Introduction
As I progressed through my eLearnSecurity Junior Penetration Tester (eJPT) certification journey, I meticulously documented the most crucial commands and techniques for both passive and active information gathering. This comprehensive guide serves as a compilation of essential tools and methodologies to empower cybersecurity enthusiasts and ethical hackers in their reconnaissance endeavors.
Passive Information Gathering
Whois and More Reconnaissance
Initiate your reconnaissance with essential commands to uncover crucial information:
host domain.com // Resolves the IP address associated with the domain
whatweb domain.com // Scans and identifies web technologies used on the domain
whois domain.com // Retrieves WHOIS information for the domain
Explore the website with tools like BuiltWith, and leverage online resources such as Netcraft for consolidated data.
DNS Reconnaissance
Delve into the domain's DNS details:
dnsrecon -d domain.com // Conducts DNS reconnaissance on the specified domain
Utilize online tools like dnsdumpster.com for a comprehensive DNS overview.
Web Application Firewall (WAF) Detection
Identify potential WAF instances with:
wafw00f https://domain.com // Tests for one WAF instance
wafw00f -a https://domain.com // Tests for all possible WAF instances
Subdomain Enumeration
Uncover subdomains with:
sublist3r -d domain.com // Searches for subdomains using sublist3r
Google Dorking
Leverage advanced search queries for targeted insights:
site:domain.com inurl:admin // Looks for the admin panel in the domain
site:*.domain.com // Searches for subdomains associated with the domain
site:domain.com filetype:pdf // Identifies PDF files on the domain
site:domain.com intitle:index of // Explores directories with enabled listing
cache:domain.com // Retrieves previous versions of the website
site:domain.com inurl:auth_user_file.txt // Searches for auth_user_file.txt
Explore the Google Hacking Database for more dorking techniques.
Email Harvesting
Discover associated emails using:
theHarvester -d domain.com -b google,linkedin // Harvests emails from Google and LinkedIn
Leaked Password Databases
Check for compromised credentials at:
haveibeenpwned.com // Checks if the domain has been involved in data breaches
Active Information Gathering
DNS Zone Transfers
Perform DNS zone transfers for active reconnaissance:
dnsenum domain.com // Enumerates DNS information for the domain
dig axfr @nameserver domain.com // Attempts a DNS zone transfer
fierce --domain domain.com // Conducts DNS enumeration using fierce
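As an added example that is not part of the original post, the following Python script shows the defender's side of the zone-transfer check above: it parses saved output of `dig axfr @nameserver domain.com` for each authoritative nameserver of a zone you operate and flags any server that hands out the full zone. The two sample outputs, the nameserver names and the example.test zone are constructed for illustration.

```python
import re

# Constructed sample of `dig axfr @ns1.example.test example.test` output
# from a server that answers AXFR for anyone. Not real data.
AXFR_ALLOWED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
example.test.\t3600\tIN\tNS\tns1.example.test.
www.example.test.\t3600\tIN\tA\t192.0.2.10
mail.example.test.\t3600\tIN\tA\t192.0.2.25
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(ns1.example.test) (TCP)
"""

# Constructed sample from a server that refuses the transfer.
AXFR_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns2.example.test example.test
;; global options: +cmd
; Transfer failed.
"""

# A resource record line: name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(output):
    """Return the (name, ttl, type, rdata) records in dig output,
    skipping comment and status lines that start with ';'."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def transfer_allowed(output):
    """A successful AXFR returns the whole zone, which starts and ends with
    the SOA record. Anything else (e.g. '; Transfer failed.') means refused."""
    records = parse_axfr(output)
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def audit(results):
    """results maps nameserver -> saved dig output. Returns nameserver -> finding."""
    findings = {}
    for ns, output in results.items():
        if transfer_allowed(output):
            records = parse_axfr(output)
            hosts = sorted({r[0] for r in records if r[2] in ("A", "AAAA", "CNAME")})
            findings[ns] = "AXFR ALLOWED: exposes %d records (%s)" % (
                len(records), ", ".join(hosts))
        else:
            findings[ns] = "axfr refused (ok)"
    return findings


if __name__ == "__main__":
    sample = {"ns1.example.test": AXFR_ALLOWED, "ns2.example.test": AXFR_REFUSED}
    for ns, finding in audit(sample).items():
        print(ns, "->", finding)
```

Save `dig axfr @ns domain.com` output for each authoritative server of a zone you are responsible for and pass the files to `audit()`. A server that answers should have its transfer policy tightened (in BIND, `allow-transfer { none; };` or a list of the secondaries' addresses) so that only legitimate secondaries can pull the zone.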
Host Discovery
Identify devices on the network:
sudo nmap -sn 10.0.2.15/24 // Discovers devices on the network (no port scan)
sudo netdiscover -i eth0 -r 10.0.2.15/24 // Discovers devices using an alternate technique
Port Scanning
Scan for open ports and services:
sudo nmap 10.10.10.10 // Default nmap TCP scan (SYN scan)
sudo nmap -p 80 10.10.10.10 // Scans a specific port
sudo nmap -F 10.10.10.10 // Fast scan: checks the 100 most common ports instead of the default 1,000 (nmap rejects -F combined with -p)
sudo nmap -p- 10.10.10.10 // Scans the entire TCP port range (65,535 ports)
sudo nmap -sU 10.10.10.10 // Nmap scan for UDP
sudo nmap -sV 10.10.10.10 // Probes open ports to identify the running service and its version
sudo nmap -O 10.10.10.10 // Discovers the OS of the target system
Explore various Nmap options for TCP and UDP scans, service versioning, OS discovery, and more.
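The host-discovery and port-scanning commands above become far more useful once their results are compared against what is supposed to be exposed. As an added example that is not from the original post, this Python snippet parses Nmap's grepable output (`-oG`) from both an `-sn` sweep and an `-sV` scan and reports open ports that are missing from an asset baseline. The scan output, the baseline and the MySQL service are constructed samples; the addresses are the ones used in the commands above.

```python
import re

# Constructed sample of Nmap grepable output (-oG): a host-discovery sweep
# (-sn) followed by a service-version scan (-sV). Not real scan data.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 10.0.2.15/24
Host: 10.0.2.1 ()\tStatus: Up
Host: 10.0.2.15 ()\tStatus: Up
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.33/, 443/closed/tcp//https///\tIgnored State: closed (996)
# Nmap done: 1 IP address (1 host up) scanned
"""

# Constructed baseline: the services the asset owner intends to expose,
# keyed by host, as (protocol, port) pairs.
BASELINE = {"10.10.10.10": {("tcp", 22), ("tcp", 80)}}

# The Ports field runs up to the next tab-separated field (or end of line).
PORTS_RE = re.compile(r"Ports: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Parse -oG output.

    Returns (hosts_up, open_ports): hosts_up is the set of addresses that
    answered the sweep; open_ports maps address -> [(proto, port, service,
    version)] for every port reported as open.
    """
    hosts_up = set()
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' banner lines
        host = line.split()[1]
        if "Status: Up" in line:
            hosts_up.add(host)
        m = PORTS_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            fields = entry.split("/")
            port, state, proto, service, version = (
                fields[0], fields[1], fields[2], fields[4], fields[6])
            if state == "open":
                open_ports.setdefault(host, []).append(
                    (proto, int(port), service, version))
    return hosts_up, open_ports


def unexpected_exposure(open_ports, baseline):
    """Return {host: [entries]} for open ports absent from the baseline.

    A host that is not in the baseline at all has every open port reported.
    """
    findings = {}
    for host, entries in open_ports.items():
        allowed = baseline.get(host, set())
        extra = [e for e in entries if (e[0], e[1]) not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    hosts_up, open_ports = parse_grepable(NMAP_GREPABLE)
    print("hosts up:", sorted(hosts_up))
    for host, extra in unexpected_exposure(open_ports, BASELINE).items():
        for proto, port, service, version in extra:
            print(f"{host}: {port}/{proto} {service} ({version}) is not in the baseline")
```

Add `-oG scan.gnmap` to the nmap commands above to get this format; scheduling the comparison and alerting on any new entry turns a one-off scan into continuous exposure monitoring of the hosts you own.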
This comprehensive guide equips you with powerful tools and techniques for both passive and active information gathering. Tailor your approach based on your specific objectives and target environment.
Check out: Footprinting and Scanning | eJPT