Information Gathering
Passive Information Gathering
# gathering basic information about a domain name
whois megacorpone.com -h 192.168.0.1
# reverse lookup
whois 38.200.0.1 -h 192.168.0.1
# Google Hacking
https://www.exploit-db.com/google-hacking-database
https://dorksearch.com
https://ahrefs.com/blog/google-advanced-search-operators/
# Netcraft
https://searchdns.netcraft.com
# Open-Source Code
https://github.com/gitleaks/gitleaks
https://github.com/michenriksen/gitrob
# Shodan
ssl:hostname:megacorpone.com
hostname:megacorpone.com
# Security Headers and SSL/TLS
https://securityheaders.com
https://www.ssllabs.com
Infrastructure-based Enumeration
# Certificate Transparency
curl -s https://crt.sh/\?q\=domain.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
# grep for accessible subdomains
for i in $(cat subdomainlist);do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4;done
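The crt.sh pipeline above and the host loop that follows it can be written as a small script that is easier to audit and extend than the one-liners. This is an added example, not part of the original notes: it parses a constructed sample of crt.sh JSON (real output has the same common_name / name_value fields, with name_value holding newline-separated SANs), keeps only names in scope for the target domain, ignores the issuer CN= fields exactly as the grep -v does, and then resolves the survivors. One deliberate difference from the shell version: a wildcard entry such as *.dev.domain.com is reduced to dev.domain.com so that it can be resolved at all. The resolver is injectable so the logic can be checked offline; the default uses the standard library.

```python
import json
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of crt.sh JSON output (https://crt.sh/?q=domain.com&output=json),
# trimmed to the fields the one-liner uses. Not real Certificate Transparency data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.domain.com",
     "name_value": "domain.com\nwww.domain.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.domain.com",
     "name_value": "mail.domain.com\n*.dev.domain.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.domain.com",
     "name_value": "vpn.domain.com\nvpn.domain.com"},
])


def ct_subdomains(raw_json: str, domain: str) -> List[str]:
    """Return the sorted, de-duplicated hostnames under `domain` found in crt.sh JSON.

    Mirrors the shell pipeline: read the certificate name fields (never issuer_name,
    which is where the CN= entries the grep -v drops come from), split name_value on
    its embedded newlines, keep only names inside the target domain, and strip a
    leading '*.' so wildcard entries become a resolvable label.
    """
    domain = domain.lower()
    names = set()
    for cert in json.loads(raw_json):
        candidates = [cert.get("common_name", "")]
        candidates += cert.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def _default_resolver(host: str) -> Optional[str]:
    """Resolve via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def resolve_subdomains(hosts: Iterable[str],
                       resolver: Optional[Callable[[str], Optional[str]]] = None) -> Dict[str, str]:
    """Map each host that resolves to its IPv4 address, like the `host ... | grep "has address"` loop.

    `resolver` is a hypothetical injection point (not from the original notes) so the
    function can be exercised without network access; unresolvable hosts are omitted.
    """
    resolve = resolver or _default_resolver
    found: Dict[str, str] = {}
    for host in hosts:
        address = resolve(host)
        if address:
            found[host] = address
    return found


if __name__ == "__main__":
    # Swap SAMPLE_CRTSH_JSON for the body of a live crt.sh request to use this for real.
    subs = ct_subdomains(SAMPLE_CRTSH_JSON, "domain.com")
    for host, address in resolve_subdomains(subs).items():
        print(f"{host} {address}")
```

Run against the sample, ct_subdomains yields five in-scope names; with the default resolver the sample hosts will simply fail to resolve, which is the expected result for a constructed domain.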
# Scan each IP address in a list using Shodan
for i in $(cat ip-addresses.txt);do shodan host $i;done
# Cloud Resources
https://domain.glass
https://buckets.grayhatwarfare.com
# Google dorking
intext:domain.com inurl:blob.core.windows.net
intext:domain.com inurl:amazonaws.com
LLM-Powered Passive Information Gathering
- Can you print out all the public information about company structure and employees of inlanefreight?
- Can you provide the best 20 google dorks for inlanefreight.com website tailored for a penetration test
- Retrieve the technology stack of the inlanefreight.com website
Active Information Gathering
# TCP port scan with nc
nc -nvv -w 1 -z 10.0.0.1 440-450
# UDP port scan with nc
nc -nv -u -z -w 1 10.0.0.1 120-123
# TCP port scan with PS
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.0.0.1", $_)) "TCP port $_ is open"} 2>$null