Passive reconnaissance collects information about a target without interacting with it directly, typically through search engines and public databases. Common techniques include DNS resolution, WHOIS lookups, and subdomain enumeration.
### DNS Resolution Methods
DNS translates domain names to IP addresses. Python's socket module can perform basic DNS lookups:
```python
import socket

# Forward lookup through the system resolver; returns a single IPv4 address.
target_ip = socket.gethostbyname('example.com')
print(f"Resolved IP: {target_ip}")
```
### WHOIS Data Collection
The python-whois library retrieves domain registration details:
```python
from whois import whois  # provided by the python-whois package

# Registrar, registration/expiry dates, name servers and contact records.
domain_info = whois('example.com')
print(domain_info)
```
Subdomains can reveal additional attack surfaces. Here's a Bing-based discovery tool:
```python
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse

def find_subdomains(domain, pages):
    """Collect hostnames under `domain` from Bing `site:` result pages."""
    headers = {'User-Agent': 'Mozilla/5.0'}
    found = set()
    for page in range(pages):
        # Bing paginates with `first=`, the index of the first result to show.
        url = f"https://bing.com/search?q=site:{domain}&first={page*10}"
        response = requests.get(url, headers=headers, timeout=10)
        soup = BeautifulSoup(response.text, 'html.parser')
        for link in soup.find_all('a', href=True):  # skips anchors without an href
            host = urlparse(link['href']).hostname  # None for relative links
            # Keep the domain itself or a real subdomain; a bare substring test
            # would also accept look-alike hosts and redirect URLs.
            if host and (host == domain or host.endswith('.' + domain)):
                found.add(host)
    return found

subdomains = find_subdomains('example.com', 3)
print(subdomains)
```
Email Harvesting Techniques
---------------------------
Email collection helps in social engineering assessments. This script searches multiple engines:
```python
import re
import requests

# local-part@domain.tld; the TLD may be longer than four characters (e.g. .online).
EMAIL_RE = re.compile(r'\b[\w.-]+@[\w.-]+\.\w{2,}\b')

def extract_emails(text):
    """Return every address-shaped token found in `text`."""
    return EMAIL_RE.findall(text)

def search_emails(domain, pages):
    # Each engine uses its own pagination parameter (Google: start, Bing: first).
    engines = [
        (f"https://google.com/search?q=email+site:{domain}", 'start'),
        (f"https://bing.com/search?q=email+site:{domain}", 'first'),
    ]
    headers = {'User-Agent': 'Mozilla/5.0'}
    emails = set()
    for base_url, page_param in engines:
        for page in range(pages):
            url = f"{base_url}&{page_param}={page*10}"
            response = requests.get(url, headers=headers, timeout=10)
            emails.update(extract_emails(response.text))
    return emails

found_emails = search_emails('example.com', 2)
print(found_emails)
```
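Both the subdomain script and the e-mail script above decide what is "in scope" with a bare substring test, which misattributes redirect URLs that only mention the target in a query string, accepts look-alike domains, and collects addresses from unrelated mail domains. The parser below is an added example, not code from the original page: it runs offline over a constructed sample result page and returns only hosts and addresses that genuinely belong to the target domain. The names `hosts_in_scope`, `emails_in_scope` and `SAMPLE_HTML` are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag that has one."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def hosts_in_scope(html, domain):
    """Hostnames from result links that are `domain` or a subdomain of it."""
    # urlparse, rather than substring-matching the href, ignores relative links,
    # look-alike domains and redirect URLs that mention the target in a query.
    parser = _LinkCollector()
    parser.feed(html)
    domain = domain.lower()
    found = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname  # None for relative links
        if host and (host == domain or host.endswith("." + domain)):
            found.add(host)
    return found

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.[a-zA-Z]{2,}\b")

def emails_in_scope(text, domain):
    """Addresses whose mail domain is `domain` or a subdomain of it."""
    domain = domain.lower()
    result = set()
    for addr in EMAIL_RE.findall(text):
        mail_domain = addr.rsplit("@", 1)[1].lower()
        if mail_domain == domain or mail_domain.endswith("." + domain):
            result.add(addr.lower())
    return result

# Constructed sample result page (not real search-engine output).
SAMPLE_HTML = """
<a href="https://www.example.com/about">About</a>
<a href="http://mail.example.com">Webmail</a>
<a href="https://bing.com/ck/a?u=https://dev.example.com/">redirect</a>
<a href="/search?q=site:example.com&first=10">Next</a>
<a>no href at all</a>
<a href="https://example.com.evil.test/login">lookalike</a>
<p>Contact: press@example.com, ops@Mail.Example.com, someone@gmail.com</p>
"""
```

On the sample page only `www.example.com` and `mail.example.com` survive as hosts, and only the two `example.com` addresses survive as e-mails; the redirect, relative, href-less and look-alike links are all dropped.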