Hackzzz - The Notebook

Information Gathering - Some One-liners

PreviousWeb Basics NextFile Upload

Last updated 9 months ago

Web Pentesting Recon

To do list:

Get IP address of our target
Domain Name Server Information and DNS Records
Make recon about the technologies used on the website
Look for Subdomains, Unlisted files, directories etc.
Port Scanning

Get IP address

dig <domain>

Whois Lookup

https://whois.domaintools.com/ - Simple Whois
https://whois.arin.net/ui/ - WhoisRWS

Netcraft && Builtwith

Robtex DNS Lookup

https://www.robtex.com/ - Robtex
https://dnsdumpster.com/ - DNS Dumpster

Subdomains

Tools to use:

sublit3r.py -d pepsi.com

Discovering Sensitive files

Tools for directory brute force:

dirsearch --url http://domain.com # Basic enum

Alive Domains

cat subdomains.txt | httpx -sc -title

Port Scanning

nmap -A -F -T1 - vvv <IP>

nmap -iL subdoms.txt -T5

#Remeber to identify false positives

Hakrawler

https://github.com/hakluke/hakrawler

LinkFinder

https://github.com/GerbenJavado/LinkFinder

ScreenShots

cat alive-subdomains.txt | aquatone
eyewitness -f /root/alive-https.txt -d <domain> --all-protocols

Third Party Hosting

https://grayhatwarfare.com/
aws s3 cp s3://Bucket_name/file

Search Engines

https://www.shodan.io/ - Look for Organizations name, hostnames and others.
https://netlas.io/ - Same as nmap, look for vulnerable servers and so on.

Phishing Domains and Typosquatting

dnstwist - recollect info about registered domains and unregistered domains.

dnstwist -r pepsi.com
dnstwist pepsi.com

Discovering Email Addresses

Others

Github
OSINT
PasteBin

All in One

Enumall

enumall.py pepsi.com -a -p ../alt/dns/words.txt -w <custom_wordlist>