Information Gathering

Whois

Whois [🔗] is a protocol used for querying databases that store an Internet resource's registered users or assignees. You can provide:

• Domain -> info about it such as name server, registrar, etc.

• IP -> info about who is hostring the IP address

whois example.com

# whois by specifying a whois server
whois example.com -h 192.168.5.5

# Perform a reverse lookup
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.5.5

Netcraft

Netcraft is an ISP, that offers a free web portal [🔗] for information gathering (technologies, subdomains, etc.).

Open-Source Code

Gather information through GitHub, GitLab, etc.

• Manual

• Automatic

  • https://github.com/gitleaks/gitleaks

Google Dorks

Example

# Restrict the search to example.com and subdomains
site:example.com

# Restrict the search to example.com and subdomains and exclude HTML pages
site:example.com -filetype:html

# Search for pages with 'index of' in the title and 'parent directory' in the content
intitle:“index of” “parent directory”

• https://www.exploit-db.com/google-hacking-database

• https://dorksearch.com/

Shodan

Shodan [🔗] is a search engine for internet-connected devices, including servers, routers, and IoT devices.

DNS Enumeration

Manual

host example.com                  # List of ipv4 & ipv6 address
host -t mx example.com            # List of email servers
host -t txt example.com           # List of TXT records

dig +short a zonetransfer.me      # List of ipv4 address
dig +short mx zonetransfer.me     # List of email servers
dig +short -x 192.246.126.3       # Reverse lookups
dig +short ns zonetransfer.me     # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server. (zone transfer attack)

nslookup example.com              # Works on Windows

Note: AXFR offers no authentication, so any client can ask a DNS server for a copy of the entire zone.

Automatic

There are several tools...

• dnsrecon [🔗]

dnsrecon -d example.com -t std                # Standard enumeration
dnsrecon -d example.com -t brt -D list.txt    # Brute force subdomain enum

• sublist3r [🔗] enumerates subdomains using search engines such as Google and using DNSdumpster etc. It support also bruteforce.

sublist3r -d example.com

All in one

• amass [🔗]: network mapping and external asset discovery using open source information gathering and active reconnaissance techniques

• theHarvester [🔗]: gathers names, emails, IPs, subdomains, and URLs by using multiple public resources

theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo

Port Scanning

Netcat [🔗]

# Scan TCP
nc -nvv -w 1 -z 192.168.5.5 100-102

# Scan UDP [Highly unreliable, as firewalls/routers may drop ICMP packets ->
# leading to false positives]
nc -nv -u -z -w 1 192.168.5.5 120-123

Nmap [🔗]

# [TCP] Stealth scan (default if you're root)
# It will not appear in any app logs, but modern firewall log them
sudo nmap -sS 192.168.5.5

# TCP Connect Scanning (default if you're not root)
nmap -sT 192.168.5.5

# UDP Scan
nmap -sU 192.168.5.5

# Scan all TCP ports
nmap -p- 192.168.5.5

# Scan a single port
nmap -p 5 192.168.5.5

Note: 1000-port scan generate around 72KB of traffic. Scanning all ports generate about 4 MB. 254 hosts * 4 MB = 1000 MB of traffic.

Host Discovery (nmap)

-sn option

The default host discovery done with -sn consists of an ICMP echo request. But when a privileged user tries to scan targets on a local ethernet network, ARP requests are used.

nmap -sn 192.168.1.0/24

---

-PS option

nmap -sn -PS 192.168.1.5

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.

Note: you should also use other ports to better detect hosts.

nmap -sn -PS22-25 192.168.1.5

---

Other options

• -PA (ACK flag is set instead of the SYN flag). Default port: 80

• -PU (sends a UDP packet). Default port: 40125

• -PY (sends an SCTP packet). Default port: 80

Port Scanning (nmap)

Use nmap documentation to understand the differences between port scans

nmap -p- 192.168.1.5          # Scan all TCP ports
nmap -sU --top-ports 25 <ip>  # Suggestion for udp scan

Script engine: For more info read nmap documentation

• --script <filename>|<category>|<directory>|<expression>

• -sC Runs a script scan using the default script set. It is the equivalent of --script=default

nmap --script "default or safe" # Load all scripts that are in the default, safe, or both categories.

Note: there are many categories. Some of the scripts in this category are considered intrusive and may not run on a network target without permissions.

Website Recon

• Web App Technology Fingerprinting

  • wappalyzer (extension)

  • builtwith (extension)

  • whatweb example.com

• Look for hidden directory/files:

  • http://example.com/robots.txt

  • http://example.com/sitemap.xml

• WAF Detection

  • wafw00f http://example.com -a

• Download website source

  • httrack

• waybackmachine

  • https://web.archive.org