Information gathering

Whois

Whois is a protocol used for querying databases that store an Internet resource’s registered users or assignees. You can provide:

Domain -> info about it such as name server, registrar, etc.
IP -> info about who is hostring the IP address

whois example.com

# whois by specifying a whois server
whois example.com -h 192.168.5.5

# Perform a reverse lookup
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.5.5

Netcraft

Netcraft is an ISP, that offers a free web portal for information gathering (technologies, subdomains, etc.).

Open-Source Code

Gather information through GitHub, GitLab, etc.

Manual
Automatic: Gitleaks

Google Dorks

Example

# Restrict the search to example.com and subdomains
site:example.com

# Restrict the search to example.com and subdomains and exclude HTML pages
site:example.com -filetype:html

# Search for pages with 'index of' in the title and 'parent directory' in the content
intitle:“index of” “parent directory”

Shodan

Shodan is a search engine for internet-connected devices, including servers, routers, and IoT devices.

DNS Enumeration

Manual

host example.com                  # List of ipv4 & ipv6 address
host -t mx example.com            # List of email servers
host -t txt example.com           # List of TXT records

dig +short a zonetransfer.me      # List of ipv4 address
dig +short mx zonetransfer.me     # List of email servers
dig +short -x 192.246.126.3       # Reverse lookups
dig +short ns zonetransfer.me     # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server. (zone transfer attack)

nslookup example.com              # Works on Windows

Note

AXFR offers no authentication, so any client can ask a DNS server for a copy of the entire zone.

Automatic

There are several tools…

dnsrecon

dnsrecon -d example.com -t std                # Standard enumeration
dnsrecon -d example.com -t brt -D list.txt    # Brute force subdomain enum

sublist3r enumerates subdomains using search engines such as Google and using DNSdumpster etc. It support also bruteforce.

sublist3r -d example.com

All in one

amass: network mapping and external asset discovery using open source information gathering and active reconnaissance techniques
theHarvester: gathers names, emails, IPs, subdomains, and URLs by using multiple public resources

theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo

Port Scanning

Netcat

Use Netcat when Nmap isn’t available.

# Scan TCP
nc -nvv -w 1 -z 192.168.5.5 100-102

# Scan port 445 on 192.168.1.1–254
for i in $(seq 1 254); do nc -nvv -w 1 -z 192.168.1.$i 445; done

# Scan UDP [Highly unreliable, as firewalls/routers may drop ICMP packets ->
# leading to false positives]
nc -nv -u -z -w 1 192.168.5.5 120-123

Nmap

# [TCP] Stealth scan (default if you're root)
# It will not appear in any app logs, but modern firewall log them
sudo nmap -sS 192.168.5.5

# TCP Connect Scanning (default if you're not root)
nmap -sT 192.168.5.5

# UDP Scan
nmap -sU 192.168.5.5

# Scan all TCP ports
nmap -p- 192.168.5.5

# Scan a single port
nmap -p 5 192.168.5.5

Note

1000-port scan generate around 72KB of traffic. Scanning all ports generate about 4 MB. 254 hosts * 4 MB = 1000 MB of traffic.

Host Discovery (nmap)

-sn option

The default host discovery done with -sn consists of an ICMP echo request. But when a privileged user tries to scan targets on a local ethernet network, ARP requests are used.

nmap -sn 192.168.1.0/24

-PS option

nmap -sn -PS 192.168.1.5

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.

Note

You should also use other ports to better detect hosts.

nmap -sn -PS22-25 192.168.1.5

Other options

-PA (ACK flag is set instead of the SYN flag). Default port: 80
-PU (sends a UDP packet). Default port: 40125
-PY (sends an SCTP packet). Default port: 80

Port Scanning (nmap)

Use nmap documentation to understand the differences between port scans

nmap -p- 192.168.1.5          # Scan all TCP ports
nmap -sU --top-ports 25 <ip>  # Suggestion for udp scan

Script engine: For more info read nmap documentation

--script <filename>|<category>|<directory>|<expression>
-sC Runs a script scan using the default script set. It is the equivalent of --script=default

nmap --script "default or safe" # Load all scripts that are in the default, safe, or both categories.

Note

There are many categories. Some of the scripts in this category are considered intrusive and may not run on a network target without permissions.

Website Recon

Web App Technology Fingerprinting
- wappalyzer (extension)
- builtwith (extension)
- whatweb example.com
Look for hidden directory/files:
- http://example.com/robots.txt
- http://example.com/sitemap.xml
WAF Detection
- wafw00f http://example.com -a
Download website source
- httrack
waybackmachine
- https://web.archive.org