Hackers rely on good data to launch an attack, and reconnaissance is the phase of a hack in which they learn as much as possible about the target in order to develop a plan of action. Technical details are a critical part of that picture, and with OSINT tools like Maltego, a single domain name is all it takes to query an organization's technical details, from IP addresses to AS numbers.
While Maltego is great for researching people, it is just as useful when you're researching the technical setup of an organization.
Technical research differs from research on people in that, in many cases, the information is available with minimal interaction required from the researcher.
Technical Data Targets
When performing technical reconnaissance, tools such as Maltego make it easy to find out a great deal about your target in just a few clicks. Starting from the web domain, links to other websites or technologies become visible. While some of this information may seem like magic to the average user, OSINT research can assemble these widely dispersed technical details into an extensive contextual map of the target network's structure and of how it interacts with its environment.
[Image: How to Use Maltego to Fingerprint an Entire Network with Only One Domain Name]
For a quick overview, you can click the Play button in Maltego to run all the transforms on the domain entity, which creates many leads to expand.
The details we look for when profiling a company's network give us more context and information for later use. This can mean anything from an IP address to the MX server a company uses. Why is that important? The more we know about the target, the more targets we can train different cyber weapons on in the next phase of our plan.
If we know details like the MX server, we know which email provider a company uses, which can give hackers an edge in a phishing attack. All of these details can be useful depending on what you intend to do with the information. Let's outline the chain we are building to better understand our target's network infrastructure.
Mapping the Network Chain
The chain of network details starts at the domain name and continues in an ordered sequence, deriving more abstract information about other objects that may be under the target's control. Beyond what we need to expand our investigation, we can begin to tie our target to the third-party services it uses. In this way, a hacker can learn what the organization does internally and what it outsources, which provides context for other, more specific tactics.
Starting with the target domain, we can find the website hosted on port 80, and from there find other websites that use the same tracking code, identifying web real estate owned by the same organization. Next we can see the MX (mail exchanger) and NS (name server) records associated with the domain, which reveal the organization's email and hosting providers. From here we can locate the DNS server the site points to and discover all other domains that use the same DNS server. This shows us other sites owned or run by the same organization, or other domains hosted by the provider to which it outsources web hosting.
Larger organizations may have a netblock assigned to the various websites and services they offer online, with all of its IP addresses allocated to the same organization. Above that, the AS number (autonomous system number) can be discovered; an AS is a collection of netblocks that all operate under the same external routing policy. It usually belongs to an internet service provider or a larger company and can be used to find other netblocks owned by the same company.
Down the Chain & Back Up Again
Building the chain from domain to AS number helps organize our investigation by giving us a "backbone" for our intelligence data. Once we have gone all the way up to the AS number, we can start back down the chain and expand on what we originally found. This means starting with the AS number, identifying more netblocks in the AS, finding IP addresses in those netblocks, and resolving those IP addresses to the websites or services connected to them online.
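The chain just described, walked both ways in code, as an added example that is not part of the original article and does not use Maltego: every record, netblock and AS number below is constructed from documentation-reserved values (example.com, 203.0.113.0/24, 198.51.100.0/24, AS64500 and AS64501), and the table of provider hostname suffixes is an assumption covering only a few well-known services. A defender can run the same logic over their own DNS export to see which services an outsider would conclude are in-house and which are outsourced.

```python
import ipaddress
from collections import defaultdict

# All data below is constructed for illustration: example.com, 203.0.113.0/24,
# 198.51.100.0/24 and AS64500/AS64501 are documentation-reserved values, not a
# real organization's infrastructure.
ORG_DOMAIN = "example.com"
ORG_NAME = "Example Corp"

# Hostname -> A records, the kind of output a "DNS from Domain" run produces.
A_RECORDS = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "vpn.example.com": ["203.0.113.40"],
    "shop.example.com": ["198.51.100.25"],
}
MX_RECORDS = ["aspmx.l.google.com", "alt1.aspmx.l.google.com"]
NS_RECORDS = ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]

# Netblock -> (AS number, registered owner), as WHOIS-backed transforms return.
NETBLOCKS = {
    "203.0.113.0/24": (64500, ORG_NAME),
    "198.51.100.0/24": (64501, "Hosting Provider Ltd"),
}

# Assumed table of well-known public hostname suffixes of third-party providers.
KNOWN_PROVIDERS = {
    "google.com": "Google Workspace",
    "mail.protection.outlook.com": "Microsoft 365",
    "ns.cloudflare.com": "Cloudflare DNS",
}


def classify_host(hostname):
    """Label a hostname as in-house, a known provider, or an unknown third party."""
    host = hostname.lower().rstrip(".")
    if host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN):
        return "in-house"
    for suffix, provider in KNOWN_PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return "unknown third party"


def ip_to_netblock(ip):
    """Up the chain: IP address -> (netblock, AS number, owner), or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, (asn, owner) in NETBLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, asn, owner
    return None


def walk_down_chain():
    """Domain -> mail/DNS providers -> hosts -> IPs -> netblocks -> AS numbers."""
    hosts = []
    for hostname, ips in A_RECORDS.items():
        for ip in ips:
            block = ip_to_netblock(ip)
            cidr, asn, owner = block if block else (None, None, None)
            hosts.append({
                "host": hostname, "ip": ip, "netblock": cidr, "asn": asn,
                "owner": owner, "internal": owner == ORG_NAME,
            })
    return {
        "mail": {h: classify_host(h) for h in MX_RECORDS},
        "dns": {h: classify_host(h) for h in NS_RECORDS},
        "hosts": hosts,
        "as_numbers": sorted({h["asn"] for h in hosts if h["asn"] is not None}),
    }


def walk_back_up(asn):
    """Back down from an AS number: its netblocks and the known hosts inside each."""
    found = defaultdict(list)
    for cidr, (block_asn, _owner) in NETBLOCKS.items():
        if block_asn != asn:
            continue
        net = ipaddress.ip_network(cidr)
        for hostname, ips in A_RECORDS.items():
            if any(ipaddress.ip_address(ip) in net for ip in ips):
                found[cidr].append(hostname)
    return dict(found)


if __name__ == "__main__":
    chain = walk_down_chain()
    print("Mail:", chain["mail"])
    print("DNS:", chain["dns"])
    for h in chain["hosts"]:
        where = "internal" if h["internal"] else f"outsourced to {h['owner']}"
        print(f"{h['host']:<20} {h['ip']:<15} {h['netblock']}  AS{h['asn']}  {where}")
    for asn in chain["as_numbers"]:
        print(f"AS{asn} ->", walk_back_up(asn))
```

The split between `internal` and outsourced hosts is decided purely by who the netblock is registered to, which is exactly the inference an outsider makes from WHOIS data; a host that resolves into a hosting provider's range is reported as outsourced even if the organization administers it.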
Step 1: Select the Target and Discover the Website
In this example, we use the Gap website, which a quick Google search shows is on the gap.com domain. Start Maltego and wait for the main window to open. Then click the logo icon in the upper left corner and select "New".
This opens a blank canvas where we can add our first entity. To do this, go to the Entity Palette on the left and type "domain" in the search bar to bring up the domain entity. Once we see the icon, we can drag and drop it onto the canvas to begin the investigation.
Once the icon is on the canvas, double-click its text to enter your target's domain name. In this case, we use "gap.com" to begin our survey of Gap's network.
Step 2: Finding Tracking Codes
To find the tracking codes associated with a website, the domain entity must first be resolved to a website entity. You can do this by right-clicking the domain entity and typing "Website" in the search bar to see all the transforms that resolve a domain to a website. Any of the three will work, but a simple "Quick Lookup" should do. This resolves our domain to a website, and from here we can right-click it and enter "To Tracking Codes" to run the tracking code transform.
While our Gap example did not produce any results, running the same transform against Tesla's website (tesla.com) did. Below we see the result of the transform, showing two other associated domains. To find these domains from the discovered tracking code, we can right-click the tracking code and then click "other sites with the same code" to search for other sites using the same tracking code.
These links can be invaluable in finding other domains belonging to the same party, in some cases domains that may not be officially acknowledged. This allows an attacker to discover linked parts of an organization by, ironically, tracking how those organizations track their users, since most organizations use a single tracking code across their properties to make analytics easier.
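The "other sites with the same code" pivot, as an added example that is not code from the original article or from Maltego: it extracts analytics identifiers from page source and groups domains that share an account. The page sources are constructed under reserved names (example.com, example-store.example, unrelated.example), the two regular expressions cover only the Universal Analytics (UA-account-index) and GA4 (G-...) formats, and treating two UA properties with the same account number as related is an assumption of this example. A defender can point the same grouping at their own properties to see which of their domains a shared tracking ID links together.

```python
import re
from collections import defaultdict

# Two widely deployed analytics identifier formats: Universal Analytics property
# IDs (UA-<account>-<property index>) and GA4 measurement IDs (G-<10 chars>).
TRACKING_ID_PATTERNS = [
    re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    re.compile(r"\bG-[A-Z0-9]{10}\b"),
]

# Constructed page sources for three sites under reserved names; nothing here
# was fetched from a real website.
PAGES = {
    "example.com": (
        '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>\n'
        "<script>gtag('config', 'UA-12345678-1');</script>"
    ),
    "example-store.example": (
        "<script>gtag('config', 'UA-12345678-2');</script>\n"
        "<script>gtag('config', 'G-ABCDEFGH12');</script>"
    ),
    "unrelated.example": "<script>gtag('config', 'UA-87654321-1');</script>",
}


def extract_tracking_ids(html):
    """Return the set of analytics IDs embedded in a page's HTML."""
    found = set()
    for pattern in TRACKING_ID_PATTERNS:
        found.update(pattern.findall(html))
    return found


def account_key(tracking_id):
    """Reduce an ID to the part shared across one owner's properties.

    UA-12345678-1 and UA-12345678-2 are two properties of the same Universal
    Analytics account, so the key drops the trailing property index (an
    assumption of this example). GA4 measurement IDs carry no account
    component and are used as-is.
    """
    if tracking_id.startswith("UA-"):
        return tracking_id.rsplit("-", 1)[0]
    return tracking_id


def pivot_on_tracking_codes(pages):
    """Group domains by shared analytics account: the 'other sites with the same code' pivot."""
    groups = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            groups[account_key(tid)].add(domain)
    return {key: sorted(domains) for key, domains in groups.items()}


def related_domains(domain, pages):
    """Domains (other than `domain`) that share at least one analytics account with it."""
    related = set()
    for domains in pivot_on_tracking_codes(pages).values():
        if domain in domains:
            related.update(domains)
    related.discard(domain)
    return sorted(related)


if __name__ == "__main__":
    for key, domains in sorted(pivot_on_tracking_codes(PAGES).items()):
        print(f"{key}: {', '.join(domains)}")
    print("Related to example.com:", related_domains("example.com", PAGES))
```

Grouping on the account rather than the full property ID is what makes the pivot useful: a store front with its own property index still lands in the same group as the main site, which is the link the article's Tesla result illustrates.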
Step 3: Revealing Name & MX Server
A domain's NS and MX servers can tell us which mail service an organization uses and where its services are hosted. Some organizations host these servers internally, but most do not and use a third-party service instead. For a hacker, this information is useful because it can provide valuable pretexts, such as calling the company while posing as the specific provider it uses for internet or web hosting.
Finding this information is easy. Right-click the domain entity we created earlier and type "mx" in the search bar to see the transforms that resolve the MX server. Click it to display the MX information, which often indicates which provider the organization uses.
To view the site's NS records, we can right-click the domain and type "ns" to see the transforms that deal with name servers. Select "By DNS name – NS (name server)" to get the name server information. This can tell us whether the organization uses a third-party service to host its domain.
Step 4: Identifying DNS Servers
To learn about the DNS servers an organization uses (including the MX and NS servers mentioned above), we can use a set of transforms that was developed for this purpose. This transform set runs ten different transforms, each of which gathers more information about the domain's DNS details. The specific transforms performed in the set are shown below.
To run the entire set, right-click the domain entity we added earlier, then select "PATERVA CTAS" to show the different transform sets. Click the "Run All" icon next to the "DNS from Domain" transform set to run all the transforms it contains.
Once these transforms are complete, the results can be quite dramatic. Below is the result of running this set on a single domain, gap.com. From these pulls alone, we found 183 DNS records, plus additional NS and MX records. We can also see other sites associated with the domain.
Once we've collected all the DNS records, we can move on to the next step.
Step 5: Finding the IP Addresses
Now that we have a set of DNS records, we can resolve them to the IP addresses they point to in order to learn more about the services the organization uses. Many larger organizations host their own services, and this is the point during recon where we can begin to figure out which parts are hosted internally and which externally.