Reconnaissance notes

1. Info gathering

whois <domain>                              # Domain registrar info

2. Port scanning

nmap -sS -Pn -p 1-1000 <ip>                 # Fast TCP SYN scan of the first 1000 ports (-Pn: no host discovery; -sS needs root)
nmap -Pn -A -sV -sC -p 80,443 <ip>          # Service/version detection + default NSE scripts on chosen ports (-A already implies -sV -sC and adds -O, --traceroute)
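The two commands above are usually run as one workflow: a fast sweep of every port first, then -sV/-sC only on what was found open, which is far quicker than -A over the whole range. The script below is an added example (not part of the original notes); the IP is a placeholder and the grepable-output parser is the piece that turns phase 1 into the -p argument of phase 2.

```bash
#!/usr/bin/env bash
# Added example: two-phase nmap scan.
# Phase 1 sweeps all 65535 TCP ports and records only which are open;
# phase 2 runs version detection and default scripts on just those ports.
# <ip> values are placeholders.

set -u

# open_ports_from_grepable < nmap-grepable-output
# Turns `nmap -oG -` output into a comma-separated list of open TCP ports,
# e.g. "22,80,443", ready to be passed to a second nmap -p.
open_ports_from_grepable() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -un | paste -s -d , -
}

# two_phase_scan <ip>
two_phase_scan() {
    local ip="$1" ports
    # Phase 1: SYN scan of every port, no host discovery, no reverse DNS,
    # grepable output on stdout so it can be parsed directly.
    ports=$(nmap -sS -Pn -n -p- --min-rate 1000 -oG - "$ip" | open_ports_from_grepable)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $ip" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    # Phase 2: service/version detection and default NSE scripts on those ports only,
    # saved in all formats (scan_<ip>.nmap / .gnmap / .xml) for later reference.
    nmap -Pn -n -sV -sC -p "$ports" -oA "scan_${ip}" "$ip"
}

# Usage: two_phase_scan 10.10.10.5
```

Closed and filtered ports are dropped by the parser because only "/open/tcp" entries match; UDP is not covered (add a separate -sU sweep if needed).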

3. Network host discovery

netdiscover -i <net-interface>              # Active ARP scan of the local segment (-p for passive sniffing only)
arp-scan -l                                 # Fast ARP scan of the local network (--localnet)

4. DNS records gathering

msf auxiliary/gather/enum_dns gives good results, but it is worth checking other tools as well, because the results vary between them.

# Types: ANY, A, AAAA, MX, NS, TXT, CNAME, SOA, PTR, SRV, AXFR (zone transfer; ask an authoritative NS)
dig <type> <domain> @<dns-ip>               # +short prints only the answer data
dnsrecon -d <domain> -a -n <dns-ip>         # Standard enumeration plus AXFR attempt (-a) against <dns-ip>
nslookup <domain>
host <domain>
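A zone transfer is often refused by one authoritative server and allowed by another, so AXFR is worth trying against every NS of the domain, not only the resolver at hand. The script below is an added example (not from the original notes): it queries each common record type and then attempts AXFR per name server, deciding success from dig's own ";; XFR size:" summary line. Domain and server names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: record enumeration and per-NS zone transfer attempts with dig.
# Domain / resolver arguments are placeholders.

set -u

RECORD_TYPES="A AAAA CNAME MX NS SOA TXT SRV"

# dns_records <domain> [resolver-ip]
# Prints the answer data for each record type, optionally via a chosen resolver.
dns_records() {
    local domain="$1" resolver="${2:-}" t server=""
    [ -n "$resolver" ] && server="@${resolver}"
    for t in $RECORD_TYPES; do
        printf '== %s\n' "$t"
        # +short keeps only the answer data, one record per line.
        dig +short "$t" "$domain" $server
    done
}

# axfr_succeeded < dig-axfr-output
# A successful transfer ends with an ";; XFR size: N records" summary line;
# a refusal prints "; Transfer failed." and no such summary.
axfr_succeeded() {
    grep -q '^;; XFR size:'
}

# try_axfr <domain>
# Attempts AXFR against every authoritative NS and reports each separately.
try_axfr() {
    local domain="$1" ns out
    for ns in $(dig +short NS "$domain"); do
        out=$(dig AXFR "$domain" "@${ns}" +time=5 +tries=1)
        if printf '%s\n' "$out" | axfr_succeeded; then
            echo "[+] zone transfer allowed by $ns"
            printf '%s\n' "$out"
        else
            echo "[-] $ns refused AXFR"
        fi
    done
}

# Usage: dns_records target.htb 10.10.10.5; try_axfr target.htb
```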

5. Subdomains / vhost discovery

There are situations where no DNS server resolves the target's names. Then you have to brute-force the names while sending every request straight to the target IP (using the proxy parameter), so that only the Host header changes. Almost all candidate names will then get a 200 from the default virtual host; the correct one usually shows up through a slightly different body length or a different response code, so filter on those rather than on status alone.

5.1. DNS server bruteforcing

gobuster dns -d <domain> -r <dns-server> -w <wordlist>

5.2. Bruteforcing with wfuzz

wfuzz
    -u http://FUZZ.url.com
    -w <wordlist>
    -H "Header: value"                      # Extra headers
    -p <target-ip>:80:HTTP                  # "Proxy" = the target itself: connection goes to the IP, FUZZ only changes the Host header
    -c                                      # Output with colors

5.3. Bruteforcing with ffuf

ffuf
    -u http://FUZZ.url.com
    -w <wordlist>
    -H "Header: value"                      # Extra headers
    -b "Cookie=value;"                      # Extra cookies
    -x http://<target-ip>:80                # "Proxy" = the target itself: connection goes to the IP, FUZZ only changes the Host header
    -timeout <seconds>                      # HTTP request timeout
    -ac                                     # Auto-calibrate filtering

5.4. VHOST discovery

Works even without DNS service: each candidate name is sent in the Host header to the URL's IP.

gobuster vhost -u <url> -w <wordlist>       # Filter on differing status/size; newer gobuster needs --append-domain to test <word>.<domain>
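The same idea as the wfuzz/ffuf/gobuster vhost runs above, written out with curl so the mechanics are visible: the TCP connection goes to the target IP, only the Host header carries the candidate, and the result is compared against the most common (status, size) pair, which is the default vhost's answer. This is an added example, not part of the original notes; IP, domain and wordlist path are placeholders.

```bash
#!/usr/bin/env bash
# Added example: virtual-host brute force without DNS.
# vhost_probe sends each candidate as a Host header straight to the IP;
# vhost_outliers drops every response that matches the baseline
# (the most frequent "status size" pair), leaving the interesting names.
# Target IP, domain and wordlist are placeholders.

set -u

# vhost_probe <target-ip> <domain> <wordlist>
# Prints one line per candidate: "<host> <http_code> <body_bytes>".
vhost_probe() {
    local ip="$1" domain="$2" wordlist="$3" word
    while IFS= read -r word; do
        [ -z "$word" ] && continue
        printf '%s.%s ' "$word" "$domain"
        # Connection to the IP, candidate name only in the Host header.
        # A timeout or connection error still yields "000 0" for the parser.
        curl -s -o /dev/null -m 5 \
             -w '%{http_code} %{size_download}\n' \
             -H "Host: ${word}.${domain}" "http://${ip}/"
    done < "$wordlist"
}

# vhost_outliers < probe-output
# The default vhost answers every unknown name identically, so the most common
# (code, size) pair is the baseline; anything that differs is printed.
vhost_outliers() {
    awk '
        { key = $2 " " $3; count[key]++; line[NR] = $0; k[NR] = key }
        END {
            best = ""; max = 0
            for (c in count) if (count[c] > max) { max = count[c]; best = c }
            for (i = 1; i <= NR; i++) if (k[i] != best) print line[i]
        }'
}

# Usage: vhost_probe 10.10.10.5 target.htb /usr/share/wordlists/subdomains.txt | vhost_outliers
```

Size-based filtering breaks when the default page embeds the requested hostname (every response then has a different length); in that case compare on status code or word count instead, which is what ffuf's -ac and the size/word/line filters of the tools above are for.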

6. Google dorks

List of interesting dorks for pentesters.

"search phrase"                             # Search exact phrase
filetype:pdf                                # Search filetype == pdf
site:my.site.com                            # Limit to this site
-site:my.site.com                           # Exclude this site
intitle:MyTitle                             # With specific phrase in title
inurl:example                               # With specific phrase in URL

7. Other search engines

8. Recon-NG

recon-ng -w <workspace>                     # Start with <workspace> loaded
 
# Recon-ng command line
workspaces create <workspace>               # Create workspace
db schema                                   # Show db
db insert domains                           # Add domain
dashboard                                   # Summary of collected data
show <table>                                # Show table content
 
marketplace
    search <keyword>                        # Search for module by keyword
    info <module>                           # Get info about module
    install <module>                        # Install module
    remove <module>                         # Uninstall module
 
modules search                              # List installed modules
modules load <module>                       # Load module to memory
CTRL + C                                    # Unload module (the back command does the same)
options list                                # List module's options
options set <option> <value>                # Set module's option
info                                        # Get full module's info
run                                         # Execute module