Additional Active Intel Gathering
Chopicalqui edited this page Feb 19, 2022 · 2 revisions
In addition to the Semi-Passive Domain Info Gathering and the Full Active Intel Gathering use cases, the following commands can be executed on in-scope domains and IP addresses:
```bash
# Perform active DNS enumeration (including zone transfer testing) on in-scope second-level domains.
# Note that we might want to specify a specific DNS server to test for DNS zone transfers.
dns_server=
docker exec -it kaliintelsuite kiscollect -w $ws --debug --strict -t5 --dnsamassactive --dnsaxfr \
--dnsdkim --dnsdmarc --dnsenum --dnsgobuster --dnshostpublic --dnsrecon --dnstakeover --httpsqlmap --smtpuserenum \
--vhostgobuster --dns-server $dns_server --autostart
```
In addition, we might want to find additional domains using dnsgen and massdns:
```bash
docker exec -it kaliintelsuite bash
(.venv) kis_shell> ws=
(.venv) kis_shell> kisreport domain -w $ws --csv --scope within | csvcut -c "Host Name (HN)" | sort -u | dnsgen - | \
massdns -r /opt/lazydns/resolvers.txt -c 5 -t A -o S --flush 2> /dev/null
[...]
(.venv) kis_shell> exit
```
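The `dnsgen | massdns` step above emits massdns's simple output (`-o S`), and wildcard DNS zones routinely turn that output into hundreds of false "new" host names. The following Python is an added example, not KIS's own code: it parses a constructed sample of that output, drops names already in scope (as `kisreport` would have listed them), and collapses wildcard noise using a sibling-count heuristic whose threshold is an assumption.

```python
# Added example (not KIS code): post-process massdns -o S output from the
# dnsgen | massdns step. Drops names already in scope and collapses wildcard DNS
# noise (several siblings with identical answers). Threshold is an assumption.
from collections import defaultdict

# Constructed sample of massdns -o S output: "<name>. <type> <rdata>"
SAMPLE_MASSDNS_OUTPUT = """\
www.example.test. A 192.0.2.10
mail.example.test. A 192.0.2.25
mail.example.test. MX 10 mx1.example.test.
dev-api.example.test. A 192.0.2.40
api-dev.example.test. CNAME dev-api.example.test.
foo.wild.example.test. A 192.0.2.99
bar.wild.example.test. A 192.0.2.99
baz.wild.example.test. A 192.0.2.99
qux.wild.example.test. A 192.0.2.99
"""
KNOWN_HOSTS = {"www.example.test", "mail.example.test"}  # e.g. from kisreport
WILDCARD_THRESHOLD = 3  # assumption: >= 3 siblings with identical answer sets


def parent_of(name):
    """Parent zone of a host name ('' for a bare label)."""
    return name.split(".", 1)[1] if "." in name else ""


def parse_massdns_simple(text):
    """Return {hostname: {(rrtype, rdata), ...}} from -o S lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:  # skip blank or malformed lines
            continue
        name, rrtype, rdata = parts
        records[name.rstrip(".").lower()].add((rrtype, rdata.rstrip(".")))
    return dict(records)


def wildcard_parents(records, threshold=WILDCARD_THRESHOLD):
    """Parents under which >= threshold names share an identical answer set."""
    groups = defaultdict(lambda: defaultdict(set))
    for name, answers in records.items():
        groups[parent_of(name)][frozenset(answers)].add(name)
    return {p for p, g in groups.items()
            if any(len(names) >= threshold for names in g.values())}


def new_hosts(text, known=KNOWN_HOSTS, threshold=WILDCARD_THRESHOLD):
    """Resolved names not yet in scope, minus wildcard noise, sorted."""
    records = parse_massdns_simple(text)
    wild = wildcard_parents(records, threshold)
    return sorted(n for n in records if n not in known and parent_of(n) not in wild)
```

Before discarding a suspected wildcard parent's children, confirm it by resolving a random label under that parent; the heuristic alone can also hide legitimate hosts that happen to share an address.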
At the end of the use case, we do a final DNS lookup to ensure that all collected host names are resolved. This ensures that the data is complete for the final report.
```bash
docker exec -it kaliintelsuite kiscollect -w $ws --debug --strict -t5 --dnshostpublic --autostart
```
Finally, we might want to re-run the entire process to collect further information.