Reconnaissance
gathering information to plan future adversary operation.
00. Basic
https://docs.reconness.com/
https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap
https://www.xmind.net/m/5dypm8/#
01. Passive Recon
Manual
## ------------------| Get information about ip(4/6) address and mail server address.
whois h4rithd.com
host h4rithd.com
nslookup h4rithd.com
traceroute h4rithd.com
## ------------------| Enumarate DNS / NS Information
dnsrecon -d h4rithd.com
dig h4rithd.com
dig h4rithd.com MX ## List Mail server records
dig h4rithd.com NS ## List NameServer records
dig h4rithd.com ANY ## List all records
dig @8.8.8.8 h4rithd.com ANY ## Using google dns server
## ------------------| DNS Zone Transfer
dnsrecon -d h4rithd.com -t axfr
## ------------------| Check waf
wafw00f h4rithd.com
## ------------------| Interesting Sites
https://dnsdumpster.com/
https://sitereport.netcraft.com/?url=h4rithd.com
## ------------------| Identify web technology
whatweb h4rithd.com
## ------------------| OSINT on domain
theHarvester -b crtsh,dnsdumpster,duckduckgo,google,hackertarget,linkedin,linkedin_links,twitter,trello -d dialog.com
## ------------------| Subdomain enumeration
knockpy dialog.lk
sublist3r -d h4rithd.com
fierce --domain h4rithd.com
## ------------------| Subdomain enumeration from Certificate Transparency
curl -s https://crt.sh/\?q\=h4rithd.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
Automation
## ------------------| Sn1per
sudo sniper -t h4rithd.com
sudo sniper -t h4rithd.com -m stealth -o -re
## ------------------| Amass
amass enum -d h4rithd.com -dir output
amass enum -d h4rithd.com -src -ip -brute -dir output ### Active scan
amass db -dir output -list ### List all workspace
amass viz -dir output -d3 ### Create html report
## ------------------| Recon-ng
recon-ng
marketplace search ### Search module
marketplace install <Module> ### Install module
modules search ### List installed modules
modules load <Module> ### Load installed modules
options list ### List module options
options set SOURCE <domain> ### Config modules
Last updated