
Expanding the Scope and Gathering Information in Penetration Tests

During a penetration test, the step of collecting information about the target system is very important for expanding the scope. In a blackbox pentest, where only the target domain is known, there are several different methods and tools that can be applied to expand the scope of the scenario.


Penetration tests basically proceed through two different scenarios: internal network and external network tests.

External Network Penetration Tests

If the pentester is on the external network of the system, there are a few preparatory steps to complete before the attack phase. To expand the scope of an external network penetration test successfully, the pentester should answer the following questions:

  • Are there different domains or subdomains connected to the system? (such as – domain; – subdomain)
  • Are there IP addresses, network ranges, and ASN numbers assigned on the target system?
  • What services and open ports are running on the discovered IP addresses?
  • What are the email addresses of people working at the target company?
  • What are the different operating systems and software used by the target company?

In addition, whether the target company has previously suffered a data leak is also of great importance for expanding the scope.

Internal Network Penetration Tests

Let's assume that the pentester has gained access to the internal network, or that the attacker is one of the company's employees. An attack in such a situation can have very different consequences. When the penetration tester is inside the internal network of the target system, they must do the following to expand their working area:

  • If the pentester is on the guest network, they should attempt to reach the internal network ranges.
  • DNS name resolution must be done.


Fingerprinting is the stage in which information is collected in order to expand the scope of a penetration test. In this step, all available information about the target is collected and recorded. Fingerprinting, literally "fingerprint collection", is divided into two parts: Active Information Gathering and Passive Information Gathering.

Passive Information Gathering: the methods applied in this step are:

  • Whois query
  • ASN number
  • Enumeration (mapping) from the domain name
  • Discovery of public IP addresses
  • Reverse DNS lookup via external websites

Active Information Gathering: the methods applied in this step are:

  • Examining DNS, MX, AAAA, and A records
  • Examining DNS Zone transfers
  • Review of SRV records
  • Port scanning studies

If you remember, in the External Network Penetration Tests section of this article we discussed the questions that need to be answered for scope expansion. When those questions are combined with the methods above, the following table emerges:

Question | Methods
Are there different domains or subdomains connected to the system? | Whois; DNS MX/AAAA/A/SRV records; enumeration (mapping) from the domain name
Are there IP addresses, network ranges, and ASN numbers assigned on the target system? | DNS records; ASN number; DNS zone transfers
What services and open ports are running on the discovered IP addresses? | Public IP scans; port scans
What are the email addresses of people working at the target company? | theHarvester; LinkedIn
What are the different operating systems and software used by the target company? | FOCA tool

Passive Information Collection (Passive Fingerprinting)

Whois Query

Whois provides information such as the registration date, expiration date and current status of a domain. It is an internet service that operates on TCP port 43. Whois gives different results depending on whether an IP address or a domain is used in the query:

  • For a domain, it only returns information such as the name of the person or institution that registered the domain.
  • For an IP address, it also returns more sensitive information such as the net-block and ASN number.

It can also be used from the command line on Linux systems with the whois command.


ASN Number (Autonomous System Number)

The IP blocks belonging to the target can be learned by examining the ASN (Autonomous System Number) with which the target company participates in the Border Gateway Protocol (BGP). Using Team Cymru's whois service, the ASN number can be found as follows:

whois -h whois.cymru.com " -v ip_address"
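The verbose Team Cymru output comes back as pipe-separated columns (AS, IP, BGP Prefix, CC, Registry, Allocated, AS Name). The following added example, not code from the original article, parses a constructed sample of that output (documentation addresses and ASNs, not real query results) into the ASN and netblock information the scope-expansion questions ask for, and groups the announced prefixes by AS number; the query_cymru helper shows the same lookup done live over TCP 43 using the server's bulk interface.

```python
import socket
from dataclasses import dataclass

# Constructed sample of Team Cymru "-v" style output. The IPs are from the
# RFC 5737 documentation ranges and the ASNs from the RFC 5398 documentation
# range, so nothing here refers to a real network.
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | example  | 2001-01-01 | EXAMPLE-AS-1, ZZ
64497   | 198.51.100.7     | 198.51.100.0/24     | ZZ | example  | 2002-02-02 | EXAMPLE-AS-2, ZZ
NA      | 203.0.113.5      | NA                  | NA | NA       | NA         | NA
"""


@dataclass(frozen=True)
class AsnRecord:
    asn: int
    ip: str
    prefix: str
    cc: str
    as_name: str


def parse_cymru(text: str) -> list[AsnRecord]:
    """Turn verbose Cymru output into records; skips the header line and any
    row whose AS column is not numeric (an IP that is not announced in BGP)."""
    records = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 7 or not cols[0].isdigit():
            continue
        records.append(AsnRecord(int(cols[0]), cols[1], cols[2], cols[3], cols[6]))
    return records


def netblocks_by_asn(records: list[AsnRecord]) -> dict[int, set[str]]:
    """Group the BGP prefixes by AS number: the netblocks each AS announces."""
    grouped: dict[int, set[str]] = {}
    for rec in records:
        grouped.setdefault(rec.asn, set()).add(rec.prefix)
    return grouped


def query_cymru(ips: list[str], server: str = "whois.cymru.com", timeout: float = 10.0):
    """Live bulk lookup over TCP 43 (needs network access; not used offline).
    The begin/verbose/end framing is the server's bulk query format."""
    payload = "begin\nverbose\n" + "\n".join(ips) + "\nend\n"
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(payload.encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_cymru(b"".join(chunks).decode(errors="replace"))
```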


Detailed information about the target system can be collected with recon-ng, a tool developed for reconnaissance. Some of the commands that can be applied after starting recon-ng are:

  • use recon/domains-hosts/bing_domain_web: Collects information about the target using Bing.
  • use recon/domains-hosts/google_site_web: Collects information about the target using Google.
  • use recon/domains-hosts/brute_hosts: Tries to resolve host names using DNS.
  • use recon/hosts-hosts/resolve: Resolves the hosts' IP addresses.
  • use reporting/csv: Creates a CSV file containing the specified data.

The Harvester

theHarvester is a large-scale information gathering tool. It collects information such as e-mail addresses, virtual hosts, related domain names and Shodan results, and can return detailed information including the server version of the target system and the operating system it is running.

Enumeration from Domain (Mapping with Domain Name)

During scope expansion, pentesters also perform mapping (enumeration) from the domain name. Different methods are used for this:

DNS Dumpster API

DNS Dumpster's API can be used to list subdomains connected to the domain:

curl -s > hostsearch

Additionally different DNS queries can be made:

curl -s > dnslookup

Google Dorking

A wide range of information about the target can be obtained with dorks, the search operators we pass to search engines. Some dorks that can be used are:

  • site: It only lists results related to the specified site.
  • filetype: It only lists files with the specified extension.
  • allinurl/inurl: Lists URL addresses containing the specified parameter.
  • allintitle/intitle: Lists results with a title containing the specified parameter.

Scans of Public IP Addresses

External websites such as Shodan are used to access public information of the IP address.

Reverse DNS Lookups Via External Websites

Even when all the steps above are completed successfully, some IP addresses may still be missed. Reverse DNS analysis through various websites can uncover further IP addresses related to the target.

Websites that can be used for reverse DNS lookups are:

  • Reverse IP Lookup by Domaintools: Returns Whois records and reverse IP queries in domain name queries.
  • Robtex: Lists detailed information about the target domain, such as DNS names, IP addresses, redirects and ASN numbers.

Active Information Collection (Active Fingerprinting)

Once all the information that can be collected without contacting the target has been gathered in the passive step, active information gathering begins, in order to collect more information and gain in-depth knowledge of the target.

Examining DNS, MX, AAAA and A Records

There are some Linux commands that can be used to query DNS, MX, AAAA and A records:

  • host
  • nslookup

DNS Zone Transfer

There are also some Linux commands that can be used to test for DNS zone transfers:

  • host
  • dig
  • dnsrecon
  • DNSEnum

Review of SRV Records

To examine the SRV records related to the target system, the dig, host and nslookup commands can be used.

Internal Network Mapping

After completing the steps above and enumerating the target's external network, mapping should also be done on the internal network.

Defining the Internal Network IP Range

Discovering the IP block of the target system's internal network is also very important to achieve successful results in the later stages of pentesting.

  1. Pinging Gateway IP Addresses

Other IP ranges in use on the internal network can be detected by pinging the likely gateway address of each /24 with the nmap -sn -v -PE 192.168.*.1 command.

  2. Reverse DNS Lookup

After reaching the target's internal network, a reverse DNS lookup can be performed with Nmap. A list scan with the following command returns the hostnames of the IP addresses without sending packets to the hosts themselves:

nmap -sL

Detection of Live IP Addresses

You can check whether a target host is up by performing a ping scan with Nmap. The "nmap -sn -n ip_address" command can be used for this.

Port Scan

After detecting live IP addresses, open ports must be detected. For this, Nmap offers several different options:

  • -sS TCP SYN (stealth) scan: Half-open SYN scan; the handshake is never completed.
  • -sT TCP connect scan: Uses the operating system's connect() call, so a full TCP handshake takes place.
  • -sU UDP scan
  • -sA ACK scan: Used to map firewall rules.
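The difference between -sS and -sT matters for detection: a connect scan completes the three-way handshake, so every probed open port sees an accepted connection that the service and host logs record. The following added example (not code from the original article or from Nmap) implements a minimal connect scan with the OS connect() call, exactly as -sT does, and runs it against a throwaway listener on 127.0.0.1 so it can be tried offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Open a throwaway TCP listener on an OS-chosen port so the demo has a
    known-open port to find. Returns the socket and its port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def connect_scan_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """One connect-scan probe: a full three-way handshake via connect(), which
    is what nmap -sT does. connect_ex() returns 0 when the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def connect_scan(host: str, ports: list[int], workers: int = 32) -> list[int]:
    """Probe the given ports in parallel and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, connect_scan_port(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo() -> dict:
    """Self-contained run: one listening port plus one port that was bound and
    released (so the kernel answers it with RST). Only 127.0.0.1 is touched."""
    srv, open_port = start_listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more
    try:
        found = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    print(demo())
```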

Determining the Versions of Services

The versions of the services running on the target system can be detected with Nmap. The parameter to use for this is "-sV".

SNMP Enumeration

SNMP (Simple Network Management Protocol) is a basic application-layer protocol that assists the network administrator in managing the network. It is designed to facilitate the configuration and control of devices in large-scale networks.

Tools available for SNMP mapping include:

  • snmpcheck
  • snmpwalk

There are also some browser add-ons that can be used for scope expansion in pentests. Plugins such as WhatWeb, Wappalyzer and ChromeSnifferPlus provide various information about the target system.
