Is nslookup counts in passive recon?

chlsmillar · July 19, 2022, 9:26am

Hi CIP!
I’m doing red team for the first time. I want to know is nslookup counts in passive recon?

for i in cat linux.hosts; do nslookup $i | grep ^Name -A1| awk ‘{print $2}’;echo;done > outputfile
I want to run this script, should i do that or it will raise any flags?
I’m doing as i want ips of from my created subdomains list.

shatteredglassedge · July 19, 2022, 9:28am

If it is in a short amount time, it will definitely be possible to raise a flage.
I would suggest to use search engines / shodan.io or maybe criminlaip.io / certificate databases
that’s more like “passive recon”

chlsmillar · July 19, 2022, 9:29am

any alts to automate it ?

shatteredglassedge · July 19, 2022, 9:29am

maltego and lots of $$

user36 · July 19, 2022, 9:30am

But you’re not querying the target’s services directly necessarily with a nslookup.

shatteredglassedge · July 19, 2022, 9:31am

i am also looking for something similar like maltego but not so expensive

user36 · July 19, 2022, 9:31am

I’d say if you’re just querying public DNS records about a domain, then it’s passive… if you’re brute forcing subdomains etc., then it’s active.

user36 · July 19, 2022, 9:32am

But that’s just my two cents, I’m sure others would disagree, lol

shatteredglassedge · July 19, 2022, 9:32am

i would agree with user36

chlsmillar · July 19, 2022, 9:33am

cant risk it. dont want to beacome the punching bag of seniors

shatteredglassedge · July 19, 2022, 9:34am

first rule for a healthy workspace: it must be allowed to make failures and learn from them.

chlsmillar · July 19, 2022, 9:34am

sadly it does not applies if there hardcore office politics goin on

shatteredglassedge · July 19, 2022, 9:35am

then you better cover your as. as i said: if you can split up the request for example via tor and let it run over a longer timeframe, i’d say it’s really hard to identify as active recon or ask different nameservers