WEBVTT

00:00.830 --> 00:06.650
The information that is targeted for collection is dependent on the initial goal of the penetration

00:06.650 --> 00:07.190
test.

00:17.540 --> 00:24.860
For example, if testers want to access personal health records, they will need the names and biographical

00:24.860 --> 00:27.440
information of relevant parties involved.

00:27.620 --> 00:33.290
For instance, their usernames and passwords, third-party insurance companies, healthcare providers,

00:33.290 --> 00:38.500
heads of IT operations in any industry, commercial suppliers, and so on.

00:38.510 --> 00:44.600
If the route of an attack involves social engineering, they may supplement this information with details

00:44.600 --> 00:49.100
that give credibility to the request for information, such as the following.

00:49.770 --> 00:56.100
Domain names. Identification of targets for the attackers or penetration testers during an external

00:56.100 --> 01:04.740
scenario begins with domain names, which is the most crucial element of open source intelligence. Subdomains.

01:04.770 --> 01:07.900
These are the domains that are part of the main domain.

01:07.920 --> 01:13.650
For example, if the domain of the target is sample.com, it might use demo.sample.com,

01:13.650 --> 01:19.470
production.sample.com, e-commerce.sample.com, and so on.

01:19.500 --> 01:27.360
Identification of these domains will provide the attackers with a wider range of assets to assess in

01:27.360 --> 01:28.950
the reconnaissance phase.

01:30.880 --> 01:37.180
DNS entries. In today's cyber world, everything can potentially be networked.

01:37.660 --> 01:44.230
This means each device that is connected to the internet has a unique IP address assigned to it.

01:44.260 --> 01:51.960
Likewise, DNS entries are a list of human-friendly names that are assigned to specific IP addresses.

01:51.970 --> 01:58.900
For example, demo.sample.com is translated to an IP address in the format of, for example,

01:58.900 --> 02:04.540
120.x.x.245.

02:04.540 --> 02:16.690
So DNS entries include A (host name), NS (name server), CNAME (canonical name), MX (mail exchange),

02:16.720 --> 02:27.520
AAAA (a DNS record for IPv6), SRV (service record), TXT, which is a text record obviously, and PTR,

02:27.520 --> 02:32.370
a pointer record, which is the opposite of the A record.

02:32.380 --> 02:38.860
So all this information will provide the attackers not only with the details relating to the DNS, but

02:38.860 --> 02:44.230
also a wide range of other information, such as what type of server or service they run,

02:44.230 --> 02:51.580
which attackers can utilize at the beginning while planning the attack strategy. Mail exchange.

02:51.760 --> 02:59.440
Although we will find the MX records from the DNS entries, identifying the mail exchange is treated

02:59.440 --> 03:06.640
as a completely different set of enumeration, since most of the time they involve a third party that

03:06.640 --> 03:14.350
provides mail delivery services, which can be potentially utilized by the attackers to send bulk emails

03:14.350 --> 03:20.770
by exploiting the normal SMTP functionality of the mail relay.

03:22.780 --> 03:30.460
DNS reconnaissance and route mapping. Once a tester has identified a target that has an online

03:30.460 --> 03:33.650
presence and contains items of interest,

03:33.670 --> 03:39.790
the next step is to identify the IP addresses and routes to the target system.

03:39.790 --> 03:47.200
So DNS reconnaissance is concerned with identifying who owns a particular domain or series of IP

03:47.200 --> 03:47.980
addresses.

03:48.280 --> 03:50.050
Information such as WHOIS,

03:50.050 --> 03:57.250
although this has changed a lot after the General Data Protection Regulation, and the DNS information

03:57.250 --> 04:04.180
defining the actual domain names and IP addresses assigned to the target, and the route between the penetration

04:04.180 --> 04:08.650
tester or the attacker and the final target.

04:08.650 --> 04:12.240
So this information gathering is semi-active.

04:12.250 --> 04:18.640
Some of the information is available from freely available sources, while other information is available

04:18.640 --> 04:22.240
from third parties such as DNS registrars.

04:22.240 --> 04:28.570
So although the registrar may collect IP addresses and data concerning requests made by the attacker,

04:28.570 --> 04:31.570
it is rarely provided to the end target.

04:31.570 --> 04:37.930
So the information that could be directly monitored by the target, such as DNS server logs, is almost

04:37.930 --> 04:39.720
never reviewed or retained.

04:39.730 --> 04:47.110
So because the information needed can be queried using a defined, systematic, and methodological approach,

04:47.140 --> 04:49.840
its collection can be automated.

04:49.870 --> 04:56.380
In the next section, we will discuss how easy it will be to enumerate all the domain names just by using

04:56.380 --> 04:59.800
simple tools that are pre-installed within Kali Linux.

04:59.800 --> 05:03.100
My name is Typhoon and I'm waiting for you in the next lecture.
