📰Information Gathering

WHOIS

Command

Description

export TARGET="domain.tld"

Assign target to an environment variable.

whois $TARGET

WHOIS lookup for the target.

DNS Enumeration

Command

Description

nslookup $TARGET

Identify the A record for the target domain.

nslookup -query=A $TARGET

Identify the A record for the target domain.

dig $TARGET @<nameserver/IP>

Identify the A record for the target domain.

dig a $TARGET @<nameserver/IP>

Identify the A record for the target domain.

nslookup -query=PTR <IP>

Identify the PTR record for the target IP address.

dig -x <IP> @<nameserver/IP>

Identify the PTR record for the target IP address.

nslookup -query=ANY $TARGET

Identify ANY records for the target domain.

dig any $TARGET @<nameserver/IP>

Identify ANY records for the target domain.

nslookup -query=TXT $TARGET

Identify the TXT records for the target domain.

dig txt $TARGET @<nameserver/IP>

Identify the TXT records for the target domain.

nslookup -query=MX $TARGET

Identify the MX records for the target domain.

dig mx $TARGET @<nameserver/IP>

Identify the MX records for the target domain.

Passive Subdomain Enumeration

Resource/Command

Description

VirusTotal

https://www.virustotal.com/gui/home/url

Censys

https://censys.io/

Crt.sh

https://crt.sh/

curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u

All subdomains for a given domain.

curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u

All TLDs found for a given domain.

curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u

All results across all TLDs for a given domain.

curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u

Reverse DNS lookup on IP address.

curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u

Reverse DNS lookup of a CIDR range.

curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u

Certificate Transparency.

cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done

Searching for subdomains and other information on the sources provided in the source.txt list.

Sources.txt

baidu
bufferoverun
crtsh
hackertarget
otx
projecdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye

Passive Infrastructure Identification

Resource/Command

Description

Netcraft

https://www.netcraft.com/

WayBackMachine

http://web.archive.org/

WayBackURLs

https://github.com/tomnomnom/waybackurls

waybackurls -dates https://$TARGET > waybackurls.txt

Crawling URLs from a domain with the date it was obtained.

Active Infrastructure Identification

Resource/Command

Description

curl -I "http://${TARGET}"

Display HTTP headers of the target webserver.

whatweb -a https://www.facebook.com -v

Technology identification.

Wappalyzer

https://www.wappalyzer.com/

wafw00f -v https://$TARGET

WAF Fingerprinting.

Aquatone

https://github.com/michenriksen/aquatone

cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000

Makes screenshots of all subdomains in the subdomain.list.

Active Subdomain Enumeration

Resource/Command

Description

HackerTarget

https://hackertarget.com/zone-transfer/

SecLists

https://github.com/danielmiessler/SecLists

nslookup -type=any -query=AXFR $TARGET nameserver.target.domain

Zone Transfer using Nslookup against the target domain and its nameserver.

gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Bruteforcing subdomains.

Virtual Hosts

Resource/Command

Description

curl -s http://192.168.10.10 -H "Host: randomtarget.com"

Changing the HOST HTTP header to request a specific domain.

cat ./vhosts.list | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done

Bruteforcing for possible virtual hosts on the target domain.

ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612

Bruteforcing for possible virtual hosts on the target domain using ffuf.

Crawling

Resource/Command

Description

ZAP

https://www.zaproxy.org/

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

Discovering files and folders that cannot be spotted by browsing the website.

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS

Mutated bruteforcing against the target web server.

PreviousAD attackenumNextList of common ports

Last updated