*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email address structure? What technologies are they running on publicly facing systems?
(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds exposed XAMPP password files
(2) Shodan (Python API)
Search engine that indexes service banners grabbed from Internet-facing hosts (also has a Python API)
(3) Whois
Domain registration records
root@kali:~# whois ________.com
(4) DNS Recon
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com
*DNS Zone Transfer
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com
*DNS Bruteforce
root@kali:~# fierce -dns ________.com
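The host(1) commands above all print one record per line, so a small parser turns their output into an inventory and makes the zone-transfer check actionable: if `host -l` against an Internet-facing name server returns records, AXFR is open to anyone and should be restricted to the secondary servers. This is an added example, not code from the original notes; the sample outputs below are constructed in host's real output format (example.com, 192.0.2.0/24 and 10.0.5.4 are documentation addresses, not real targets), and the RFC 1918 check is a defender's heuristic for spotting internal hosts that a leaked zone would expose.

```python
import ipaddress
import re

# Line formats printed by host(1) for the record types the notes query.
PATTERNS = [
    (re.compile(r"^(\S+) has address (\S+)$"), "A"),
    (re.compile(r"^(\S+) has IPv6 address (\S+)$"), "AAAA"),
    (re.compile(r"^(\S+) name server (\S+)$"), "NS"),
    (re.compile(r"^(\S+) mail is handled by (\d+ \S+)$"), "MX"),
    (re.compile(r"^(\S+) is an alias for (\S+)$"), "CNAME"),
]

# Constructed sample: what `host -l example.com ns1.example.com` prints when AXFR is allowed.
ZONE_SAMPLE = """Using domain server:
Name: ns1.example.com
Address: 192.0.2.53#53
Aliases:

example.com name server ns1.example.com.
example.com has address 192.0.2.10
www.example.com has address 192.0.2.10
mail.example.com has address 192.0.2.25
vpn.example.com has address 192.0.2.30
intranet.example.com has address 10.0.5.4
example.com mail is handled by 10 mail.example.com.
"""

# Constructed sample: the same query against a server that refuses zone transfers.
REFUSED_SAMPLE = """Using domain server:
Name: ns2.example.com
Address: 192.0.2.54#53
Aliases:

; Transfer failed.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_host_output(text):
    """Return [(name, rtype, value), ...] for every record line in host(1) output.
    Header lines ("Using domain server:", "Address: ...") match no pattern and are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for pattern, rtype in PATTERNS:
            m = pattern.match(line)
            if m:
                records.append((m.group(1).rstrip("."), rtype, m.group(2).rstrip(".")))
                break
    return records


def zone_transfer_result(text):
    """Classify `host -l` output: ("allowed", records) if the server handed out the zone,
    ("refused", []) if it refused or returned nothing."""
    if "Transfer failed" in text or "REFUSED" in text:
        return "refused", []
    records = parse_host_output(text)
    return ("allowed" if records else "refused"), records


def private_records(records):
    """A records pointing into RFC 1918 space: internal hosts the zone would disclose
    if a transfer succeeds, and a sign the internal and external views are not split."""
    leaked = []
    for name, rtype, value in records:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(value)
        if any(ip in net for net in RFC1918):
            leaked.append((name, rtype, value))
    return leaked


if __name__ == "__main__":
    status, records = zone_transfer_result(ZONE_SAMPLE)
    print("zone transfer:", status, "-", len(records), "records")
    for rec in private_records(records):
        print("internal host exposed in public zone:", rec)
    print("refusing server:", zone_transfer_result(REFUSED_SAMPLE)[0])
```

To run this over real output, capture it with `host -l yourdomain ns1.yourdomain > zone.txt` and pass the file contents to `zone_transfer_result`; a result of "allowed" from a public name server is the misconfiguration to fix (allow-transfer limited to the secondaries), and anything `private_records` lists belongs only in an internal DNS view.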
(5) Netcraft
http://searchdns.netcraft.com/
(6) The Harvester
The Harvester automatically searches public sources (search engines, PGP key servers, etc.) for email addresses and hostnames belonging to a domain
root@kali:~# theharvester -d ________.com -l 500 -b all
(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego
(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN ________.com
DOMAIN => ________.com
recon-ng [xssed] > run
(9) Port Scanning
Nmap
root@kali:~# nmap -sS 192.168.20.9-11 -oA synscan
root@kali:~# nmap -sU 192.168.20.9-11 -oA udpscan
Metasploit Port Scanners
search portscan (lists the portscan modules)
scanner/portscan/tcp (runs a TCP connect scan)
Auxiliary modules are driven the same way as exploits (use, set, exploit, etc.)