DNS Resolutions: Identifying Live Targets :-Vertical RECON.

Hacktivist-Attacker
6 min readMay 3, 2024

--

Hey..,Dudes!!!. I am here Stand for the Blog “DNS Resolutions: Identifying The Live Hosts Of Our Target’s..”

An Visually Concept to The Blog…

In the Previous Blog(Subdomains Enumeration) we could able to expand our Target’s Assets. Now its Time to filter our Target’s Live Assets.
In DNS Resolution , We will hunt our target’s live Assets(Subdomains) and Profiling(Screenshot) Them.

One Note About The Reconism List :

The Profile Hacktivist-Attacker contains The “List” “RECONISM: Reconnaissance For Bug Bounty/Web Pentesting.”. Which is the Massive Collection of Reconnaissance/Information Gathering Techniques In Web Penetration Testing(METHODOLOGY). The Series And Continuous Blog for The Reconnaissance are Posted on the List. So I highly recommend you to Use the List for learn Deeply and practically the Reconnaissance..

RECONISM LIST’S LINK:

RECONISM: Reconnaissance For Bug Bounty/Web Pentesting

10 stories

Okay..!! Lets We Start our Graceful Journey to the DNS Resolution...!!

I love the Nature….!!! What About you..?

DNS RESOLUTION:- INTRODUCTION:

As We already said, The DNS Resolution is All About finding and exploring our Target’s live Hosts. We Can gather lot of information, but its very important to verify all them are Matter or Not.

Why Its Needed ?

Companies are Evolves Continuously. They will update their system Regularly. Once they created their system and made changes, no matter all information will stay from the starting to Current . However, Some Information can be altered when they changed Somethings. (DNS Records, Web Functions.etc..).

We gather the information by the Historical Mechanisms Like (Wayback Machine and DNS Database). Also we use our tools that can be give somethings incorrectly. So Its Need to do the DNS Resolution.

NOTE:

In Security Testing , We Did Not Resolute the Assets(Hosts) only. There Are Lot we Need To Resolute When its come to Information Gathering. So, In this Stage we only Resolute The Assets(that is why it called as DNS Resolution). After, All other Resolution Will conduct on the Recon’s flow when we do it!!

What Are In This DNS Resolution Blog..?

This DNS Resolution Contains Two Techniques Resolute.They are…,

  1. Identifying Live Hosts → We will filter the Live subdomains of Our Target.
  2. Profiling Live Hosts → Taking the Screenshot to the Live Subdomains of our Target.

DNS RESOLUTION:- Identifying The Live Hosts:

Once we gathered all our subdomains, then we pass them on the DNS Resolution Tools. The Tools Identifying the live hosts by Requesting DNS Records and Making Request to Them.

Let we check the Heartbeats…!!

1.httpx → Fast and Multi-Purpose HTTP toolkit that allows running multiple probes.

https://github.com/projectdiscovery/httpx

projectdiscovery’s httpx Tool

Install:

go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

Usage:


#Usage for Probing live Targets:

httpx -l all-subs.txt -sc -ip -rl 10 -o alive_subs.txt

#Usage Explanation:

-l : File that conatins list of subdomains
-sc : output the status code
-ip : output the IP address of the host
-rl : Make Requests per Second
-o : Output the live domains in the file

Note:

These Automated Tools Will Actively Interact with our Target by Making HTTP Request. Making High Values Of request against the Company’s Policy Can Consider as Illegal Activity. So Always keep In your Safe Zone when You cannot Control Such Things..…!!!!

Once the tool did work , it will output the result “alive_subs.txt” which is contains the live Subdomains, IP And Status Code.

DNS RESOLUTION:- Profiling The Live Hosts:

Once We found the Subdomains Of our Target there will be available lot. Rather than We open all subdomains manually one by one , We could decide the State of the Subdomains by Taking Screenshot them in Automatically.!!!.

Let We Look like Lens..!!!!

1.Eyewitness → EyeWitness is designed to take screenshots of websites provide some server header info, and identify default credentials if know.

https://github.com/RedSiege/EyeWitness

Install:

#clone the Repository and Navigate to the Cloned Directory
git clone https://github.com/RedSiege/EyeWitness.git ; cd EyeWitness; cd Python

#Run The Installation Script (Run as Root):
sudo ./setup/setup.sh

Usage:

python3 EyeWitness.py -f alive_subs.txt --web --threads 10

#Usage Explanation:
-f : Specify the file that Contains List subdomains
--web : Take HTTP Screenshots
--threads : Number Of Requests Made per Seconds.
#More Usage:
#All usages for the tools can be found by Running The Command Below:
python3 EyeWitness.py -h
Eyewitness attempt to take Screenshots….

By Default, The Tool would save all your targets screenshots in a folder Named by Time Stamp. Its Also Create an HTML file Report , that contains the Screen shots. Also It contains the Response HTTP Headers and Source Code.

Eyewitness Tool Report..

2.Gowittness → An website screenshot utility written in Golang , that uses Chrome Headless to generate screenshots of web interfaces using the command line. Improved By the EyeWitness Tool.

https://github.com/sensepost/gowitness/

Sensepost’s Gowitness

Tool Requirements:

#Install Requirements
Google Chrome
Chromium

#Install:
1.Download the Deb Official Sites
2.Install Deb Package.

Install

go install github.com/sensepost/gowitness@latest

#NOTE: Installing from go Command Using The To The Command line Reqiures to "/go/bin" as the part of PATH Enviroinment Varivale.

Usage:

#Usage:

gowitness file alive_subs.txt

#Usage Explanation:

file -f : Specify the file that Contains List subdomains

#More Usage:
#All usages for the tools can be found by Running The Command Below:

gowitness -h
Gowitness done screenshot and Serve the report…

By default, the Gowitness would take the screenshots , identify technologies and Create An Database report which can be run on the local server. Once it Did Screen shot , then you can start the local server and navigate to the Screenshots..

Run the Report server:

gowittness server
Gowitness Report server result….

Once all the Screen shots were Gathered you can Scroll them and Analyze them Manually. Its very easy to scroll the screenshots and analyze the Results comparing than Requesting and looking one by one.

Quote For The Day..

When You Stop Chasing the Wrong Things, You Give the Right Things a Chance to Catch You.” — Lolly Daskal

Yeah…, We Come To the End to this Blog. There are lots of tools are Used DNS Resolution. You can use Which is perfectly Suits for You.
There Is No Doubt, I Always hope that the Blog would helped to you As much As Possible. However , Thanks To Reading The Blog Till to Its Ends. No Matter how its longer or Short. I Am Very Happy for you Read The Blog. We Will Meet On the Next Blog “DNS Resolutions: Guide To Subdomain Takeovers

Will Meet Later..,Because “Good things are take time”…..

--

--

Hacktivist-Attacker
Hacktivist-Attacker

Written by Hacktivist-Attacker

The Person Who Can Help You To Become A Best Version in The World Of Web Penetration Testing/Bug Bounty..

No responses yet