Passive & Active Recon
21 June, 2022
Days 21-25
100 Days of Hacking
The next series of posts is from the module Information Gathering – Web Edition, found within HTB’s Bug Bounty Job Role Path. Specifically, this post covers Passive and Active Information Gathering.
When dealing with passive information gathering, I’ll use WHOIS and DNS to gather passive information on targets, both with the objective of understanding and performing Passive Subdomain Enumeration along with Passive Infrastructure Identification.
When doing Active Information Gathering, my focus will be on Active Infrastructure Identification and Active Subdomain Enumeration.
Day 21 – Passive Information Gathering
Whois
Perform a WHOIS lookup against the paypal.com domain. What is the registrant Internet Assigned Numbers Authority (IANA) ID number?
What is the admin email contact for the venmo.com domain (also in-scope for the PayPal bug bounty program)?
DNS
Which IP address maps to paydiant.com?
Which subdomain is returned when querying the PTR record for 173.0.87.51?
What is the first mailserver returned when querying the MX records for paypal.com?
Day 22 – Active Information Gathering
Active Infrastructure Identification
What Apache version is running on app.inlanefreight.local? (Format: 0.0.0)
Which CMS is used on app.inlanefreight.local? (Format: word)
On which operating system is the dev.inlanefreight.local webserver running? (Format: word)
“Develop intuitive judgement and understanding for everything… Perceive those things which cannot be seen… Pay attention even to trifles.” – Miyamoto Musashi
Days 23-25 – Active Subdomain Enumeration
Submit the FQDN of the nameserver for the “inlanefreight.htb” domain as the answer.
Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
Find and submit the contents of the TXT record as the answer.
What is the FQDN of the IP address 10.10.34.136?
What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer.
Which IP address is assigned to the “us.inlanefreight.htb” subdomain? Submit the IP address as the answer.
Submit the number of all “A” records from all zones as the answer.