Information Gathering - Some One-liners
Web Pentesting Recon
To do list:
Get IP address of our target
Domain Name Server Information and DNS Records
Make recon about the technologies used on the website
Look for Subdomains, Unlisted files, directories etc.
Port Scanning
Get IP address
dig <domain>
Whois Lookup
https://whois.domaintools.com/ - Simple Whois
https://whois.arin.net/ui/ - WhoisRWS
Netcraft && Builtwith
Robtex DNS Lookup
https://www.robtex.com/ - Robtex
https://dnsdumpster.com/ - DNS Dumpster
Subdomains
Tools to use:
sublist3r -d pepsi.com
assetfinder <domain> > domain-subdomains.txt
subfinder -d geekforgeeks.org -silent -t 50
amass enum -passive -d owasp.org
Discovering Sensitive files
Tools for directory brute force:
dirsearch --url http://domain.com # Basic enum
ffuf -w /wordlists/seclists/subdomains.txt -u http://domain.com/FUZZ # Look for directories
ffuf -w /wordlists/seclists/subdomains.txt -H "Host: FUZZ.domain.com" -u http://domain.com # look for any subdomains by making a brute force attack
feroxbuster --url <url>
gobuster dir -u http://domain.com -w wordlist.txt # look for directories
Alive Domains
cat subdomains.txt | httpx -sc -title # status code and page title of live hosts
Port Scanning
nmap -A -F -T1 -vvv <IP>
nmap -iL subdoms.txt -T5
# Remember to identify false positives
Hakrawler
LinkFinder
ScreenShots
cat alive-subdomains.txt | aquatone
eyewitness -f /root/alive-https.txt -d <domain> --all-protocols
Third Party Hosting
aws s3 cp s3://Bucket_name/file . # copy a single object from the bucket into the current directory
Search Engines
https://www.shodan.io/ - Look for Organizations name, hostnames and others.
https://netlas.io/ - Like Shodan, search for exposed or vulnerable servers.
Phishing Domains and Typosquatting
dnstwist - collect info about registered and unregistered lookalike domains.
dnstwist -r pepsi.com # -r/--registered: only show permutations that resolve
dnstwist pepsi.com # all permutations, registered or not
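As an added example of what a tool like dnstwist is doing under the hood (this is not dnstwist's own code, and the key-neighbour and homoglyph tables are constructed for the illustration), the script below generates the usual lookalike classes for a brand domain (omission, transposition, repetition, adjacent-key, homoglyph, TLD swap) and then lets a defender pass in a resolver to see which of them are already registered. The domain `example.com` and the `fake_resolver` in the usage block are constructed stand-ins.

```python
"""Generate typosquat permutations of a domain for brand monitoring.

Added example, independent of dnstwist. The permutation classes mirror the
ones dnstwist reports; the lookup tables below are a constructed subset.
"""

# Adjacent keys on a US QWERTY layout (constructed subset, lowercase letters only).
QWERTY_NEIGHBOURS = {
    'q': 'wa', 'w': 'qes', 'e': 'wrd', 'r': 'etf', 't': 'ryg', 'y': 'tuh',
    'u': 'yij', 'i': 'uok', 'o': 'ipl', 'p': 'o',
    'a': 'qsz', 's': 'awdx', 'd': 'sefc', 'f': 'drgv', 'g': 'fthb', 'h': 'gyjn',
    'j': 'hukm', 'k': 'jil', 'l': 'ko',
    'z': 'ax', 'x': 'zsc', 'c': 'xdv', 'v': 'cfb', 'b': 'vgn', 'n': 'bhm', 'm': 'nj',
}

# ASCII look-alike substitutions often seen in lookalike registrations (constructed subset).
HOMOGLYPHS = {
    'l': ['1', 'i'], 'i': ['1', 'l'], 'o': ['0'], '0': ['o'],
    'e': ['3'], 'a': ['4'], 's': ['5'], 'm': ['rn'], 'rn': ['m'],
}


def split_domain(domain):
    """Return (label, tld) for a registrable domain such as 'example.com'."""
    label, _, tld = domain.lower().partition('.')
    return label, tld


def omission(label):
    """Drop one character: 'example' -> 'exmple'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition(label):
    """Swap two neighbouring characters: 'example' -> 'examlpe'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def repetition(label):
    """Double one character: 'example' -> 'exxample'."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def adjacent_key(label):
    """Replace one character with a physically adjacent key: 'example' -> 'wxample'."""
    out = set()
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ''):
            out.add(label[:i] + nb + label[i + 1:])
    return out


def homoglyph(label):
    """Replace one substring with a look-alike: 'example' -> 'examp1e', 'exarnple'."""
    out = set()
    for src, replacements in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for r in replacements:
                out.add(label[:start] + r + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


def permutations(domain, extra_tlds=('com', 'net', 'org', 'co')):
    """Return {class_name: sorted list of candidate domains} for the given domain."""
    label, tld = split_domain(domain)
    classes = {
        'omission': omission(label),
        'transposition': transposition(label),
        'repetition': repetition(label),
        'adjacent-key': adjacent_key(label),
        'homoglyph': homoglyph(label),
    }
    result = {name: sorted(l + '.' + tld for l in labels if l != label)
              for name, labels in classes.items()}
    result['tld-swap'] = sorted(label + '.' + t for t in extra_tlds if t != tld)
    return result


def find_resolving(candidates, resolver):
    """Return {candidate: address} for candidates the resolver maps to an address.

    `resolver` is any callable returning an address string or None; in
    production that would wrap a DNS lookup, here it is injected so the
    function can be exercised offline.
    """
    found = {}
    for name in candidates:
        addr = resolver(name)
        if addr:
            found[name] = addr
    return found


if __name__ == '__main__':
    perms = permutations('example.com')           # constructed brand domain
    for cls, names in perms.items():
        print(f'{cls:14s} {len(names):3d}  e.g. {names[:3]}')

    # Constructed stand-in for a DNS lookup: only one lookalike "exists".
    def fake_resolver(name):
        return {'exmple.com': '203.0.113.5'}.get(name)

    all_names = [n for names in perms.values() for n in names]
    print('registered lookalikes:', find_resolving(all_names, fake_resolver))
```

In real use you would swap `fake_resolver` for a wrapper around `socket.gethostbyname` (or a proper DNS library) and schedule the run so that newly resolving lookalikes of your own domain show up in monitoring; the permutation lists are also a reasonable input for blocklists on a mail gateway.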
Discovering Email Addresses
Others
Github
OSINT
PasteBin
All in One
Enumall
enumall.py pepsi.com -a -p ../alt/dns/words.txt -w <custom_wordlist>