Penetration Testing Reconnaissance Command Line Tricks: Dig, Mass Domain Resolution, Ping Sweeping

Here are some simple command line tricks to help while doing recon on your target network/host.
A simple way to automatically resolve domain names: it can be used with a for loop to resolve a massive list of domain names, and you can add a cron job that writes an .out file if you want to track changes in domain name resolution over time. First, let's set a regular expression variable that extracts only legitimate IPv4 addresses from the output (the pattern is quoted so the shell does not try to interpret the parentheses and pipes):
root@computersecurity:~/# IP='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
Now let's use the variable to do a simple domain name resolution and return only the IP address of the domain being resolved (we'll filter Google's DNS server out of the results, because dig prints the resolver's own address in its ";; SERVER:" line and the grep would otherwise pick it up too):
root@computersecurity:~/# dig @<resolver-ip> <domain> | grep -E -o "$IP" | grep -v <resolver-ip>
The raw output is just the IP address of the domain.
Another easy way to profile your target is to download their homepage, extract all of the subdomains from it, and resolve them to IP addresses to map out their network infrastructure. Here is an example using the index page of msn:
root@computersecurity:~/# wget
--2016-06-25 00:52:45--
Resolving (…
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40206 (39K) [text/html]
Saving to: 'index.html'

index.html          100%[===================>]  39.26K  --.-KB/s    in 0.01s

2016-06-25 00:52:45 (2.97 MB/s) - 'index.html' saved [40206/40206]
We run this simple command (the base domain to match is a placeholder here; the pattern picks out every name ending in that domain, and host resolves each one):
root@computersecurity:~/# for url in $(grep -o '[A-Za-z0-9_.-]*\.<domain>' index.html | sort -u); do host "$url" | grep "has address" | cut -d" " -f4; done
Just like that, we see that msn has a lot of subdomains hosted all over the place.
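The two extraction steps above (IPs out of dig output, subdomains out of a saved homepage) can be checked without touching a live host. The script below is an added example, not code from the original post: it runs both pipelines over constructed sample input (example.test, the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and a fake dig transcript are all made up for the demo) and tightens both patterns. Tokenising on non-IP characters and matching whole tokens rejects junk such as "1234.5.6.7", which the post's unanchored grep -o would report as "234.5.6.7", and anchoring the subdomain pattern on the right keeps a lookalike such as example.test.evil.test out of the list.

```shell
#!/bin/sh
# Added example, not the original post's code: offline run of the IP-extraction
# and subdomain-extraction pipelines over constructed input.

OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IP_RE="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"

# Constructed dig output (not a real capture). The resolver's address appears
# in the ";; SERVER:" line, which is why the post greps it back out.
DIG_OUT='; <<>> DiG 9.16 <<>> www.example.test
;; ANSWER SECTION:
www.example.test.   300 IN A 198.51.100.10
www.example.test.   300 IN A 198.51.100.11
;; SERVER: 203.0.113.53#53(203.0.113.53)
;; WHEN: Sat Jun 25 00:52:45 2016'

# Print only the answer IPs. Every run of characters that cannot be part of an
# address becomes a line break, then -x requires the whole token to be a valid
# dotted quad, so "1234.5.6.7" and "256.1.1.1" are dropped instead of being
# partially matched. The resolver address is removed as a fixed string (-F -x).
answer_ips() {
  resolver="$1"
  tr -cs '0-9.\n' '\n' | grep -E -x "$IP_RE" | grep -v -F -x "$resolver"
}

# Constructed HTML standing in for the downloaded index.html.
HTML='<a href="http://www.example.test/">home</a>
<script src="//static.example.test/app.js"></script>
<img src="https://img1.example.test/logo.png">
<a href="https://www.example.test/about">about</a>
<a href="https://example.test.evil.test/">lookalike</a>
<a href="https://cdn.other.test/">other</a>'

# List the unique subdomains of one base domain. The dots in the base domain
# are escaped for the regex, and the match must be followed by a character
# that cannot belong to a hostname (or end of line), so names that merely
# contain the base domain in the middle are not counted.
subdomains_of() {
  base="$1"
  esc=$(printf '%s' "$base" | sed 's/\./\\./g')
  grep -E -o "[A-Za-z0-9_.-]*\\.$esc([^A-Za-z0-9._-]|\$)" |
    sed 's/[^A-Za-z0-9._-]$//' | sort -u
}

# Demo: the two lists the post's one-liners would produce for this input.
printf '%s\n' "$DIG_OUT" | answer_ips 203.0.113.53
printf '%s\n' "$HTML" | subdomains_of example.test
```

For real use, replace DIG_OUT with the piped output of dig and HTML with the saved index.html, and pass the resolver address and base domain you actually used; the functions read standard input so they drop straight into the post's for loop.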
Once you have IP ranges and you are authorized to touch them, we can write a simple bash script that does a ping sweep of a network in seconds. Here is the sweep of my own network completing in less than a second:

root@computersecurity:~/# cat > <script>.sh
for ip in $(seq 1 255); do
  ping -c 1 192.168.1.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &
done
wait   # collect the backgrounded pings so every reply is printed before the prompt returns
root@computersecurity:~/# chmod +x *.sh
root@computersecurity:~/# ./<script>.sh
