Whois is a protocol used for querying databases that store an Internet resource's registered users or assignees. Examples:
whois example.com
# whois by specifying a whois server
whois example.com -h 192.168.5.5
# Perform a reverse lookup
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.5.5
Netcraft is an ISP that offers a free web portal for information gathering (technologies, subdomains, etc.).
Gather information through GitHub, GitLab, etc.
Example
# Restrict the search to example.com and subdomains
site:example.com
# Restrict the search to example.com and subdomains and exclude HTML pages
site:example.com -filetype:html
# Search for pages with 'index of' in the title and 'parent directory' in the content
intitle:"index of" "parent directory"
Shodan is a search engine for internet-connected devices, including servers, routers, and IoT devices.
Manual
host example.com # List of IPv4 & IPv6 addresses
host -t mx example.com # List of email servers
host -t txt example.com # List of TXT records
dig +short a zonetransfer.me # List of IPv4 addresses
dig +short mx zonetransfer.me # List of email servers
dig +short -x 192.246.126.3 # Reverse lookup
dig +short ns zonetransfer.me # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server (zone transfer attack)
nslookup example.com # Works on Windows
Note: AXFR offers no authentication, so any client can ask a DNS server for a copy of the entire zone.
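A defender-side check for the AXFR issue noted above, added here as an example and not part of the original notes: it lists a zone's authoritative servers with dig and reports which of them hand out the full zone, so you can verify the zones you administer. The function names and the record-counting logic are my own; it assumes dig is installed.

```shell
#!/bin/sh
# Check every authoritative name server of a zone for an unauthenticated
# AXFR (the misconfiguration demonstrated by zonetransfer.me). Run it
# against zones you administer. Requires dig (dnsutils / bind-utils).

# Print the authoritative name servers of a zone, one per line.
zone_nameservers() {
    dig +short ns "$1" | sed 's/\.$//' | sort -u
}

# Succeed (and print the record count) if the server hands out the zone.
# dig prints only ';'-prefixed comment lines ("; Transfer failed.") when
# AXFR is refused; a real transfer starts and ends with the zone's SOA.
axfr_allowed() {
    zone=$1; ns=$2
    # dig exits non-zero on a refused transfer; keep going and inspect output.
    out=$(dig axfr "$zone" @"$ns" 2>/dev/null) || true
    # Record lines look like "name ttl class type rdata"; field 4 is the type.
    soa=$(printf '%s\n' "$out" | awk '$1 !~ /^;/ && $4 == "SOA" {n++} END {print n+0}')
    [ "$soa" -ge 1 ] || return 1
    printf '%s\n' "$out" | awk '$1 !~ /^;/ && NF >= 5 {n++} END {print n+0}'
}

# Walk all name servers of a zone and report which ones allow transfers.
# Exit status 1 if any server leaked the zone, 0 otherwise.
check_zone_transfer() {
    zone=$1; leaked=0
    for ns in $(zone_nameservers "$zone"); do
        if n=$(axfr_allowed "$zone" "$ns"); then
            echo "LEAK  $ns allows AXFR of $zone ($n records)"
            leaked=1
        else
            echo "ok    $ns refuses AXFR of $zone"
        fi
    done
    return $leaked
}

# Usage: ./check_axfr.sh example.com
if [ $# -eq 1 ]; then check_zone_transfer "$1"; fi
```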
Automatic
There are several tools…
dnsrecon -d example.com -t std # Standard enumeration
dnsrecon -d example.com -t brt -D list.txt # Brute force subdomain enum
sublist3r -d example.com
theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo
Use Netcat when Nmap isn't available.
# Scan TCP
nc -nvv -w 1 -z 192.168.5.5 100-102
# Scan port 445 on 192.168.1.1–254
for i in $(seq 1 254); do nc -nvv -w 1 -z 192.168.1.$i 445; done
# Scan UDP [Highly unreliable, as firewalls/routers may drop ICMP packets ->
# leading to false positives]
nc -nv -u -z -w 1 192.168.5.5 120-123
# [TCP] Stealth scan (default if you're root)
# It will not appear in any app logs, but modern firewalls log it
sudo nmap -sS 192.168.5.5
# TCP Connect Scanning (default if you're not root)
nmap -sT 192.168.5.5
# UDP Scan
nmap -sU 192.168.5.5
# Scan all TCP ports
nmap -p- 192.168.5.5
# Scan a single port
nmap -p 5 192.168.5.5
Note: A 1000-port scan generates around 72 KB of traffic. Scanning all ports generates about 4 MB. 254 hosts * 4 MB = 1000 MB of traffic.
-sn option
The default host discovery done with -sn consists of an ICMP echo request. But when a privileged user tries to scan targets on a local ethernet network, ARP requests are used.
nmap -sn 192.168.1.0/24
-PS option
nmap -sn -PS 192.168.1.5
This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.
Note: You should also use other ports to better detect hosts.
nmap -sn -PS22-25 192.168.1.5
Other options
-PA (ACK flag is set instead of the SYN flag). Default port: 80
-PU (sends a UDP packet). Default port: 40125
-PY (sends an SCTP packet). Default port: 80
Use nmap documentation to understand the differences between port scans
nmap -p- 192.168.1.5 # Scan all TCP ports
nmap -sU --top-ports 25 <ip> # Suggestion for UDP scan
Script engine: For more info read nmap documentation
--script <filename>|<category>|<directory>|<expression>
-sC Runs a script scan using the default script set. It is the equivalent of --script=default
nmap --script "default or safe" # Load all scripts that are in the default, safe, or both categories.
Note: There are many categories. Some of the scripts in the default category are considered intrusive and may not be run against a target network without permission.
whatweb example.com
http://example.com/robots.txt
http://example.com/sitemap.xml
wafw00f http://example.com -a