Does nslookup count as passive recon?

Hi CIP!
I'm doing red team for the first time. I want to know whether nslookup counts as passive recon.

    for i in $(cat linux.hosts); do nslookup "$i" | grep -A1 '^Name' | awk '{print $2}'; echo; done > outputfile

I want to run this script. Should I do that, or will it raise any flags?
I'm doing this because I want the IPs for the subdomain list I've built.
2 Likes

If it's done in a short amount of time, it can definitely raise a flag.
I would suggest using search engines / shodan.io, or maybe criminalip.io / certificate databases.
That's more like "passive recon".

1 Like

Any alternatives to automate it?

maltego and lots of $$ :wink:

But you're not necessarily querying the target's services directly with an nslookup.

I am also looking for something similar to Maltego, but not so expensive.

I’d say if you’re just querying public DNS records about a domain, then it’s passive… if you’re brute forcing subdomains etc., then it’s active.

But that’s just my two cents, I’m sure others would disagree, lol

1 Like

I would agree with user36.

Can't risk it. Don't want to become the punching bag of the seniors.

First rule for a healthy workplace: it must be allowed to make mistakes and learn from them.

Sadly that doesn't apply if there are hardcore office politics going on.

Then you'd better cover your ass. As I said: if you can split up the requests, for example via Tor, and let them run over a longer timeframe, I'd say it's really hard to identify as active recon. Or ask different nameservers.
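As an added example (not code from the thread or from any poster), here is one way to apply the "spread it out over time and ask different nameservers" advice above to the OP's loop. It assumes nslookup is installed; the resolver list, the script name and the sample nslookup output are illustrative and not taken from the thread:

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: resolve a subdomain list
# "low and slow", rotating across public recursive resolvers so no single
# recursor forwards every one of your names to the target's authoritative
# server in a burst. Assumptions: nslookup is installed; the resolver list
# and the sample output below are illustrative, not taken from the thread.
set -u

# Public recursors to rotate through (assumed list; edit to taste).
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# pick_resolver INDEX -> prints resolver number INDEX mod count (round-robin).
pick_resolver() {
    local idx=$1
    set -- $RESOLVERS
    shift $(( idx % $# ))
    echo "$1"
}

# jitter_seconds MIN -> a delay in [MIN, 2*MIN) so queries are not evenly
# spaced; a fixed interval is itself an easy thing to write a signature for.
jitter_seconds() {
    local min=$1
    echo $(( min + RANDOM % min ))
}

# parse_nslookup: read nslookup output on stdin, print "name<TAB>address" for
# each answer record. The leading "Address:" line (the resolver itself) has
# no preceding "Name:" and is skipped; the OP's `grep ^Name -A1` relied on
# the same layout but also printed the name on its own line.
parse_nslookup() {
    awk '/^Name:/ { name = $2 }
         /^Address:/ && name != "" { print name "\t" $2 }'
}

# resolve_list HOSTSFILE MIN_DELAY -> one "host<TAB>ips<TAB>resolver" line per
# host; hosts with no answer get "NXDOMAIN/none".
resolve_list() {
    local hostsfile=$1 min_delay=${2:-30} i=0 host resolver answers
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        resolver=$(pick_resolver "$i")
        answers=$(nslookup -timeout=5 "$host" "$resolver" 2>/dev/null \
                  | parse_nslookup | cut -f2 | paste -sd, -)
        printf '%s\t%s\t%s\n' "$host" "${answers:-NXDOMAIN/none}" "$resolver"
        i=$(( i + 1 ))
        sleep "$(jitter_seconds "$min_delay")"
    done < "$hostsfile"
}

# Constructed nslookup output, used only for an offline check of parse_nslookup.
SAMPLE_NSLOOKUP='Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	www.example.com
Address: 93.184.216.34
Name:	www.example.com
Address: 2606:2800:220:1:248:1893:25c8:1946'

# Only touch the network when explicitly asked:
#   RUN_RECON=1 ./slowresolve.sh linux.hosts 30 > outputfile
if [ -n "${RUN_RECON:-}" ]; then
    resolve_list "${1:-linux.hosts}" "${2:-30}"
fi
```

With a 30-second floor and a few hundred names this runs for hours, which is the point: each recursor sees only a third of the list, and the target's authoritative server sees cache-miss lookups trickling in from three well-known public resolvers rather than a sequential burst from one source. Routing the script over Tor, as suggested above, changes which recursor you talk to but not the trickle pattern, so the delay matters more than the path.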