As I progressed through my eLearnSecurity Junior Penetration Tester (eJPT) certification journey, I meticulously documented the most crucial commands and techniques for both passive and active information gathering. This comprehensive guide serves as a compilation of essential tools and methodologies to empower cybersecurity enthusiasts and ethical hackers in their reconnaissance endeavors.
Initiate your reconnaissance with essential commands to uncover crucial information
host domain.com // Resolves the IP address associated with the domain
whatweb domain.com // Scans and identifies web technologies used on the domain
whois domain.com // Retrieves WHOIS information for the domain
Explore the website with tools like BuiltWith, and leverage online resources such as Netcraft for consolidated data.
Delve into the domain's DNS details:
dnsrecon -d domain.com // Conducts DNS reconnaissance on the specified domain
Utilize online tools like dnsdumpster.com for a comprehensive DNS overview.
Identify potential WAF instances with:
wafw00f https://domain.com // Stops after the first WAF instance it detects
wafw00f -a https://domain.com // Tests for all WAF instances it can fingerprint
Uncover subdomains with:
sublist3r -d domain.com // Searches for subdomains using sublist3r
Leverage advanced search queries for targeted insights
site:domain.com inurl:admin // Looks for the admin panel in the domain
site:*.domain.com // Searches for subdomains associated with the domain
site:domain.com filetype:pdf // Identifies PDF files on the domain
site:domain.com intitle:"index of" // Explores directories with listing enabled
cache:domain.com // Retrieves previous versions of the website
site:domain.com inurl:auth_user_file.txt // Searches for auth_user_file.txt
Explore the Google Hacking Database for more dorking techniques.
Discover associated emails using:
theHarvester -d domain.com -b google,linkedin // Harvests emails from Google and LinkedIn
Check for compromised credentials at
haveibeenpwned.com // Checks whether email addresses (or a verified domain) appear in known data breaches
Perform DNS zone transfers for active reconnaissance:
dnsenum domain.com // Enumerates DNS information for the domain
dig axfr @nameserver domain.com // Attempts a DNS zone transfer
fierce --domain domain.com // Conducts DNS enumeration using fierce
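The zone-transfer commands above only show the attempt; the added example below (not from the original post) classifies captured `dig axfr` output so you can confirm that your own authoritative servers refuse AXFR. The name servers `ns1.example.com`/`ns2.example.com` and all record data are constructed placeholders.

```python
"""Classify the text output of `dig axfr @nameserver domain.com` (added example;
the two sample outputs below are constructed, not real zone data)."""
import re
from dataclasses import dataclass, field

# dig prints each transferred record as: owner  TTL  class  type  rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

@dataclass
class AxfrResult:
    allowed: bool                                  # did the server hand over the zone?
    records: list = field(default_factory=list)    # (owner, type, rdata) tuples

    def exposed_hosts(self):
        """Distinct hostnames the transfer leaked (what a recon tool would learn)."""
        return sorted({o.rstrip(".") for o, t, _ in self.records if t in ("A", "AAAA", "CNAME")})

def parse_axfr(output: str) -> AxfrResult:
    """A refusal appears as dig's '; Transfer failed.' comment; a real transfer is
    a record list opened and closed by the zone's SOA record."""
    if "Transfer failed" in output:
        return AxfrResult(allowed=False)
    records = []
    for line in output.splitlines():
        m = RECORD_RE.match(line)
        if m and not line.startswith(";"):
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner, rtype, rdata.strip()))
    soa_count = sum(1 for r in records if r[1] == "SOA")
    return AxfrResult(allowed=soa_count >= 2, records=records)

# Constructed sample: a correctly configured server refuses the transfer
REFUSED = """; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
; Transfer failed.
"""
# Constructed sample: a misconfigured server leaks the whole zone
LEAKED = """; <<>> DiG 9.18.1 <<>> axfr @ns2.example.com example.com
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
example.com.\t\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
vpn.example.com.\t3600\tIN\tA\t192.0.2.20
dev.example.com.\t300\tIN\tCNAME\twww.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
"""

if __name__ == "__main__":
    for ns, sample in (("ns1", REFUSED), ("ns2", LEAKED)):
        result = parse_axfr(sample)
        print(ns, "AXFR allowed" if result.allowed else "AXFR refused", result.exposed_hosts())
```

Run `dig axfr @<ns> domain.com > out.txt` against each of your own name servers and feed the file to `parse_axfr`; any result with `allowed` set to True is a server that should be restricted with an allow-transfer ACL.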
Identify devices on the network:
sudo nmap -sn 10.0.2.15/24 // Discovers devices on the network (no port scan)
sudo netdiscover -i eth0 -r 10.0.2.15/24 // Discovers devices using an alternate technique
Scan for open ports and services:
sudo nmap 10.10.10.10 // Default nmap TCP scan (SYN scan)
sudo nmap -p 80 10.10.10.10 // Scans a specific port
sudo nmap -F 10.10.10.10 // Fast scan: checks only the 100 most common ports (nmap rejects -F combined with -p)
sudo nmap -p- 10.10.10.10 // Scans the entire TCP port range (65,535 ports)
sudo nmap -sU 10.10.10.10 // Nmap scan for UDP
sudo nmap -sV 10.10.10.10 // Detects the service and version running on each open port
sudo nmap -O 10.10.10.10 // Discovers the OS of the target system
Explore various Nmap options for TCP and UDP scans, service versioning, OS discovery, and more.
This comprehensive guide equips you with powerful tools and techniques for both passive and active information gathering. Tailor your approach based on your specific objectives and target environment.
Check out: Footprinting and Scanning | eJPT