Dossier utilities are a type of reconnaissance one can perform before attempting a penetration test. The two we discuss here are domain and email dossiers.
The domain dossier runs a scan on a domain. The first item of importance is the whois record. The domain whois is a record of who created and who maintains the domain name. If the whois record is publicly available because no privacy protection was applied, it can be useful for a spear phishing campaign: the registrant's name, location, and email can be used to build a persona for such campaigns, and the emails can be analysed for the organization's address format.
Another item of note is the nameservers of the domain. You can see whether the organization is using a small business or a large provider (e.g. Gandi or Cloudflare). Would you be able to perform a Denial of Service attack?
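As an added example (not code from the original post), the check a defender can run on a copy of their own domain's whois record to see whether the registrant details the text above describes are still visible: it parses the "Key: Value" record, lists the nameservers, and reports which sensitive fields are not redacted by a privacy service. The whois record below is constructed, and the list of redaction markers is an assumption.

```python
import re

# Constructed sample whois record (not a real registration) in the usual
# "Key: Value" text form; some registrant fields are redacted and some are not.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Registrant City: Springfield
Registrant Country: US
Registrant Email: jane.doe@example-corp.test
Admin Email: REDACTED FOR PRIVACY
"""

# Fields that help build a spear-phishing persona when left visible.
SENSITIVE_FIELDS = ("registrant name", "registrant organization",
                    "registrant city", "registrant email", "admin email")

# Assumed redaction markers as printed by registrars and privacy services.
REDACTION_RE = re.compile(r"redacted|privacy|data protected|not disclosed", re.I)


def parse_whois(text):
    """Map each lowercased key to the list of values found on 'Key: Value' lines."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banners, blank lines and notices carry no field
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def exposed_fields(record):
    """Return the sensitive fields whose values are present and not redacted."""
    exposed = {}
    for field in SENSITIVE_FIELDS:
        values = [v for v in record.get(field, []) if v and not REDACTION_RE.search(v)]
        if values:
            exposed[field] = values
    return exposed


def nameservers(record):
    """Return the nameservers, lowercased and sorted, for provider identification."""
    return sorted(v.lower() for v in record.get("name server", []))
```

Feed the output of your registrar's whois lookup into `parse_whois` and any field returned by `exposed_fields` is one that privacy protection has not covered.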
The second report is the network whois record. First, the IP address range and network names are presented. You can see the location and registrant information, much like the domain whois. You can also sometimes identify the hosting provider, as many organizations use the same provider for hosting and domain registration.
The Domain Name System (DNS) records give you the routing for a given domain. They can give you an idea of the servers and of any load balancing. The traceroute gives you an idea of the path between you and the service. Keep in mind that some devices do not respond to traceroute probes, so you might see * in place of those hops. You might notice that the final responding device reports a different domain than the one you queried. This usually means the victim is on a server with multiple tenants. In that case, we must be careful, as our attacks might affect other customers.
Some utilities give you a service scan, which gives you an idea of the specific services that are available for you to exploit, for example SSH, FTP/SFTP, HTTP, and SMTP. If ports and services are open, you can get more information about each service. If port 80 or 443 is available to be queried, are they using Nginx or Apache (httpd)?
Email dossiers allow you to query email addresses. Who would've guessed? An email may be rejected with a confidence level of 0, or found with a confidence level of 3. The tool attempts to connect to the mail server (e.g. over SMTP) and tries to identify whether an address is in use or not. Going back to the previous example of domain dossiers, if we can identify an organization's format for email addresses, this can be used to further plan our attack.
These useful tools can be found for free on the internet. Central Ops provides an excellent free resource for this purpose. When you use them in conjunction with some of the other reconnaissance methods found here, you're on your way to successful planning.