Information Gathering - web edition

WHOIS

Command	Description
export TARGET="domain.tld"	Assign target to an environment variable.
whois $TARGET	WHOIS lookup for the target.

---

DNS Enumeration

Command	Description
nslookup $TARGET	Identify the A record for the target domain.
nslookup -query=A $TARGET	Identify the A record for the target domain.
dig $TARGET @<nameserver/IP>	Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP>	Identify the A record for the target domain.
nslookup -query=PTR <IP>	Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP>	Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGET	Identify ANY records for the target domain.
dig any $TARGET @<nameserver/IP>	Identify ANY records for the target domain.
nslookup -query=TXT $TARGET	Identify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP>	Identify the TXT records for the target domain.
nslookup -query=MX $TARGET	Identify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP>	Identify the MX records for the target domain.

---

Passive Subdomain Enumeration

Resource/Command	Description
VirusTotal	https://www.virustotal.com/gui/home/url
Censys	https://censys.io/
Crt.sh	https://crt.sh/
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u	All subdomains for a given domain.
curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u	All TLDs found for a given domain.
curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u	All results across all TLDs for a given domain.
curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u	Reverse DNS lookup on IP address.
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u	Reverse DNS lookup of a CIDR range.
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u	Certificate Transparency.
cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done	Searching for subdomains and other information on the sources provided in the source.txt list.

Sources.txt

Code: txt

baidu
bufferoverun
crtsh
hackertarget
otx
projecdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye

---

Passive Infrastructure Identification

Resource/Command	Description
Netcraft	https://www.netcraft.com/
WayBackMachine	http://web.archive.org/
WayBackURLs	https://github.com/tomnomnom/waybackurls
waybackurls -dates https://$TARGET > waybackurls.txt	Crawling URLs from a domain with the date it was obtained.

---

Active Infrastructure Identification

Resource/Command	Description
curl -I "http://${TARGET}"	Display HTTP headers of the target webserver.
whatweb -a https://www.facebook.com -v	Technology identification.
Wappalyzer	https://www.wappalyzer.com/
wafw00f -v https://$TARGET	WAF Fingerprinting.
Aquatone	https://github.com/michenriksen/aquatone
cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000	Makes screenshots of all subdomains in the subdomain.list.

---

Active Subdomain Enumeration

Resource/Command	Description
HackerTarget	https://hackertarget.com/zone-transfer/
SecLists	https://github.com/danielmiessler/SecLists
nslookup -type=any -query=AXFR $TARGET nameserver.target.domain	Zone Transfer using Nslookup against the target domain and its nameserver.
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"	Bruteforcing subdomains.

---

Virtual Hosts

Resource/Command	Description
curl -s http://192.168.10.10 -H "Host: randomtarget.com"	Changing the HOST HTTP header to request a specific domain.
cat ./vhosts.list | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done	Bruteforcing for possible virtual hosts on the target domain.
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612	Bruteforcing for possible virtual hosts on the target domain using ffuf.

---

Crawling

Resource/Command	Description
ZAP	https://www.zaproxy.org/
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt	Discovering files and folders that cannot be spotted by browsing the website.
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS	Mutated bruteforcing against the target web server.