Introduction

As I progressed through my eLearnSecurity Junior Penetration Tester (eJPT) certification journey, I meticulously documented the most crucial commands and techniques for both passive and active information gathering. This comprehensive guide serves as a compilation of essential tools and methodologies to empower cybersecurity enthusiasts and ethical hackers in their reconnaissance endeavors.

Passive Information Gathering

Whois and More Reconnaissance

Initiate your reconnaissance with essential commands to uncover crucial information

host domain.com // Resolves the IP address associated with the domain

whatweb domain.com // Scans and identifies web technologies used on the domain

whois domain.com // Retrieves WHOIS information for the domain

Explore the website with tools like BuiltWith, and leverage online resources such as Netcraft for consolidated data.

DNS Reconnaissance

Delve into the domain's DNS details:

dnsrecon -d domain.com // Conducts DNS reconnaissance on the specified domain

Utilize online tools like dnsdumpster.com for a comprehensive DNS overview.

Web Application Firewall (WAF) Detection

Identify potential WAF instances with:

wafw00f https://domain.com // Tests for one WAF instance
wafw00f -a https://domain.com // Tests all possible WAF instancث

Subdomain Enumeration

Uncover subdomains with:

sublist3r -d domain.com // Searches for subdomains using sublist3r

Google Dorking

Leverage advanced search queries for targeted insights

site:domain.com inurl:admin // Looks for the admin panel in the domain

site:*.domain.com // Searches for subdomains associated with the domain

site:domain.com filetype:pdf // Identifies PDF files on the domain

site:domain.com intitle:index of // Explores directories with enabled listing

cache:domain.com // Retrieves previous versions of the website

site:domain.com inurl:auth_user_file.txt // Searches for auth_user_file.txt

Explore the Google Hacking Database for more dorking techniques.

Email Harvesting

Discover associated emails using:

theHarvester -d domain.com -b google,linkedin // Harvests emails from Google and LinkedIn

Leaked Password Databases

Check for compromised credentials at

haveibeenpwned.com // Checks if the domain has been involved in data breaches

Active Information Gathering

DNS Zone Transfers

Perform DNS zone transfers for active reconnaissance:

dnsenum domain.com // Enumerates DNS information for the domain

dig axfr @nameserver domain.com // Attempts a DNS zone transfer

fierce --domain domain.com // Conducts DNS enumeration using fierce

Host Discovery

Identify devices on the network:

sudo nmap -sn 10.0.2.15/24 // Discovers devices on the network (no port scan)

sudo netdiscover -i eth0 -r 10.0.2.15/24 // Discovers devices using an alternate technique

Port Scanning

Scan for open ports and services:

sudo nmap 10.10.10.10 // Default nmap TCP scan (SYN scan)

sudo nmap -p 80 10.10.10.10 // Scans a specific port

sudo nmap -p 80 -F 10.10.10.10 // Fast scan option for a specific port

sudo nmap -p- 10.10.10.10 // Scans the entire TCP port range (65,535 ports)

sudo nmap -sU 10.10.10.10 // Nmap scan for UDP

sudo nmap -sV 10.10.10.10 // Configures specific services for the ports

sudo nmap -O 10.10.10.10 // Discovers the OS of the target system

Explore various Nmap options for TCP and UDP scans, service versioning, OS discovery, and more.

This comprehensive guide equips you with powerful tools and techniques for both passive and active information gathering. Tailor your approach based on your specific objectives and target environment.

Check out: Footprinting and Scanning | eJPT