Information Gathering

# Source: Cybrary “Advanced Penetration Test”

*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks:
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that uses banner grabbing

(3) Whois
Domain registration records
root@kali:~# whois

(4) DNS Recon
​root@kali:~# host
root@kali:~# host -t ns
root@kali:~# host -t mx

*DNS Zone Transfer 
root@kali:~# host -t ns
root@kali:~# host -l

DNS Bruteforce
root@kali:~# fierce -dns

​(5) Netcraft​

(6) ​The HarvesterThe Harvester automatically searches for emails etc. online
root@kali:~# theharvester -d -l 500 -b all

(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego

(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed [recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN
recon-ng [xssed] > run

(9) Port Scanning
root@kali:~# nmap -sS -oA synscan
root@kali:~# nmap -sU -oA udpscan

Metasploit Port Scanners​
search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP connect scan)
Use auxiliary modules like exploits (use, set, exploit, etc..)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: