Reconnaissance
Active reconnaissance
host [domain_name] # get the IPv4 and IPv6 addresses
whois [domain_name] # retrieve information about the domain and the DNS servers used (IP address of the server, owner name, postal address)
dig [domain_name] # retrieve DNS records; other record types and options are listed by dig -h
dnsenum [domain_name] # enumerate DNS records and name servers
theharvester -d [domain_name] # harvest e-mail addresses and host names
fping/ping # check whether a machine is present on the network
fping -g [network] # list every address in the network range that answers
Load Balancing Detection
Load balancing detection is needed to eliminate inconsistencies in the results. It is essential for determining the range of IP addresses that should be included in the scope of the test.
When dealing with servers behind a load balancer, the results of ordinary tests may vary because of the load balancer at work. We may get different IP addresses when we ping the host at different times during a test; this happens when a DNS load balancer is in place.
Load balancing is a set of techniques for distributing a workload among the computers of a group. These techniques make it possible to absorb an excessive load on a service by spreading it over several servers, and to reduce the unavailability of that service that the software or hardware failure of a single server would otherwise cause.
lbd
lbd [domain_name] [port]
checks whether a domain uses load balancing.
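To make the DNS side of that check concrete, here is an added Python example (not part of the original notes and not lbd's own code) that repeats a lookup and reports the signs of a DNS load balancer described above, plus every address seen so the test scope can be set. It uses the system resolver through socket.getaddrinfo; the sample answers are constructed from the RFC 5737 documentation range and do not belong to a real host.

```python
import ipaddress
import socket

def resolve_ipv4(hostname):
    """One live lookup via the system resolver; IPv4 answers in received order.
    getaddrinfo repeats each address per socket type, so duplicates are dropped."""
    answers = []
    for info in socket.getaddrinfo(hostname, None, socket.AF_INET):
        if info[4][0] not in answers:
            answers.append(info[4][0])
    return answers

def analyse_lookups(lookups):
    """Classify a series of lookups (each a list of IPv4 strings in answer order).
    A DNS load balancer shows up as several A records in one answer, as a different
    address on each lookup, or as the same addresses rotated (round-robin).
    'scope' is every address seen, i.e. what the test scope must include."""
    if not lookups or any(not answers for answers in lookups):
        raise ValueError("every lookup must return at least one address")
    sets = [frozenset(answers) for answers in lookups]
    multi_record = any(len(s) > 1 for s in sets)
    changing_set = len(set(sets)) > 1
    rotating_order = not changing_set and len({a[0] for a in lookups}) > 1
    return {
        "scope": sorted(set().union(*sets), key=ipaddress.ip_address),
        "multi_record": multi_record,
        "changing_set": changing_set,
        "rotating_order": rotating_order,
        "load_balanced": multi_record or changing_set or rotating_order,
    }

def probe(hostname, attempts=5, resolver=resolve_ipv4):
    """Repeat the lookup (live DNS by default) and analyse the answers."""
    return analyse_lookups([resolver(hostname) for _ in range(attempts)])

# Constructed sample answers (RFC 5737 documentation addresses, not a real host):
# a round-robin host rotating two A records, and a single server that never varies.
SAMPLE_ROUND_ROBIN = [
    ["192.0.2.10", "192.0.2.11"],
    ["192.0.2.11", "192.0.2.10"],
    ["192.0.2.10", "192.0.2.11"],
]
SAMPLE_SINGLE = [["192.0.2.20"]] * 3

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe(target) if target else analyse_lookups(SAMPLE_ROUND_ROBIN))
```

Run it with a hostname you are authorised to test to query live DNS, or without arguments to see the analysis of the constructed round-robin sample.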
Passive reconnaissance
whois
- Look up information about a site (IP address of the server, owner name, postal address, ...). When you register your own domain, protect this data (through the registrar's settings) so that it is not visible in the public databases.
- Also gives information about the DNS servers used
Online Tools
- Exploit DB: simplified Google searches (Google dorks), usable sites.
- Company Search: information about US companies
- Web Archive: view old versions of sites (when updates took place, ...)
- Shodan.io: search for Internet-connected devices with a public IP address (servers, cameras, printers, ...)