Information Gathering - Some One-liners

Web Pentesting Recon

To do list:

• Get IP address of our target

• Domain Name Server Information and DNS Records

• Make recon about the technologies used on the website

• Look for Subdomains, Unlisted files, directories etc.

• Port Scanning

Get IP address

• dig <domain>

Whois Lookup

• https://whois.domaintools.com/ - Simple Whois

• https://whois.arin.net/ui/ - WhoisRWS

Netcraft && Builtwith

• https://builtwith.com/

• https://sitereport.netcraft.com/

Robtex DNS Lookup

• https://www.robtex.com/ - Robtex

• https://dnsdumpster.com/ - DNS Dumpster

Subdomains

Tools to use:

Sublist3r

sublit3r.py -d pepsi.com

assetfinder

subfinder

amass

Discovering Sensitive files

Tools for directory brute force:

dirsearch

dirsearch --url http://domain.com # Basic enum

FuFF

Feroxbuster

Gobuster

Alive Domains

cat subdomains.txt | httpx -sc -title

Port Scanning

Nmap

nmap -A -F -T1 - vvv <IP>

nmap -iL subdoms.txt -T5

#Remeber to identify false positives

Hakrawler

• https://github.com/hakluke/hakrawler

LinkFinder

• https://github.com/GerbenJavado/LinkFinder

ScreenShots

cat alive-subdomains.txt | aquatone
eyewitness -f /root/alive-https.txt -d <domain> --all-protocols

Third Party Hosting

• https://grayhatwarfare.com/

• aws s3 cp s3://Bucket_name/file

Search Engines

• https://www.shodan.io/ - Look for Organizations name, hostnames and others.

• https://netlas.io/ - Same as nmap, look for vulnerable servers and so on.

Phishing Domains and Typosquatting

• dnstwist - recollect info about registered domains and unregistered domains.

dnstwist -r pepsi.com
dnstwist pepsi.com

Discovering Email Addresses

Discovering Email Address

Others

• Github

• OSINT

• PasteBin

All in One

• Enumall

enumall.py pepsi.com -a -p ../alt/dns/words.txt -w <custom_wordlist>