Reconnaissance

Gathering information to plan future adversary operations.

00. Basic

https://docs.reconness.com/
https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap
https://www.xmind.net/m/5dypm8/#

01. Passive Recon

  • Manual

## ------------------| Get registration data, IP (v4/v6) addresses and mail server addresses
whois h4rithd.com
host h4rithd.com
nslookup h4rithd.com
traceroute h4rithd.com

## ------------------| Enumerate DNS / NS information
dnsrecon -d h4rithd.com
dig h4rithd.com
dig h4rithd.com MX             ## List mail server (MX) records
dig h4rithd.com NS             ## List nameserver (NS) records
dig h4rithd.com ANY            ## List all records
dig @8.8.8.8 h4rithd.com ANY   ## Query Google's public resolver instead of the local one

## ------------------| DNS Zone Transfer
dnsrecon -d h4rithd.com -t axfr

## ------------------| Check waf
wafw00f h4rithd.com

## ------------------| Interesting Sites
https://dnsdumpster.com/
https://sitereport.netcraft.com/?url=h4rithd.com

## ------------------| Identify web technology
whatweb h4rithd.com
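What whatweb does, in miniature: read the response headers and body and match them against a signature table. The following is an added example, not code from the original notes and not whatweb's own implementation; the HTTP response and the signature table are constructed for illustration (a real tool carries thousands of signatures). Run against your own servers it shows exactly which version strings you are disclosing.

```python
"""Fingerprint a web stack from HTTP response headers and body.

Added example (not whatweb's code). SAMPLE_RESPONSE is a constructed capture,
as `curl -si` would print it; HEADER_SIGNATURES / BODY_SIGNATURES are an
illustrative subset written for this example.
"""
import re

# Constructed raw HTTP/1.1 response (not a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.8"></head></html>'
)

# (lower-cased header name, regex over the header value, technology label).
# Group 1, where present, captures a version string.
HEADER_SIGNATURES = [
    ("server", re.compile(r"Apache(?:/([\d.]+))?"), "Apache httpd"),
    ("server", re.compile(r"nginx(?:/([\d.]+))?"), "nginx"),
    ("server", re.compile(r"Microsoft-IIS(?:/([\d.]+))?"), "Microsoft IIS"),
    ("x-powered-by", re.compile(r"PHP(?:/([\d.]+))?"), "PHP"),
    ("x-powered-by", re.compile(r"ASP\.NET"), "ASP.NET"),
    ("x-powered-by", re.compile(r"Express"), "Express (Node.js)"),
    ("set-cookie", re.compile(r"\bPHPSESSID="), "PHP session cookie"),
    ("set-cookie", re.compile(r"\bJSESSIONID="), "Java servlet session cookie"),
    ("set-cookie", re.compile(r"\bASP\.NET_SessionId="), "ASP.NET session cookie"),
]
BODY_SIGNATURES = [
    (re.compile(r'<meta name="generator" content="([^"]+)"', re.I), "Generator meta tag"),
]


def parse_response(raw):
    """Split a raw response into (status_line, headers, body).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept as lists.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw):
    """Return a list of (technology, version_or_detail, evidence) tuples."""
    _, headers, body = parse_response(raw)
    findings = []
    for hname, pattern, label in HEADER_SIGNATURES:
        for value in headers.get(hname, []):
            m = pattern.search(value)
            if m:
                version = m.group(1) if m.groups() else None
                findings.append((label, version, f"{hname}: {value}"))
    for pattern, label in BODY_SIGNATURES:
        m = pattern.search(body)
        if m:
            findings.append((label, m.group(1), "body"))
    return findings


def leaks_versions(findings):
    """Defender-side check: which findings expose a version or product string?"""
    return [f for f in findings if f[1]]


if __name__ == "__main__":
    for tech, detail, evidence in fingerprint(SAMPLE_RESPONSE):
        print(f"{tech:<22} {detail or '-':<14} <- {evidence}")
```

The version-bearing findings are the ones to act on: `ServerTokens Prod` / `expose_php = Off` and removing the generator tag leave the fingerprint far less specific without changing behaviour.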

## ------------------| OSINT on domain
theHarvester -b crtsh,dnsdumpster,duckduckgo,google,hackertarget,linkedin,linkedin_links,twitter,trello -d dialog.com

## ------------------| Subdomain enumeration
knockpy dialog.lk
sublist3r -d h4rithd.com
fierce --domain h4rithd.com

## ------------------| Subdomain enumeration from Certificate Transparency
curl -s 'https://crt.sh/?q=h4rithd.com&output=json' | jq -r '.[] | .common_name, .name_value' | sort -u    ## -r unescapes the \n-separated SANs in name_value
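The subdomain tools above and the crt.sh query each produce a list in a slightly different shape (multi-SAN `name_value` fields, wildcard entries, trailing dots, prefixed lines), and the useful artefact is a single de-duplicated, in-scope inventory. The following is an added example, not part of the original notes: a stdlib-only consolidator over a constructed crt.sh-style JSON document and a few constructed lines of tool output. It assumes the crt.sh fields `common_name` and `name_value`; `example.com` stands in for the scope domain.

```python
"""Consolidate subdomain findings from crt.sh JSON and other tool output.

Added example, not part of the original notes. All input below is constructed.
Assumes crt.sh JSON entries carry `common_name` and `name_value` (the latter
may hold several names separated by newlines).
"""
import json
import re

ROOT_DOMAIN = "example.com"  # placeholder scope domain

# Constructed crt.sh-style JSON; only the fields the parser uses are populated.
CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nMAIL.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
    {"common_name": "dev.example.com", "name_value": "dev.example.com"},
])

# Constructed lines in the shapes subdomain tools print them.
TOOL_OUTPUT = """
www.example.com
api.example.com
dev.example.com.
Found: vpn.example.com
"""

HOSTNAME_RE = re.compile(r"(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def in_scope(name, root=ROOT_DOMAIN):
    """True if name is root or a subdomain of root, matched on a label boundary.

    A plain suffix test would accept 'notexample.com'; the leading dot prevents that,
    and 'example.com.evil.test' fails because the root is not its suffix.
    """
    name = name.lower().rstrip(".")
    return name == root or name.endswith("." + root)


def names_from_crtsh(raw_json):
    """Yield every hostname in a crt.sh JSON response, splitting multi-SAN name_value."""
    for entry in json.loads(raw_json):
        yield entry.get("common_name", "")
        for san in entry.get("name_value", "").split("\n"):
            yield san


def names_from_text(text):
    """Extract hostnames from free-form tool output (prefixes, trailing dots)."""
    for line in text.splitlines():
        m = HOSTNAME_RE.search(line)
        if m:
            yield m.group(0)


def consolidate(*sources, root=ROOT_DOMAIN):
    """Merge, normalise and scope-filter names; return (hosts, wildcards), both sorted."""
    hosts, wildcards = set(), set()
    for source in sources:
        for raw in source:
            name = raw.strip().lower().rstrip(".")
            if not name or not in_scope(name, root):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = consolidate(names_from_crtsh(CRTSH_JSON), names_from_text(TOOL_OUTPUT))
    print("\n".join(hosts))
    print("wildcard certs:", ", ".join(wildcards))
```

Wildcards are reported separately because they are not resolvable hosts but do tell you a `*.example.com` certificate exists, which is worth knowing when reviewing what your own CT footprint advertises; out-of-scope look-alikes such as `example.com.evil.test` are dropped rather than silently merged.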

  • Automation

## ------------------| Sn1per
sudo sniper -t h4rithd.com
sudo sniper -t h4rithd.com -m stealth -o -re

## ------------------| Amass
amass enum -d h4rithd.com -dir output
amass enum -d h4rithd.com -src -ip -brute -dir output ### Active scan: brute-force names, print sources and IPs
amass db -dir output -list     ### List the enumerations stored in the workspace
amass viz -dir output -d3      ### Create an interactive D3 HTML visualisation

## ------------------| Recon-ng
recon-ng
marketplace search            ### Search the marketplace for modules
marketplace install <Module>  ### Install a module
modules search                ### List installed modules
modules load <Module>         ### Load an installed module
options list                  ### List the loaded module's options
options set SOURCE <domain>   ### Configure the module (SOURCE is the target domain)