# Reconnaissance

## 00. Basic

```bash
https://docs.reconness.com/
https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap
https://www.xmind.net/m/5dypm8/#
```

## 01. Passive Recon

* Manual

```bash
## ------------------| Get information about IP (v4/v6) addresses and the mail server address.
whois h4rithd.com
host h4rithd.com
nslookup h4rithd.com
traceroute h4rithd.com

## ------------------| Enumerate DNS / NS information
dnsrecon -d h4rithd.com
dig h4rithd.com
dig h4rithd.com MX             ## List mail server records
dig h4rithd.com NS             ## List name server records
dig h4rithd.com ANY            ## List all records (many servers answer ANY with a minimal response per RFC 8482)
dig @8.8.8.8 h4rithd.com ANY   ## Using Google's DNS server

## ------------------| DNS Zone Transfer
dnsrecon -d h4rithd.com -t axfr

## ------------------| Check waf
wafw00f h4rithd.com

## ------------------| Interesting Sites
https://dnsdumpster.com/
https://sitereport.netcraft.com/?url=h4rithd.com

## ------------------| Identify web technology
whatweb h4rithd.com

## ------------------| OSINT on domain
theHarvester -b crtsh,dnsdumpster,duckduckgo,google,hackertarget,linkedin,linkedin_links,twitter,trello -d dialog.com

## ------------------| Subdomain enumeration
knockpy dialog.lk
sublist3r -d h4rithd.com
fierce --domain h4rithd.com

## ------------------| Subdomain enumeration from Certificate Transparency
curl -s https://crt.sh/\?q\=h4rithd.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
curl -s "https://crt.sh/?q=h4rithd.com&output=json" | python3 -c "
import sys,json
certs=json.load(sys.stdin)
domains=set()
for c in certs:
    for d in c.get('name_value','').split('\n'):
        domains.add(d.strip())
for d in sorted(domains): print(d)
"

## ------------------| HTTP probing / live asset identification
for sub in www uat api shop portal lms omnichannel; do
  code=$(curl -sk --max-time 5 -o /dev/null -w "%{http_code}" "https://$sub.h4rithd.com")
  echo "$sub.h4rithd.com => HTTP $code"
done

## ------------------| SSL Certificate Analysis
curl -sk --max-time 10 "https://h4rithd.com" -v 2>&1 | grep -A5 "Server certificate"
#### Also via Nikto SSL scan
nikto -h h4rithd.com -ssl -nointeractive 2>/dev/null | grep -i "DNS\|SAN\|Subject"

## ------------------| JavaScript Bundle Analysis
#### Extract all JS bundle URLs
curl -sk "https://h4rithd.com" | grep -oE 'src="[^"]+\.js"' | sed 's/src="//;s/"//'
#### Fetch main bundle
curl -sk "https://h4rithd.com/static/js/main.js" | grep -oE 'https?://[a-zA-Z0-9._-]+\.azurewebsites\.net[^"'\'']*'
```
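The crt.sh pipelines above print every name verbatim. As an added Python example (not from the original notes), the following parses a constructed crt.sh-style JSON response, normalises case and trailing dots, drops any names outside the queried apex, flags wildcard entries and marks hosts whose certificates have all expired, which is where a defender starts when checking whether decommissioned hosts still have DNS records. The sample records and their `not_after` dates are constructed; the field names follow crt.sh's JSON output.

```python
import json
from datetime import datetime

# Constructed crt.sh-style response (not a real query result): note the newline-
# separated SANs in name_value, mixed case, a trailing dot, a wildcard, and an
# out-of-scope look-alike name.
SAMPLE_CRT_SH_JSON = r"""[
 {"common_name": "h4rithd.com", "name_value": "h4rithd.com\nwww.h4rithd.com",
  "not_after": "2030-01-01T00:00:00"},
 {"common_name": "*.h4rithd.com", "name_value": "*.h4rithd.com\nh4rithd.com",
  "not_after": "2031-06-01T00:00:00"},
 {"common_name": "API.h4rithd.com", "name_value": "API.h4rithd.com.",
  "not_after": "2019-03-01T00:00:00"},
 {"common_name": "h4rithd.com.example.net", "name_value": "h4rithd.com.example.net",
  "not_after": "2030-01-01T00:00:00"}
]"""


def in_scope(host, apex):
    """True only for the apex itself or a name directly under it."""
    return host == apex or host.endswith("." + apex)


def ct_inventory(raw_json, apex, now=None):
    """Return {host: {"wildcard": bool, "latest_expiry": datetime, "stale": bool}}
    for every in-scope name found in a crt.sh JSON response. `now` may be a
    datetime, an ISO-8601 string, or None (current time)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    apex = apex.lower().rstrip(".")
    hosts = {}
    for cert in json.loads(raw_json):
        expiry = datetime.fromisoformat(cert["not_after"])
        # name_value lists every SAN separated by "\n"; the CN is not always among them
        candidates = [cert.get("common_name", "")] + cert.get("name_value", "").split("\n")
        for raw in candidates:
            host = raw.strip().lower().rstrip(".")  # normalise case and trailing dot
            if not host or not in_scope(host, apex):
                continue
            entry = hosts.setdefault(
                host, {"wildcard": host.startswith("*."), "latest_expiry": expiry})
            entry["latest_expiry"] = max(entry["latest_expiry"], expiry)
    # A host whose every certificate has expired deserves a DNS/ownership check:
    # it may be decommissioned, or still resolving without anyone maintaining it.
    for entry in hosts.values():
        entry["stale"] = entry["latest_expiry"] < now
    return hosts


if __name__ == "__main__":
    for host, info in sorted(ct_inventory(SAMPLE_CRT_SH_JSON, "h4rithd.com").items()):
        flag = "STALE" if info["stale"] else "current"
        print(f"{host:28} {flag:8} last expiry {info['latest_expiry']:%Y-%m-%d}")
```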

* Automation

```bash
## ------------------| Sn1per
sudo sniper -t h4rithd.com
sudo sniper -t h4rithd.com -m stealth -o -re 

## ------------------| Amass
amass enum -d h4rithd.com -dir output
amass enum -d h4rithd.com -src -ip -brute -dir output ### Active scan
amass db -dir output -list     ### List all workspaces
amass viz -dir output -d3      ### Create HTML report

## ------------------| Recon-ng
recon-ng
marketplace search            ### Search module
marketplace install <Module>  ### Install module
modules search                ### List installed modules
modules load <Module>         ### Load installed modules
options list                  ### List module options
options set SOURCE <domain>   ### Configure the module
```

