Information Gathering

# Source: Cybrary “Advanced Penetration Test”

* Find as much information as possible about the target.
* What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that indexes service banners grabbed from internet-facing hosts

(3) Whois
Domain registration records
root@kali:~# whois ________.com

(4) DNS Recon
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com

DNS Zone Transfer
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com

DNS Bruteforce
root@kali:~# fierce -dns ________.com

(5) Netcraft
http://searchdns.netcraft.com/

(6) The Harvester
The Harvester automatically searches public sources (search engines and similar) for email addresses and hostnames belonging to the domain
root@kali:~# theharvester -d ________.com -l 500 -b all

(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego

(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN ________.com
DOMAIN => ________.com
recon-ng [xssed] > run

(9) Port Scanning
Nmap
root@kali:~# nmap -sS 192.168.20.9-11 -oA synscan
root@kali:~# nmap -sU 192.168.20.9-11 -oA udpscan
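The -oA option above writes three files, including a grepable synscan.gnmap. As an added example (not from the Cybrary course or these notes), the following Python parses that grepable format and compares the open ports it finds against a baseline of what each host is meant to expose, so that unexpected exposure stands out; the scan text and the baseline are constructed sample data.

```python
# Constructed sample of the grepable output that "nmap -sS ... -oA synscan"
# writes to synscan.gnmap (sample data, not a real scan).
SAMPLE_GNMAP = """# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS 192.168.20.9-11 -oA synscan
Host: 192.168.20.9 ()\tStatus: Up
Host: 192.168.20.9 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.20.10 ()\tStatus: Up
Host: 192.168.20.10 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.168.20.11 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Ports each host is meant to expose (constructed baseline for the example).
BASELINE = {
    "192.168.20.9": {22, 80, 443},
    "192.168.20.10": {22},
}


def parse_gnmap(text):
    """Return {ip: {port: (state, protocol, service)}} for every host that is up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        # A Host line is tab-separated "Key: value" fields.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        if fields.get("Status") == "Down":
            continue
        ports = hosts.setdefault(ip, {})
        # Ports entries look like port/state/proto/owner/service/rpc/version/
        for entry in fields.get("Ports", "").split(", "):
            if entry:
                parts = entry.split("/")
                ports[int(parts[0])] = (parts[1], parts[2], parts[4])
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Map each host to its open ports that are absent from its baseline."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())  # unknown host: every open port is unexpected
        extra = sorted(p for p, (state, _, _) in ports.items()
                       if state == "open" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        print(ip, "unexpected open ports:", ports)
```

Filtered ports are reported by the parser but not flagged, since only open services change the exposure picture.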

Metasploit Port Scanners
search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP connect scan)
Use auxiliary modules the same way as exploits (use, set, exploit, etc.)
