1
00:00:00,830 --> 00:00:06,650
The information that is targeted for collection is dependent on the initial goal of the penetration

2
00:00:06,650 --> 00:00:07,190
test.

3
00:00:17,540 --> 00:00:24,860
For example, if testers want to access personal health records, they will need the names and biographical

4
00:00:24,860 --> 00:00:27,440
information of the relevant parties involved,

5
00:00:27,620 --> 00:00:33,290
like their usernames and their passwords, third-party insurance companies, healthcare providers,

6
00:00:33,290 --> 00:00:38,500
the head of IT operations in any industry, commercial suppliers and so on.

7
00:00:38,510 --> 00:00:44,600
If the path of an attack involves social engineering, they may supplement this information with details

8
00:00:44,600 --> 00:00:49,100
that give credibility to the request for information, such as:

9
00:00:49,770 --> 00:00:56,100
Domain names: identification of targets for the attackers or penetration testers during an external

10
00:00:56,100 --> 00:01:04,740
scenario begins with domain names, which is the most crucial element of open source intelligence. Subdomains:

11
00:01:04,770 --> 00:01:07,900
these are the domains that are part of the main domain.

12
00:01:07,920 --> 00:01:13,650
For example, if the domain of the target is sample.com, it might be demo.sample.com,

13
00:01:13,650 --> 00:01:19,470
production.sample.com, e-commerce.sample.com and so on.

14
00:01:19,500 --> 00:01:27,360
Identification of these domains will provide the attackers with a wider range of assets to assess in

15
00:01:27,360 --> 00:01:28,950
the reconnaissance phase.

16
00:01:30,880 --> 00:01:37,180
DNS entries: in today's cyber world, everything can potentially be networked.

17
00:01:37,660 --> 00:01:44,230
This means each device that is connected to the internet has a unique IP address assigned to it.
18
00:01:44,260 --> 00:01:51,960
Likewise, DNS entries are a list of human-friendly names that are assigned to specific IP addresses.

19
00:01:51,970 --> 00:01:58,900
For example, demo.sample.com is translated to an IP address in the format of, for example,

20
00:01:58,900 --> 00:02:04,540
120.x.x.245.

21
00:02:04,540 --> 00:02:16,690
So DNS entries include A (hostname), NS (name server), CNAME (canonical name), MX (mail exchange),

22
00:02:16,720 --> 00:02:27,520
AAAA (DNS record for IPv6), SRV (service record), TXT (text record, obviously) and PTR

23
00:02:27,520 --> 00:02:32,370
(pointer record), which is the opposite of the A record.

24
00:02:32,380 --> 00:02:38,860
So all this information will provide the attackers not only with the details relating to the DNS, but

25
00:02:38,860 --> 00:02:44,230
also a wide range of other information, such as what type of server or service they run,

26
00:02:44,230 --> 00:02:51,580
which attackers can utilize in planning their attack strategy. Mail exchange:

27
00:02:51,760 --> 00:02:59,440
although we will find the MX records from the DNS entries, identifying the mail exchange is treated

28
00:02:59,440 --> 00:03:06,640
as a completely different set of enumeration, since most of the time they involve a third party that

29
00:03:06,640 --> 00:03:14,350
provides mail delivery services, which can potentially be utilized by the attackers to send bulk emails

30
00:03:14,350 --> 00:03:20,770
by exploiting the normal SMTP functionality of the mail relay.

31
00:03:22,780 --> 00:03:30,460
DNS reconnaissance and route mapping: once a tester has identified a target that has an online

32
00:03:30,460 --> 00:03:33,650
presence and contains items of interest,

33
00:03:33,670 --> 00:03:39,790
the next step is to identify the IP addresses and routes to the target system.
34
00:03:39,790 --> 00:03:47,200
So DNS reconnaissance is concerned with identifying who owns a particular domain or series of IP

35
00:03:47,200 --> 00:03:47,980
addresses,

36
00:03:48,280 --> 00:03:50,050
information such as WHOIS,

37
00:03:50,050 --> 00:03:57,250
although this has changed a lot after the General Data Protection Regulation, and the DNS information

38
00:03:57,250 --> 00:04:04,180
defining the actual domain names and IP addresses assigned to the target, and the route between the penetration

39
00:04:04,180 --> 00:04:08,650
tester or the attacker and the final target.

40
00:04:08,650 --> 00:04:12,240
So this information gathering is semi-active.

41
00:04:12,250 --> 00:04:18,640
Some of the information is available from freely available sources, while other information is available

42
00:04:18,640 --> 00:04:22,240
from third parties such as DNS registrars.

43
00:04:22,240 --> 00:04:28,570
So although the registrar may collect IP addresses and data concerning requests made by the attacker,

44
00:04:28,570 --> 00:04:31,570
it's rarely provided to the end target.

45
00:04:31,570 --> 00:04:37,930
So the information that could be directly monitored by the target, such as DNS server logs, is almost

46
00:04:37,930 --> 00:04:39,720
never reviewed or retained.

47
00:04:39,730 --> 00:04:47,110
So because the information needed can be queried using a defined, systematic and methodological approach,

48
00:04:47,140 --> 00:04:49,840
its collection can be automated.

49
00:04:49,870 --> 00:04:56,380
In the next section, we will discuss how easy it will be to enumerate all the domain names just by using

50
00:04:56,380 --> 00:04:59,800
simple tools that are pre-installed within Kali Linux.

51
00:04:59,800 --> 00:05:03,100
My name is Typhoon and I'm waiting for you in the next lecture.