Skip to content

Latest commit

 

History

History
114 lines (92 loc) · 5.41 KB

cheatsheet-info gathering.md

File metadata and controls

114 lines (92 loc) · 5.41 KB

WHOIS

Command Description
export TARGET="domain.tld" Assign target to an environment variable.
whois $TARGET WHOIS lookup for the target.

DNS Enumeration

Command Description
nslookup $TARGET Identify the A record for the target domain.
nslookup -query=A $TARGET Identify the A record for the target domain.
dig $TARGET @<nameserver/IP> Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP> Identify the A record for the target domain.
nslookup -query=PTR <IP> Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP> Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGET Identify ANY records for the target domain.
dig any $TARGET @<nameserver/IP> Identify ANY records for the target domain.
nslookup -query=TXT $TARGET Identify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP> Identify the TXT records for the target domain.
nslookup -query=MX $TARGET Identify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP> Identify the MX records for the target domain.

Passive Subdomain Enumeration

Resource/Command Description
VirusTotal https://www.virustotal.com/gui/home/url
Censys https://censys.io/
Crt.sh https://crt.sh/
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u All subdomains for a given domain.
curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u All TLDs found for a given domain.
curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u All results across all TLDs for a given domain.
curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u Reverse DNS lookup on IP address.
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u Reverse DNS lookup of a CIDR range.
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u Certificate Transparency.
cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done Searching for subdomains and other information on the sources provided in the source.txt list.

Sources.txt

baidu
bufferoverun
crtsh
hackertarget
otx
projecdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye

Passive Infrastructure Identification

Resource/Command Description
Netcraft https://www.netcraft.com/
WayBackMachine http://web.archive.org/
WayBackURLs https://github.com/tomnomnom/waybackurls
waybackurls -dates https://$TARGET > waybackurls.txt Crawling URLs from a domain with the date it was obtained.

Active Infrastructure Identification

Resource/Command Description
curl -I "http://${TARGET}" Display HTTP headers of the target webserver.
whatweb -a https://www.facebook.com -v Technology identification.
Wappalyzer https://www.wappalyzer.com/
wafw00f -v https://$TARGET WAF Fingerprinting.
Aquatone https://github.com/michenriksen/aquatone
cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000 Makes screenshots of all subdomains in the subdomain.list.

Active Subdomain Enumeration

Resource/Command Description
HackerTarget https://hackertarget.com/zone-transfer/
SecLists https://github.com/danielmiessler/SecLists
nslookup -type=any -query=AXFR $TARGET nameserver.target.domain Zone Transfer using Nslookup against the target domain and its nameserver.
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt" Bruteforcing subdomains.

Virtual Hosts

Resource/Command Description
curl -s http://192.168.10.10 -H "Host: randomtarget.com" Changing the HOST HTTP header to request a specific domain.
cat ./vhosts.list | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done Bruteforcing for possible virtual hosts on the target domain.
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612 Bruteforcing for possible virtual hosts on the target domain using ffuf.

Crawling

Resource/Command Description
ZAP https://www.zaproxy.org/
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt Discovering files and folders that cannot be spotted by browsing the website.
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS Mutated bruteforcing against the target web server.