How To: Conduct OSINT Recon on a Target Domain with Raccoon Scanner

Reconnaissance is the phase of an attack where a red team or hacker designs a strategy based on the information they can learn about the target, as well as what the available attack surface looks like. These scans can take time to discover relationships, but Raccoon OSINT scanner coordinates multiple automated scans to produce invasively detailed reports on a target with a single command.

Data about a website like the software powering it, URL registration information, and network information such as associated IP addresses are critical for a hacker to identify which attack might be the most effective. Rather than running separate scans to gather this information, Raccoon scanner forages for available information on targeted domains with a single command.

Domain OSINT Really Fast

While scanners like Nmap are typical for recon, discerning relationships is often better left to tools like Maltego. In general, Maltego is an excellent tool for discovering relationships and digging deep, but with the Classic edition coming at a substantial price tag, not everyone has access to everything Maltego offers. The community edition restricts how many results are returned, so it is not always the ideal choice for recon.

On the flip side, Nmap can be better for learning about what ports are open or what types of services are running, allowing you to quickly discern what kind of setup might be running on the other end of a connection. Besides Nmap, there are a large number of different scanners that can be used to gather OSINT information on a target autonomously. In fact, Sn1per is another tool for recon automation that also takes the step of doing vulnerability testing.

What You'll Need

To get started, you'll need to have Kali Linux installed and fully updated (apt update). Also, I found that the installation instructions included on GitHub for Raccoon Scanner didn't work on my Kali system; because they used Python pip, I used pip3 to install Raccoon scanner instead, which worked fine. If you don't have pip3 installed, you can install it with the following apt install command.

apt update
apt install python3-pip

Step 1: Install Raccoon Scanner

To install Raccoon scanner, you can simply type the following command.

pip3 install raccoon_scanner

If this doesn't work, you can also try installing it manually from the tool's GitHub page using the usual git clone method.

Step 2: View Options & Filters

To get started, you can type raccoon --help to see a list of all of the available filters. Since Priceline left me stranded in the hot Nevada desert yesterday, I wanted to use Priceline.com as a test, but after one scan, we found their website blocked our IP address for a week. Be aware Raccoon scanner can trigger this kind of defensive behavior! Because of priceline.com's reaction, we'll be using pbs.org instead.

We can indicate the target we want to use by typing a -t before the website we want to search for.

Usage: raccoon [OPTIONS]

Options:
  --version                      Show the version and exit.
  -t, --target TEXT              Target to scan  [required]
  -d, --dns-records TEXT         Comma separated DNS records to query.
                                 Defaults to: A,MX,NS,CNAME,SOA,TXT
  --tor-routing                  Route HTTP traffic through Tor (uses port
                                 9050). Slows total runtime significantly
  --proxy-list TEXT              Path to proxy list file that would be used
                                 for routing HTTP traffic. A proxy from the
                                 list will be chosen at random for each
                                 request. Slows total runtime
  -c, --cookies TEXT             Comma separated cookies to add to the
                                 requests. Should be in the form of key:value
                                 Example: PHPSESSID:12345,isMobile:false
  --proxy TEXT                   Proxy address to route HTTP traffic through.
                                 Slows total runtime
  -w, --wordlist TEXT            Path to wordlist that would be used for URL
                                 fuzzing
  -T, --threads INTEGER          Number of threads to use for URL
                                 Fuzzing/Subdomain enumeration. Default: 25
  --ignored-response-codes TEXT  Comma separated list of HTTP status code to
                                 ignore for fuzzing. Defaults to:
                                 302,400,401,402,403,404,503,504
  --subdomain-list TEXT          Path to subdomain list file that would be
                                 used for enumeration
  -sc, --scripts                 Run Nmap scan with -sC flag
  -sv, --services                Run Nmap scan with -sV flag
  -f, --full-scan                Run Nmap scan with both -sV and -sC
  -p, --port TEXT                Use this port range for Nmap scan instead of
                                 the default
  -fr, --follow-redirects        Follow redirects when fuzzing. Default: False
                                 (will not follow redirects)
  --tls-port INTEGER             Use this port for TLS queries. Default: 443
  --skip-health-check            Do not test for target host availability
  --no-url-fuzzing               Do not fuzz URLs
  --no-sub-enum                  Do not bruteforce subdomains
  --skip-nmap-scan               Do not perform an Nmap scan
  -q, --quiet                    Do not output to stdout
  -o, --outdir TEXT              Directory destination for scan output
  --help                         Show this message and exit.

If you want to have an increased buffer between you and your target, you can start a Tor service so that all of the scans against your target occur through a Tor relay. To do so, type tor in another terminal window to start a new Tor session, and then type --tor-routing after your target to indicate that Raccoon should connect through Tor.

root@nullbyte:~# raccoon -t priceline.com --tor-routing

 _____                _____    _____    ____     ____    _   _
|  __ \      /\      / ____|  / ____|  / __ \   / __ \  | \ | |
| |__) |    /  \    | |      | |      | |  | | | |  | | |  \| |
|  _  /    / /\ \   | |      | |      | |  | | | |  | | | . ' |
| | \ \   / ____ \  | |____  | |____  | |__| | | |__| | | |\  |
|_|  \_\ /_/    \_\  \_____|  \_____|  \____/   \____/  |_| \_|

4841434b544845504c414e4554

https://github.com/evyatarmeged/Raccoon
----------------------------------------------------------------------------

[!] Testing that Tor service is up...
[!] Validated Tor service is up. Routing traffic anonymously.

### Raccoon Scan Started ###

[#] Trying to gather information about host: priceline.com
[!] Found priceline.com to be a naked domain
[v] Writing DNS query results

[#] Setting Nmap scan to run in the background
[#] Nmap script to run: nmap -Pn priceline.com
[v] Nmap scan started

It's worth pointing out that Tor exit nodes are notoriously "dirty," meaning malicious traffic is regularly detected coming from them. Many websites will outright block traffic from Tor because they know it has a high likelihood of being malicious, leading to the scanner being unable to retrieve any results.

Step 3: Select & Scan a Target Domain

We'll do a scan on pbs.org using a Tor proxy. One thing to note is that, due to abuse, many domains blacklist Tor-based IP addresses, which means using a Tor relay may produce fewer results than using a non-"dirty" IP address. Because Tor can be used by anyone, many website operators treat Tor traffic as inherently suspicious.

To begin our scan, we can type the following.

raccoon -t pbs.org --tor-routing

This scan will run for a long time, depending on the size of the target surface area. If you are using the --tor-routing flag, this will also increase the run time. If you find it running too slowly and don't care that the target is being scanned by your IP address, you can also do this step without the Tor relay and use a VPN or proxy.

Step 4: Navigate to the Results & Read Reports

Once the scan is complete, a folder will be created to hold the results of the scan. To find these, type the following into a terminal window to change (cd) into your home directory, then into the scan results folder, then list (ls) its contents.

cd
cd Raccoon_scan_results
ls

Now, you should see a list of every website you've run a report against. To proceed, we'll type cd pbs.org because that is the last scan we ran. Finally, we can type ls to see all of the text files available in the report. To open these, we'll use nano.

root@nullbyte:~# ls
 airgeddon  Documents   modwifi     Pictures    Raccoon                  Templates
 Desktop    Downloads   Music       Public      Raccoon_scan_results    'respero.pca'
root@nullbyte:~# cd Raccoon_scan_results
root@nullbyte:~/Raccoon_scan_results# ls
pbs.org
root@nullbyte:~/Raccoon_scan_results# cd pbs.org
root@nullbyte:~/Raccoon_scan_results/pbs.org# ls
dns_mapping.png     nmap_scan.txt   subdomain_fuzz.txt  tls_report.txt  WAF.txt
dns_records.txt     robots.txt      subdomains.txt      url_fuzz.txt    web_scan.txt
root@nullbyte:~/Raccoon_scan_results/pbs.org#

Step 5: Interpret the Scan Reports

To start interpreting the results, we can begin by opening the results of the Nmap scan with nano nmap_scan.txt. With it, we can see the IP address of pbs.org, as well as all of the ports discovered. We can close this window by typing Ctrl-X.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 02:10 PDT
Nmap scan report for pbs.org (54.225.206.152)
Host is up (0.096s latency).
Other addresses for pbs.org (not scanned): 54.225.198.196
rDNS record for 54.225.206.152: ec2-54-225-206-152.compute-1.amazonaws.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

Here, we see that the IP address for pbs.org is 54.225.206.152 and has the expected ports 80 and 443 open to serve web traffic. We can also see a "compute-1.amazonaws.com" address under the rDNS record, giving us initial clues about the service provider used.

Next, we can see a list of subdomains we've discovered beneath the main domain by typing nano subdomains.txt. This list can be used to further identify vulnerabilities by feeding the results to a vulnerability scanner like Nikto.

[#] Enumerating Subdomains
[!] Trying to find Subdomains in SANs list
[v] Subdomain detected: ops.pbs.org
[v] Subdomain detected: sentry.pbs.org
[v] Subdomain detected: www-cache.pbs.org
[v] Subdomain detected: jaws.pbs.org
[v] Subdomain detected: video.pbs.org
[v] Subdomain detected: image.pbs.org
[v] Subdomain detected: player.pbs.org
[v] Subdomain detected: login.pbs.org
[v] Subdomain detected: admin.pbs.org
[v] Subdomain detected: teacherline.pbs.org
[v] Subdomain detected: git.pbs.org
[v] Subdomain detected: dipsy-tc.pbs.org
[v] Subdomain detected: koth-qa.svp.pbs.org
[v] Subdomain detected: heart.ops.pbs.org
[v] Subdomain detected: account.pbs.org
[v] Subdomain detected: weta-qa.svp.pbs.org
[v] Subdomain detected: wnet.video-qa.pbs.org
[v] Subdomain detected: www.pbs.org
[v] Subdomain detected: wnet.video-staging.pbs.org
[v] Subdomain detected: docs.pbs.org
[v] Subdomain detected: projects.pbs.org
[v] Subdomain detected: whut-qa.svp.pbs.org
[v] Subdomain detected: ga.video.cdn.pbs.org
[v] Subdomain detected: kids.pbs.org
[v] Subdomain detected: urs.pbs.org
[!] Trying to discover subdomains in Google
[v] Detected subdomain through Google dorking: shop.pbs.org
[v] Detected subdomain through Google dorking: Labto.pbs.org
[v] Detected subdomain through Google dorking: to.pbs.org
[v] Detected subdomain through Google dorking: LearningMediato.pbs.org
[v] Detected subdomain through Google dorking: Timeto.pbs.org
[v] Detected subdomain through Google dorking: Playto.pbs.org
[v] Detected subdomain through Google dorking: YouTubeto.pbs.org
[v] Detected subdomain through Google dorking: Podcaststo.pbs.org
[v] Detected subdomain through Google dorking: Mediumto.pbs.org
[v] Detected subdomain through Google dorking: KIDSto.pbs.org
[v] Detected subdomain through Google dorking: Mediato.pbs.org
[v] Detected subdomain through Google dorking: PBSKidsto.pbs.org
[!] Trying to extract subdomains from DNS dumpster
[x] Failed to query DNS dumpster for subdomains
[!] Bruteforcing subdomains
[#] Done enumerating Subdomains
[#] Enumerating Subdomains
[!] Trying to find Subdomains in SANs list
[v] Subdomain detected: git.pbs.org
[v] Subdomain detected: login.pbs.org
[v] Subdomain detected: projects.pbs.org
[v] Subdomain detected: ga.video.cdn.pbs.org
[v] Subdomain detected: dipsy-tc.pbs.org
[v] Subdomain detected: whut-qa.svp.pbs.org
[v] Subdomain detected: heart.ops.pbs.org
[v] Subdomain detected: player.pbs.org
[v] Subdomain detected: jaws.pbs.org
[v] Subdomain detected: kids.pbs.org
[v] Subdomain detected: account.pbs.org
[v] Subdomain detected: teacherline.pbs.org
[v] Subdomain detected: www-cache.pbs.org
[v] Subdomain detected: image.pbs.org
[v] Subdomain detected: admin.pbs.org
[v] Subdomain detected: koth-qa.svp.pbs.org
[v] Subdomain detected: urs.pbs.org
[v] Subdomain detected: ops.pbs.org
[v] Subdomain detected: wnet.video-staging.pbs.org
[v] Subdomain detected: weta-qa.svp.pbs.org
[v] Subdomain detected: sentry.pbs.org
[v] Subdomain detected: video.pbs.org
[v] Subdomain detected: wnet.video-qa.pbs.org
[v] Subdomain detected: www.pbs.org
[v] Subdomain detected: docs.pbs.org
[!] Trying to discover subdomains in Google
[v] Detected subdomain through Google dorking: KIDSto.pbs.org
[v] Detected subdomain through Google dorking: PBSKidsto.pbs.org
[v] Detected subdomain through Google dorking: Playto.pbs.org
[v] Detected subdomain through Google dorking: Avenueto.pbs.org
[v] Detected subdomain through Google dorking: Initiativeto.pbs.org
[v] Detected subdomain through Google dorking: shop.pbs.org
[v] Detected subdomain through Google dorking: Rewireto.pbs.org
[v] Detected subdomain through Google dorking: YouTubeto.pbs.org
[v] Detected subdomain through Google dorking: to.pbs.org
[!] Trying to extract subdomains from DNS dumpster
[v] Found subdomain in DNS dumpster: dam-qa.pbs.org
[v] Found subdomain in DNS dumpster: fc.pbs.org
[v] Found subdomain in DNS dumpster: sentry-poc.pbs.org
[v] Found subdomain in DNS dumpster: dam-v6poc.pbs.org
[v] Found subdomain in DNS dumpster: source.pbs.org
[v] Found subdomain in DNS dumpster: ocsedge.pbs.org
[v] Found subdomain in DNS dumpster: stationexchange.pbs.org
[v] Found subdomain in DNS dumpster: people.pbs.org
[v] Found subdomain in DNS dumpster: webportal.pbs.org
[v] Found subdomain in DNS dumpster: dam.pbs.org
[v] Found subdomain in DNS dumpster: itdrvpn.pbs.org
[v] Found subdomain in DNS dumpster: remoteapp.pbs.org
[v] Found subdomain in DNS dumpster: soup.pbs.org
[v] Found subdomain in DNS dumpster: images.pbs.org
[v] Found subdomain in DNS dumpster: shares.pbs.org
[v] Found subdomain in DNS dumpster: adfs.pbs.org
[v] Found subdomain in DNS dumpster: clips.pbs.org
[v] Found subdomain in DNS dumpster: creativelabrequest.pbs.org
[v] Found subdomain in DNS dumpster: tableau.pbs.org
[v] Found subdomain in DNS dumpster: dam-dev.pbs.org
[v] Found subdomain in DNS dumpster: 3770-anlz01.pbs.org
[v] Found subdomain in DNS dumpster: 3770-anlz02.pbs.org
[v] Found subdomain in DNS dumpster: 3770-anlz03.pbs.org
[v] Found subdomain in DNS dumpster: 3770-anlz04.pbs.org
[v] Found subdomain in DNS dumpster: mediasoc.pbs.org
[v] Found subdomain in DNS dumpster: audio.pbs.org
[v] Found subdomain in DNS dumpster: mail.pbs.org
[v] Found subdomain in DNS dumpster: autodiscover.pbs.org
[v] Found subdomain in DNS dumpster: backup.vpn.pbs.org
[v] Found subdomain in DNS dumpster: bvweb.pbs.org
[v] Found subdomain in DNS dumpster: dam1-ext.pbs.org
[v] Found subdomain in DNS dumpster: dam2-ext.pbs.org
[v] Found subdomain in DNS dumpster: dns2.pbs.org
[v] Found subdomain in DNS dumpster: dns4.pbs.org
[v] Found subdomain in DNS dumpster: drlist.pbs.org
[v] Found subdomain in DNS dumpster: drmail.pbs.org
[v] Found subdomain in DNS dumpster: ed-dev.pbs.org
[v] Found subdomain in DNS dumpster: r53-vip.pbs.org
[v] Found subdomain in DNS dumpster: open.pbs.org
[v] Found subdomain in DNS dumpster: r53-api-vip.pbs.org
[v] Found subdomain in DNS dumpster: teacherline.pbs.org
[v] Found subdomain in DNS dumpster: www.teacherline.pbs.org
[v] Found subdomain in DNS dumpster: search.pbs.org
[v] Found subdomain in DNS dumpster: newshour.pbs.org
[v] Found subdomain in DNS dumpster: producers.pbs.org
[v] Found subdomain in DNS dumpster: misc-redirect.pbs.org
[v] Found subdomain in DNS dumpster: edsearch.pbs.org
[v] Found subdomain in DNS dumpster: excl.pbs.org
[v] Found subdomain in DNS dumpster: ntbvpn.pbs.org
[v] Found subdomain in DNS dumpster: freshdesk2smartbear.pbs.org
[v] Found subdomain in DNS dumpster: ftp2.pbs.org
[v] Found subdomain in DNS dumpster: itdr.vpn.pbs.org
[v] Found subdomain in DNS dumpster: listserv.pbs.org
[v] Found subdomain in DNS dumpster: mail.public.pbs.org
[v] Found subdomain in DNS dumpster: mxgw1.pbs.org
[v] Found subdomain in DNS dumpster: mxgw2.pbs.org
[v] Found subdomain in DNS dumpster: mxout.pbs.org
[v] Found subdomain in DNS dumpster: ntb.vpn.pbs.org
[v] Found subdomain in DNS dumpster: mft-v6poc.pbs.org
[v] Found subdomain in DNS dumpster: orion.pbs.org
[v] Found subdomain in DNS dumpster: pbsftp.pbs.org
[v] Found subdomain in DNS dumpster: primary.vpn.pbs.org
[v] Found subdomain in DNS dumpster: pss.pbs.org
[v] Found subdomain in DNS dumpster: scand01.pbs.org
[v] Found subdomain in DNS dumpster: techops.pbs.org
[v] Found subdomain in DNS dumpster: sip.pbs.org
[v] Found subdomain in DNS dumpster: ildbcl3.pbs.org
[v] Found subdomain in DNS dumpster: pbsvideodb.pbs.org
[v] Found subdomain in DNS dumpster: mft.pbs.org
[v] Found subdomain in DNS dumpster: smtp1.pbs.org
[v] Found subdomain in DNS dumpster: smtp2.pbs.org
[v] Found subdomain in DNS dumpster: stageftp.pbs.org
[v] Found subdomain in DNS dumpster: stwebservices.pbs.org
[v] Found subdomain in DNS dumpster: tlcftest.pbs.org
[v] Found subdomain in DNS dumpster: tllinux2.pbs.org
[v] Found subdomain in DNS dumpster: mobile.pbs.org
[v] Found subdomain in DNS dumpster: tlreal.pbs.org
[v] Found subdomain in DNS dumpster: videoindex.pbs.org
[v] Found subdomain in DNS dumpster: producersworkshop.pbs.org
[v] Found subdomain in DNS dumpster: webftp2.pbs.org
[!] Bruteforcing subdomains
[#] Done enumerating Subdomains

Next, we can take a look at the results from attempting to brute-force common subdomains with Raccoon's built-in wordlist, saved under "subdomain_fuzz.txt." If the website uses wildcards, we're likely to see a false positive for every attempt from the wordlist. Here, we see a limited response, indicating these are likely valid domains.

[#] Reading from list: /usr/local/lib/python3.6/dist-packages/raccoon_src/wordlists/subdomains
	[301] http://beta.pbs.org redirects to https://beta.pbs.org/
	[301] http://WWW.pbs.org redirects to https://www.pbs.org/
	[301] http://blogs.pbs.org redirects to http://www.pbs.org
	[200] http://admin.pbs.org
	[200] http://webdisk.video.pbs.org
	[405] http://sentry.pbs.org
	[301] http://development.pbs.org redirects to http://www.pbs.org/development/
	[200] http://services.pbs.org
	[301] http://kids.pbs.org redirects to http://pbskids.org/
	[301] http://shop.pbs.org redirects to https://shop.pbs.org/
	[301] http://api.pbs.org redirects to http://api.pbs.org/admin/
	[200] http://autodiscover.video.pbs.org
	[200] http://log.pbs.org
	[301] http://chrome.pbs.org redirects to http://jaws.pbs.org/
	[301] http://merlin.pbs.org redirects to http://merlin.pbs.org/django-admin/
	[301] http://login.pbs.org redirects to https://account.pbs.org/
	[301] http://www.shop.pbs.org redirects to https://shop.pbs.org/
	[200] http://autoconfig.video.pbs.org
	[301] http://open.pbs.org redirects to https://open.pbs.org/
	[200] http://dev.pbs.org
	[301] http://search.pbs.org redirects to http://www.pbs.org/search/
	[301] http://cgi.pbs.org redirects to http://www.pbs.org/
	[200] http://ops.pbs.org
	[301] http://qa.pbs.org redirects to https://qa.pbs.org/
	[301] http://account.pbs.org redirects to https://account.pbs.org/
	[301] http://www.video.pbs.org redirects to http://video.pbs.org/
	[301] http://sales.pbs.org redirects to http://www.pbs.org/development/category/corporatesupport/
	[301] http://video.pbs.org redirects to http://www.pbs.org/video/
[#] Reading from list: /usr/local/lib/python3.6/dist-packages/raccoon_src/wordlists/subdomains
	[301] http://beta.pbs.org redirects to https://beta.pbs.org/
	[301] http://api.pbs.org redirects to http://api.pbs.org/admin/
	[301] http://WWW.pbs.org redirects to https://www.pbs.org/
	[200] http://dev.pbs.org
	[301] http://account.pbs.org redirects to https://account.pbs.org/
	[301] http://video.pbs.org redirects to http://www.pbs.org/video/
	[200] http://ops.pbs.org
	[200] http://admin.pbs.org
	[301] http://search.pbs.org redirects to http://www.pbs.org/search/
	[405] http://sentry.pbs.org
	[301] http://cgi.pbs.org redirects to http://www.pbs.org/
	[200] http://services.pbs.org
	[200] http://autoconfig.video.pbs.org
	[301] http://open.pbs.org redirects to https://open.pbs.org/
	[301] http://qa.pbs.org redirects to https://qa.pbs.org/
	[200] http://log.pbs.org
	[301] http://shop.pbs.org redirects to https://shop.pbs.org/
	[301] http://login.pbs.org redirects to https://account.pbs.org/
	[301] http://www.video.pbs.org redirects to http://video.pbs.org/
	[301] http://www.shop.pbs.org redirects to https://shop.pbs.org/
	[200] http://webdisk.video.pbs.org
	[301] http://blogs.pbs.org redirects to http://www.pbs.org
	[301] http://chrome.pbs.org redirects to http://jaws.pbs.org/
	[301] http://development.pbs.org redirects to http://www.pbs.org/development/
	[301] http://sales.pbs.org redirects to http://www.pbs.org/development/category/corporatesupport/
	[301] http://kids.pbs.org redirects to http://pbskids.org/
	[301] http://merlin.pbs.org redirects to http://merlin.pbs.org/django-admin/
	[200] http://autodiscover.video.pbs.org
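
An added example, not part of the original article or of Raccoon itself: a parser for subdomains.txt and subdomain_fuzz.txt that strips the colour codes, merges the appended scan runs, and builds one inventory showing which names have first-hand evidence and which hosts answer over plain HTTP without upgrading to HTTPS. The example.org lines are constructed in the reports' format; the evidence rule, the 0.9 wildcard threshold, the wordlist size of 1000 and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Colour codes are written into the reports as ESC[...m. The ESC byte is often
# lost when the text is pasted, leaving "[1;32m" behind, so match both forms.
ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")
SUB_LINE = re.compile(r"^\[v\]\s+(.+?):\s+(\S+)$")
FUZZ_LINE = re.compile(r"^\[(\d{3})\]\s+(\S+)(?:\s+redirects to\s+(\S+))?$")
HOST = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SOURCES = {  # message prefix in subdomains.txt -> short source tag
    "Subdomain detected": "san",
    "Detected subdomain through Google dorking": "google",
    "Found subdomain in DNS dumpster": "dnsdumpster",
}

# Constructed sample input in the reports' format (two appended runs each).
SUB_SAMPLE = """[1;34m[#][0;0m Enumerating Subdomains
[1;32m[v][0;0m Subdomain detected: admin.example.org
[1;32m[v][0;0m Subdomain detected: *.example.org
\x1b[1;32m[v]\x1b[0;0m Subdomain detected: login.example.org
[1;32m[v][0;0m Detected subdomain through Google dorking: shop.example.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Labto.example.org
[1;34m[#][0;0m Enumerating Subdomains
[1;32m[v][0;0m Subdomain detected: admin.example.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mail.example.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: shop.example.org
"""
FUZZ_SAMPLE = """[1;34m[#][0;0m Reading from list: /path/to/wordlists/subdomains
\t[1;34m[301][0;0m http://WWW.example.org redirects to https://www.example.org/
\t[1;32m[200][0;0m http://admin.example.org
\t[1;34m[301][0;0m http://blogs.example.org redirects to http://www.example.org
\t[1;31m[405][0;0m http://sentry.example.org
[1;34m[#][0;0m Reading from list: /path/to/wordlists/subdomains
\t[1;34m[301][0;0m http://shop.example.org redirects to https://shop.example.org/
\t[1;32m[200][0;0m http://admin.example.org
"""


def parse_subdomains(text):
    """Return {hostname: set(source tags)}, merged across appended runs."""
    found = defaultdict(set)
    for raw in text.splitlines():
        m = SUB_LINE.match(ANSI.sub("", raw).strip())
        if not m or m.group(1) not in SOURCES:
            continue
        host = m.group(2).lower().rstrip(".")
        if HOST.match(host):  # rejects wildcard entries and malformed names
            found[host].add(SOURCES[m.group(1)])
    return dict(found)


def parse_fuzz(text):
    """Return {hostname: (status, redirect target or None)}, de-duplicated."""
    hits = {}
    for raw in text.splitlines():
        m = FUZZ_LINE.match(ANSI.sub("", raw).strip())
        host = urlsplit(m.group(2)).hostname if m else None  # lower-cased
        if host:
            hits[host] = (int(m.group(1)), m.group(3))
    return hits


def https_upgrade(status, target):
    """True: redirected to https. False: stayed on plain http. None: no data."""
    if target:
        return urlsplit(target).scheme == "https"
    return False if status is not None and 200 <= status < 300 else None


def wildcard_suspected(hits, wordlist_size, threshold=0.9):
    """Flag a run where nearly every wordlist entry got a hit (assumed threshold)."""
    return wordlist_size > 0 and len(hits) / wordlist_size >= threshold


def build_inventory(sub_text, fuzz_text):
    """Merge both reports into {hostname: {sources, evidence, https_upgrade}}."""
    subs, fuzz = parse_subdomains(sub_text), parse_fuzz(fuzz_text)
    inventory = {}
    for host in sorted(set(subs) | set(fuzz)):
        sources = set(subs.get(host, ()))
        if host in fuzz:
            sources.add("http")
        # Assumed rule: a certificate SAN or an HTTP answer is first-hand
        # evidence; a name seen only in third-party data still needs checking.
        first_hand = bool(sources & {"san", "http"})
        inventory[host] = {
            "sources": sorted(sources),
            "evidence": "first-hand" if first_hand else "unverified",
            "https_upgrade": https_upgrade(*fuzz.get(host, (None, None))),
        }
    return inventory


if __name__ == "__main__":
    for host, row in build_inventory(SUB_SAMPLE, FUZZ_SAMPLE).items():
        print(host, row["evidence"], row["https_upgrade"], ",".join(row["sources"]))
    print("wildcard suspected:", wildcard_suspected(parse_fuzz(FUZZ_SAMPLE), 1000))  # 1000: constructed size
```

For a domain owner, the rows with https_upgrade set to False are the hosts still serving or redirecting over plain HTTP, and the "unverified" rows are names to confirm in DNS before treating them as part of the exposed surface.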

Next, we can examine the way the website encrypts its traffic by opening the "tls_report.txt" file.

[#] Started collecting TLS data for pbs.org
[#] Done collecting TLS data
[v] Supported Ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

--------------------------------------------------------------------------------

SNI Data:

TLSv1: True

TLSv1.1: True

TLSv1.2: True

SANs:
---------------
 ops.pbs.org
sentry.pbs.org
www-cache.pbs.org
jaws.pbs.org
video.pbs.org
image.pbs.org
player.pbs.org
login.pbs.org
pbs.org
admin.pbs.org
teacherline.pbs.org
git.pbs.org
dipsy-tc.pbs.org
koth-qa.svp.pbs.org
heart.ops.pbs.org
account.pbs.org
weta-qa.svp.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
wnet.video-staging.pbs.org
docs.pbs.org
projects.pbs.org
whut-qa.svp.pbs.org
ga.video.cdn.pbs.org
kids.pbs.org
urs.pbs.org
---------------

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f2:63:93:70:71:b1:fd:40:cc:f7:e9:dc:c3:b2:30:11:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Jul  5 08:31:20 2018 GMT
            Not After : Oct  3 08:31:20 2018 GMT
        Subject: CN = www.pbs.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                76:AD:A5:A1:7C:26:43:2E:5B:91:7F:42:72:21:FE:3C:FA:4F:48:3A
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Jul  5 09:31:20.892 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Jul  5 09:31:20.909 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: sha256WithRSAEncryption
--------------------------------------------------------------------------------

non-SNI Data:

TLSv1: True

TLSv1.1: True

TLSv1.2: True

SANs:
---------------
 ops.pbs.org
sentry.pbs.org
www-cache.pbs.org
jaws.pbs.org
video.pbs.org
image.pbs.org
player.pbs.org
login.pbs.org
pbs.org
admin.pbs.org
teacherline.pbs.org
git.pbs.org
dipsy-tc.pbs.org
koth-qa.svp.pbs.org
heart.ops.pbs.org
account.pbs.org
weta-qa.svp.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
wnet.video-staging.pbs.org
docs.pbs.org
projects.pbs.org
whut-qa.svp.pbs.org
ga.video.cdn.pbs.org
kids.pbs.org
urs.pbs.org
---------------

Same as SNI Certificate
[#] Started collecting TLS data for pbs.org
[#] Done collecting TLS data
[v] Supported Ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - WEAK
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

--------------------------------------------------------------------------------

SNI Data:

TLSv1: True

TLSv1.1: True

TLSv1.2: True

SANs:
---------------
 git.pbs.org
login.pbs.org
projects.pbs.org
ga.video.cdn.pbs.org
dipsy-tc.pbs.org
whut-qa.svp.pbs.org
heart.ops.pbs.org
player.pbs.org
jaws.pbs.org
kids.pbs.org
account.pbs.org
teacherline.pbs.org
www-cache.pbs.org
image.pbs.org
admin.pbs.org
koth-qa.svp.pbs.org
urs.pbs.org
ops.pbs.org
wnet.video-staging.pbs.org
weta-qa.svp.pbs.org
sentry.pbs.org
video.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
docs.pbs.org
pbs.org
---------------

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f2:63:93:70:71:b1:fd:40:cc:f7:e9:dc:c3:b2:30:11:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Jul  5 08:31:20 2018 GMT
            Not After : Oct  3 08:31:20 2018 GMT
        Subject: CN = www.pbs.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                76:AD:A5:A1:7C:26:43:2E:5B:91:7F:42:72:21:FE:3C:FA:4F:48:3A
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Jul  5 09:31:20.892 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Jul  5 09:31:20.909 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: sha256WithRSAEncryption
--------------------------------------------------------------------------------

non-SNI Data:

TLSv1: True

TLSv1.1: True

TLSv1.2: True

SANs:
---------------
 git.pbs.org
login.pbs.org
projects.pbs.org
ga.video.cdn.pbs.org
dipsy-tc.pbs.org
whut-qa.svp.pbs.org
heart.ops.pbs.org
player.pbs.org
jaws.pbs.org
kids.pbs.org
account.pbs.org
teacherline.pbs.org
www-cache.pbs.org
image.pbs.org
admin.pbs.org
koth-qa.svp.pbs.org
urs.pbs.org
ops.pbs.org
wnet.video-staging.pbs.org
weta-qa.svp.pbs.org
sentry.pbs.org
video.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
docs.pbs.org
pbs.org
---------------

Same as SNI Certificate

This is a lot of information! Most importantly, we have gotten a warning about a high-severity vulnerability in the website's Transport Layer Security (TLS) configuration. In the report, we see the following warning:

64-bit block cipher 3DES vulnerable to SWEET32 attack

This vulnerability, known as the "SWEET32" attack or CVE-2016-2183, could allow an attacker to intercept and modify traffic between a visitor to the website and the server. We reported this vulnerability to pbs.org during the course of making this article.
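For whoever runs the server, the same cipher listing works as a remediation checklist. The following is an added example (not part of Raccoon or of the original article) that parses a report in the layout shown above and lists the protocol versions and cipher suites to turn off; the sample text is constructed and trimmed, and the function names are illustrative.

```python
import re

# Constructed, trimmed sample in the layout of the cipher listing above. The
# saved report can carry terminal colour codes; the parser strips them.
SAMPLE_REPORT = """\
[1;32m[v][0;0m Supported Ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - \x1b[1;31mWEAK\x1b[0;0m
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
\x1b[1;31m|       64-bit block cipher 3DES vulnerable to SWEET32 attack\x1b[0;0m
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
[1;31m|       64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
|_  least strength: C
"""

ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")      # colour codes, with or without the ESC byte
PROTO = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):$")
CIPHER = re.compile(r"^\|\s+(TLS_\w+) \(([^)]+)\) - ([A-F])")
LEAST = re.compile(r"^\|_\s+least strength: ([A-F])")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996


def parse_report(text):
    """Return ({protocol: {"ciphers": [(name, kex, grade)], "warnings": [str]}}, least_grade)."""
    protocols, current, section, least = {}, None, None, None
    for raw in text.splitlines():
        line = ANSI.sub("", raw).rstrip()
        if m := PROTO.match(line):
            current = protocols.setdefault(m.group(1), {"ciphers": [], "warnings": []})
            section = None
        elif m := LEAST.match(line):
            least = m.group(1)
        elif current is None:
            continue                      # banner lines before the first protocol block
        elif line.endswith("ciphers:"):
            section = "ciphers"
        elif line.endswith("warnings:"):
            section = "warnings"
        elif line.endswith("compressors:") or "cipher preference:" in line:
            section = None
        elif section == "ciphers" and (m := CIPHER.match(line)):
            current["ciphers"].append(m.groups())
        elif section == "warnings":
            current["warnings"].append(line.lstrip("| "))
    return protocols, least


def weak_suites(protocols, min_grade="A"):
    """Unique cipher-suite names graded below min_grade, for the server's disable list."""
    return sorted({n for d in protocols.values() for n, _, g in d["ciphers"] if g > min_grade})


def findings(protocols, least, min_grade="A"):
    """Turn the parsed report into remediation items for the server owner."""
    out = []
    for proto, data in sorted(protocols.items()):
        if proto in DEPRECATED:
            out.append(f"{proto}: deprecated protocol version enabled")
        for name, _kex, grade in data["ciphers"]:
            if grade > min_grade:         # grades are letters, so "C" > "A"
                out.append(f"{proto}: disable {name} (grade {grade})")
        out.extend(f"{proto}: {w}" for w in data["warnings"])
    if least and least > min_grade:
        out.append(f"overall least strength {least}")
    return out


if __name__ == "__main__":
    parsed, least_grade = parse_report(SAMPLE_REPORT)
    print("\n".join(findings(parsed, least_grade)))
```

Removing the suites that `weak_suites` returns from the server's cipher list clears the 3DES warning for every protocol version at once.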

Next, we can take a look at the dns_records.txt file to learn more about the domain's IP addresses.

[v] Writing DNS query results
A

	54.225.198.196
	54.225.206.152
MX

	10 mxgw2.pbs.org.
	20 mxgw1.pbs.org.
NS

	ns1.p10.dynect.net.
	ns2.p10.dynect.net.
	ns4.p10.dynect.net.
	ns3.p10.dynect.net.
SOA

	ns1.p10.dynect.net. dnssupport.verisign-grs.com. 1534492239 3600 600 604800 1800
TXT

	"HOLciSiucyx9z9GJ0guhSicbiLe0Rm3WCSDQVy0AHuanMAOgr82WpdSHdFOw0HqcSaW6kuo5DAegSm0PC1ALJg=="
	"detectify-verification=1583bf00b85b6570195c4ec81a2625ae"
	"MS=ms58428140"
	"v=spf1 include:stspg-customer.com a:listserv.pbs.org a:smtp1.pbs.org a:smtp2.pbs.org a:mxout.pbs.org a:servers.mcsv.net include:k12msg.com ip4:184.173.19.244/30 ~all"
	"status-page-domain-verification=g90gln3s127q"
	"facebook-domain-verification=hxcquifih7vsf9z0u39e2t2ks317j6"
[v] Writing DNS query results
A

	54.225.206.152
	54.225.198.196
MX

	20 mxgw1.pbs.org.
	10 mxgw2.pbs.org.
NS

	ns3.p10.dynect.net.
	ns4.p10.dynect.net.
	ns1.p10.dynect.net.
	ns2.p10.dynect.net.
SOA

	ns1.p10.dynect.net. dnssupport.verisign-grs.com. 1534979967 3600 600 604800 1800
TXT

	"HOLciSiucyx9z9GJ0guhSicbiLe0Rm3WCSDQVy0AHuanMAOgr82WpdSHdFOw0HqcSaW6kuo5DAegSm0PC1ALJg=="
	"detectify-verification=1583bf00b85b6570195c4ec81a2625ae"
	"v=spf1 include:stspg-customer.com a:listserv.pbs.org a:smtp1.pbs.org a:smtp2.pbs.org a:mxout.pbs.org a:servers.mcsv.net include:k12msg.com ip4:184.173.19.244/30 ~all"
	"facebook-domain-verification=hxcquifih7vsf9z0u39e2t2ks317j6"
	"status-page-domain-verification=g90gln3s127q"
	"MS=ms58428140"

This gives us information about the email server the domain uses, the IP addresses involved in serving users, and other important domains like "dynect.net" which could lead us to information about hosting and infrastructure providers.

Next, we can take a look at the software powering the website inside the "web_scan" report. We also get information about email addresses discovered, fuzzable URLs, and HTML forms along with form methods discovered. This could help us in automating an attack against the website by studying the underlying software.

[#] Trying to collect pbs.org web application data
[v] CMS detected: target is using Django Framework
[v] Found robots.txt
[v] Web server detected: nginx
[!] 28 fuzzable URLs discovered
	http://to.pbs.org/2mFOyNc?utm_source=carousel_bundle_3&utm_medium=related_link_3&utm_campaign=pbs_homepage
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=premiere_link&utm_campaign=pbs_homepage
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_shoplink
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/the-final-7d9s6z&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Great%20British%20Baking%20Show,%20The%20Final
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav
	http://to.pbs.org/2m7l6fD?utm_source=carousel_bundle_3&utm_medium=related_link_2&utm_campaign=pbs_homepage
	https://account.pbs.org/oauth2/social/login/google-oauth2/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_digital
	https://shop.pbs.org/drama-and-arts-best-sellers?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home-show_module_20OffDramaArts_AUG18
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/trailer-g7chzs&t=The%20Miniaturist,%20Trailer
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/shields-and-brooks-1534525761&text=Check%20out%20this%20video%20from%20@PBS:%20PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-two-7elm5x&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20Two%29
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-two-7elm5x&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20Two%29
	https://account.pbs.org/oauth2/register/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3Daccount%2Bvppa%26redirect_uri%3Dhttps%3A%2F%2Fwww.pbs.org%2Flogin%2F%26response_type%3Dcode%26client_id%3DLXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE%26confirmed%3D1
	https://account.pbs.org/oauth2/social/login/facebook/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=related_link_1&utm_campaign=pbs_homepage
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=headline&utm_campaign=pbs_homepage
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/shields-and-brooks-1534525761&t=PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=image&utm_campaign=pbs_homepage
	https://account.pbs.org/oauth2/authorize/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_shophomepage
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/the-final-7d9s6z&t=The%20Great%20British%20Baking%20Show,%20The%20Final
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/trailer-g7chzs&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Miniaturist,%20Trailer
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=short_description&utm_campaign=pbs_homepage
	https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_digital
	https://plus.google.com/share?url=https://www.pbs.org/video/trailer-g7chzs
[!] 1 email addresses discovered
	?subject=Check out this video from PBS: Trailer&body=I thought you might like this: https://www.pbs.org/video/trailer-g7chzs
[!] 2 HTML forms discovered
	Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
	Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
[#] Trying to collect pbs.org web application data
[v] CMS detected: target is using Django Framework
[v] Found robots.txt
[v] Web server detected: nginx
[!] 28 fuzzable URLs discovered
	http://to.pbs.org/2mFOyNc?utm_source=carousel_bundle_3&utm_medium=related_link_3&utm_campaign=pbs_homepage
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
	https://plus.google.com/share?url=https://www.pbs.org/video/trailer-g7chzs
	https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_digital
	http://to.pbs.org/2m7l6fD?utm_source=carousel_bundle_3&utm_medium=related_link_2&utm_campaign=pbs_homepage
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/first-look-wd8rsm&text=Check%20out%20this%20video%20from%20@PBS:%20Poldark,%20First%20Look
	https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_digital
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/shields-and-brooks-1534525761&text=Check%20out%20this%20video%20from%20@PBS:%20PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/shields-and-brooks-1534525761&t=PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
	https://account.pbs.org/oauth2/authorize/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=short_description&utm_campaign=pbs_homepage
	https://account.pbs.org/oauth2/social/login/facebook/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=headline&utm_campaign=pbs_homepage
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/first-look-wd8rsm&t=Poldark,%20First%20Look
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/trailer-g7chzs&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Miniaturist,%20Trailer
	https://shop.pbs.org/pbs-best-sellers?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home-show_module_15Off6920Off9925Off150_AUG18
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=premiere_link&utm_campaign=pbs_homepage
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_shophomepage
	https://account.pbs.org/oauth2/social/login/google-oauth2/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/trailer-g7chzs&t=The%20Miniaturist,%20Trailer
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
	https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_shoplink
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=related_link_1&utm_campaign=pbs_homepage
	https://account.pbs.org/oauth2/register/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3Daccount%2Bvppa%26redirect_uri%3Dhttps%3A%2F%2Fwww.pbs.org%2Flogin%2F%26response_type%3Dcode%26client_id%3DLXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE%26confirmed%3D1
	http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=image&utm_campaign=pbs_homepage
	https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/the-final-7d9s6z&t=The%20Great%20British%20Baking%20Show,%20The%20Final
	https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/the-final-7d9s6z&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Great%20British%20Baking%20Show,%20The%20Final
[!] 1 email addresses discovered
	?subject=Check out this video from PBS: Trailer&body=I thought you might like this: https://www.pbs.org/video/trailer-g7chzs
[!] 2 HTML forms discovered
	Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
	Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/

You can learn more information about the web application firewall in the "WAF.txt" report, but our scan did not detect one.

Basic information about the registered domain owner can also be found in the "whois.txt" report, although many times this registration information is just for the company that registered the domain on behalf of the customer.

Recon Is an Essential Part of Any Plan

By using Raccoon scanner, a hacker can streamline an attack according to the surface area discovered in an initial scan. Because Raccoon scanner includes the ability to scan through a Tor relay, it's an exciting and subtle tool for compiling a lot of targeting data about a domain in an extremely short period of time.

For a red team or for a blue team looking to understand their publicly exposed attack surface, Raccoon hits the sweet spot between Maltego and Nmap for OSINT recon on domain targets.

I hope you enjoyed this guide to using Raccoon scanner to gather OSINT data on a target domain! If you have any questions about this tutorial on Raccoon scanner or you have a comment, feel free to reach me in the comments below or on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte

1 Comment

Yo, nice post... I will look into this further. Anyways, there are defensive tactics out there that could possibly block this approach, but since we all know that most companies are too lazy to update their software, there are loopholes everywhere. It seems possible that the best way to use this is to find which domains are on the network, but I could also be wrong and assuming you didn't go over all the features. Correct?

That's that. I will review the code and maybe add this to my arsenal (I have a 'fresh' installation of Debian currently).

~Cheers!
