Information Gathering

Whois

WHOIS is a protocol for querying the databases that store the registered users or assignees of an Internet resource (such as a domain name or an IP address block).

whois example.com

DNS Enumeration

Manual

dig +short a zonetransfer.me      # List of ipv4 address
dig +short mx zonetransfer.me     # List of email servers
dig +short -x 192.246.126.3       # Reverse lookups
dig +short ns zonetransfer.me     # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server. (zone transfer attack)

Note: AXFR has no authentication of its own, so unless the server restricts transfers, any client can ask it for a copy of the entire zone.
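To see what an open zone transfer actually hands out, the following added example (not part of the original notes, and not code from dig or any of the tools listed here) parses the record lines that dig axfr prints and summarises the exposure: every hostname in the zone and every A record that points into RFC 1918 space. The AXFR dump is a constructed sample for a hypothetical zone; run the same parser over a transfer of a zone you administer to check what it leaks.

```python
"""Triage of a zone-transfer (AXFR) dump, from the zone owner's side.

Added example, not part of the original notes. It parses the record
lines that `dig axfr` prints and reports what a successful transfer
would hand out: every hostname in the zone and every A record that
points into RFC 1918 space, i.e. internal topology that should not be
in a public zone at all.
"""
import ipaddress
from collections import Counter

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# matches documentation ranges such as the 203.0.113.0/24 used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `dig axfr` output for a hypothetical zone
# (not captured from any real server; 203.0.113.0/24 is a documentation range).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.           3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.           3600 IN NS    ns1.example.com.
example.com.           3600 IN MX    10 mail.example.com.
ns1.example.com.       3600 IN A     203.0.113.10
mail.example.com.      3600 IN A     203.0.113.25
www.example.com.       3600 IN A     203.0.113.80
vpn.example.com.       3600 IN A     203.0.113.44
intranet.example.com.  3600 IN A     10.0.5.12
backup-db.example.com. 3600 IN A     192.168.20.7
dev.example.com.       3600 IN CNAME www.example.com.
example.com.           3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""


def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples from dig axfr output.

    dig prints one resource record per line; lines starting with ';' are
    status output. The SOA appears twice (first and last record) because
    a transfer is bracketed by it.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        records.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def triage(records):
    """Summarise the exposure: record counts, hostnames, private A records."""
    counts = Counter(rtype for _, _, rtype, _ in records)
    hosts = sorted({owner for owner, _, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    private = [
        (owner, rdata)
        for owner, _, rtype, rdata in records
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)
    ]
    return {"counts": dict(counts), "hosts": hosts, "private": private}


if __name__ == "__main__":
    summary = triage(parse_axfr(SAMPLE_AXFR))
    print("record types:", summary["counts"])
    print("hostnames exposed:", len(summary["hosts"]))
    for owner, addr in summary["private"]:
        print(f"internal address leaked: {owner} -> {addr}")
```

Two entries in the sample (intranet and backup-db) resolve to private addresses; in a real zone those are the records to move to an internal view, and the transfer itself is the thing to restrict on the authoritative servers.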

Automatic

  • dnsdumpster.com

  • dnsrecon (tool)

Subdomain enumeration

sublist3r: enumerates subdomains using search engines such as Google, plus services such as DNSdumpster. It also supports brute-force enumeration.

sublist3r -d example.com

All in one

  • amass: network mapping and external asset discovery using open source information gathering and active reconnaissance techniques

  • sitereport.netcraft.com: gives a lot of information about a domain

  • theHarvester: gathers names, emails, IPs, subdomains, and URLs by using multiple public resources

theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo

Host Discovery (nmap)

-sn option

The default host discovery performed by -sn is an ICMP echo request; when a privileged user scans targets on the local Ethernet network, ARP requests are used instead.

nmap -sn 192.168.1.0/24

-PS option

nmap -sn -PS 192.168.1.5

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.

Note: probe other ports as well, so that hosts which do not answer on port 80 are still detected.

nmap -sn -PS22-25 192.168.1.5

Other options

  • -PA (ACK flag is set instead of the SYN flag). Default port: 80

  • -PU (sends a UDP packet). Default port: 40125

  • -PY (sends an SCTP packet). Default port: 80
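Seen from the other side, each of these probes has a fixed shape (ICMP echo, TCP SYN or ACK to port 80, UDP to port 40125, SCTP to port 80) that a firewall log records. The following added example, not part of the original notes and not nmap code, turns those shapes into signatures, runs them over constructed log lines, and flags a source that sends the same probe to many distinct hosts. The log format is loosely modelled on the key=value style of the iptables LOG target with a FLAGS= field added for readability; parse_line() is the only part that needs adapting to a real firewall.

```python
"""Detecting nmap-style host-discovery sweeps in firewall logs.

Added example, not part of the original notes. Signatures follow the
probe descriptions in the text: ICMP echo (-sn default), TCP SYN/ACK
to port 80 (-PS/-PA), UDP to port 40125 (-PU), SCTP to port 80 (-PY).
"""
from collections import defaultdict

# Constructed log lines (not from a real firewall). 10.0.0.7 sends a TCP
# SYN probe to port 80 on six hosts (one repeated); 10.0.0.9 sends two
# UDP probes to 40125; 10.0.0.50 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
May  1 10:00:01 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.11 PROTO=ICMP TYPE=8 CODE=0
May  1 10:00:01 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.11 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:01 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.12 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:01 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.13 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:02 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.14 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:02 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.15 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:02 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.16 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:02 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.16 PROTO=TCP SPT=41230 DPT=80 FLAGS=SYN
May  1 10:00:05 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.11 PROTO=UDP SPT=53011 DPT=40125
May  1 10:00:05 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.12 PROTO=UDP SPT=53011 DPT=40125
May  1 10:00:09 fw kernel: IN=eth0 SRC=10.0.0.50 DST=10.0.0.20 PROTO=TCP SPT=50112 DPT=443 FLAGS=SYN
"""


def parse_line(line):
    """Split a line into its KEY=VALUE fields; other tokens are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def probe_kind(fields):
    """Map one parsed line to the host-discovery probe it matches, or None."""
    proto, dpt = fields.get("PROTO"), fields.get("DPT")
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return "icmp-echo (-sn default)"
    if proto == "TCP" and dpt == "80" and fields.get("FLAGS") == "SYN":
        return "tcp-syn/80 (-PS)"
    if proto == "TCP" and dpt == "80" and fields.get("FLAGS") == "ACK":
        return "tcp-ack/80 (-PA)"
    if proto == "UDP" and dpt == "40125":
        return "udp/40125 (-PU)"
    if proto == "SCTP" and dpt == "80":
        return "sctp-init/80 (-PY)"
    return None


def detect_sweeps(log, min_hosts=5):
    """Return (src, probe, distinct_hosts) for each source probing >= min_hosts targets."""
    targets = defaultdict(set)
    for line in log.splitlines():
        fields = parse_line(line)
        kind = probe_kind(fields)
        if kind and "SRC" in fields and "DST" in fields:
            targets[(fields["SRC"], kind)].add(fields["DST"])
    return sorted(
        (src, kind, len(dsts))
        for (src, kind), dsts in targets.items()
        if len(dsts) >= min_hosts
    )


if __name__ == "__main__":
    for src, kind, n in detect_sweeps(SAMPLE_LOG):
        print(f"{src}: {kind} to {n} distinct hosts")
```

Counting distinct destinations per (source, probe) pair is what separates a sweep from a busy but legitimate client. One caveat that follows from the text above: on the local Ethernet segment a privileged scan uses ARP, which never reaches an IP-layer firewall log, so that case needs ARP monitoring on the switch or host side rather than this kind of rule.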

Port Scanning (nmap)

Use the nmap documentation to understand the differences between the port scan types.

nmap -p- 192.168.1.5          # Scan all TCP ports
nmap -sU --top-ports 25 <ip>  # Suggested UDP scan: the 25 most common UDP ports

Script engine (NSE): for more information, read the nmap documentation.

  • --script <filename>|<category>|<directory>|<expression>

  • -sC Runs a script scan using the default script set. It is the equivalent of --script=default

nmap --script "default or safe" <ip> # Load all scripts that are in the default category, the safe category, or both.

Note: there are many categories. Some scripts in the default category are considered intrusive and should not be run against a network without permission.

Website Recon

  • Web App Technology Fingerprinting

    • wappalyzer (extension)

    • builtwith (extension)

    • whatweb example.com

  • Look for hidden directory/files:

    • http://example.com/robots.txt

    • http://example.com/sitemap.xml

  • WAF Detection

    • wafw00f http://example.com -a

  • Download website source

    • httrack

  • Google Dorks

    • operators: site, filetype, inurl, intitle, cache

    • exploit-db.com/google-hacking-database

  • Wayback Machine

    • web.archive.org
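The robots.txt and sitemap.xml entries above are worth a closer look from the site owner's side: a Disallow line hides a path from crawlers but advertises it to anyone who reads the file. The following added example (not part of the original notes, and not code from any tool listed here) parses constructed copies of both files and lists the Disallow paths that the sitemap never references, which are exactly the "hidden" locations robots.txt gives away and the ones that need real access control rather than obscurity.

```python
"""What robots.txt and sitemap.xml give away, seen from the site owner's side.

Added example, not part of the original notes. Both inputs are constructed
samples for a hypothetical site; fetch your own two files and feed them in.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed robots.txt: three hidden areas, one of which the sitemap
# also lists (so it is not really hidden).
ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old dumps
Disallow: /old-site/
Allow: /
Sitemap: http://example.com/sitemap.xml
"""

# Constructed sitemap.xml for the same hypothetical site.
SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.com/</loc></url>
  <url><loc>http://example.com/about</loc></url>
  <url><loc>http://example.com/old-site/index.html</loc></url>
</urlset>
"""


def robots_disallow(text):
    """Return the Disallow paths from a robots.txt body, comments stripped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def sitemap_paths(xml_text):
    """Return the URL paths listed in a sitemap.xml body."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [urlparse(loc.text.strip()).path for loc in root.findall(".//sm:loc", ns)]


def hidden_paths(robots_text, sitemap_xml):
    """Disallow paths that no sitemap URL falls under: leaked by robots.txt alone."""
    listed = sitemap_paths(sitemap_xml)
    return [p for p in robots_disallow(robots_text) if not any(s.startswith(p) for s in listed)]


if __name__ == "__main__":
    for path in hidden_paths(ROBOTS, SITEMAP):
        print(f"robots.txt reveals an otherwise unlisted path: {path}")
```

In the sample, /admin/ and /backup/ are revealed only by robots.txt; /old-site/ is public anyway because the sitemap links into it. Paths that show up in the first group should be protected by authentication or removed, since listing them in robots.txt only keeps well-behaved crawlers away.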
