Information Gathering - Some One-liners
Web Pentesting Recon
To-do list:
Get IP address of our target
Domain Name Server Information and DNS Records
Make recon about the technologies used on the website
Look for Subdomains, Unlisted files, directories etc.
Port Scanning
Get IP address
dig <domain>
Whois Lookup
https://whois.domaintools.com/ - Simple Whois
https://whois.arin.net/ui/ - WhoisRWS
Netcraft && Builtwith
Robtex DNS Lookup
https://www.robtex.com/ - Robtex
https://dnsdumpster.com/ - DNS Dumpster
Subdomains
Tools to use:
sublist3r.py -d pepsi.com
Discovering Sensitive files
Tools for directory brute force:
dirsearch --url http://domain.com # Basic enum
Alive Domains
Port Scanning
nmap -A -F -T1 -vvv <IP>
nmap -iL subdoms.txt -T5
# Remember to identify false positives
Hakrawler
LinkFinder
ScreenShots
Third Party Hosting
aws s3 cp s3://Bucket_name/file
Search Engines
https://www.shodan.io/ - Look for organization names, hostnames and others.
https://netlas.io/ - Like nmap, look for vulnerable servers and so on.
Phishing Domains and Typosquatting
dnstwist - collect info about registered and unregistered lookalike domains.
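Added example (not from the original notes, not dnstwist's own code): a small generator for dnstwist-style permutations of a domain's first label, plus a lookup that reports which candidates actually resolve, which is what a brand-protection team runs against its own domain to spot registered typosquats. The resolver is a parameter so the lookup can be driven offline; the homoglyph table is an assumed, deliberately short subset.

```python
import socket

def typosquat_candidates(domain: str) -> set[str]:
    """Return dnstwist-style permutations of the first label of `domain`.

    Four simple classes are covered: character omission, adjacent
    transposition, character repetition and a small homoglyph table
    (assumed subset, e.g. o->0, l->1). The rest of the name is kept as-is.
    """
    label, _, rest = domain.partition(".")
    homoglyphs = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
    cands = set()
    for i, ch in enumerate(label):
        cands.add(label[:i] + label[i + 1:])                  # omission
        cands.add(label[:i] + ch * 2 + label[i + 1:])         # repetition
        if i + 1 < len(label):                                # transposition
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in homoglyphs:                                  # homoglyph swap
            cands.add(label[:i] + homoglyphs[ch] + label[i + 1:])
    cands.discard(label)                                      # never the original
    return {c + "." + rest for c in cands if c}

def registered_lookalikes(domain: str, resolver=socket.gethostbyname) -> dict:
    """Map each candidate that resolves to its A record (NXDOMAIN is skipped).

    `resolver` defaults to a live DNS lookup; pass a stub to run offline.
    """
    hits = {}
    for cand in sorted(typosquat_candidates(domain)):
        try:
            hits[cand] = resolver(cand)
        except OSError:          # socket.gaierror for NXDOMAIN is an OSError
            continue
    return hits

if __name__ == "__main__":
    # Constructed run against a reserved example domain; prints resolving lookalikes.
    for name, ip in registered_lookalikes("example.com").items():
        print(f"{name:24} {ip}")
```

Feed the output into whatever alerting you use for brand monitoring; candidates that start resolving after a baseline run are the ones worth a look.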
Discovering Email Addresses
Others
Github
OSINT
PasteBin
All in One
Enumall