Basic Information Gathering

Cheatsheet for external web application information gathering

WHOIS

Command Description
export TARGET="domain.tld" Assign target to an environment variable.
whois $TARGET WHOIS lookup for the target.
whois -h whois.arin.net "n + $TARGET" WHOIS lookup focusing on network information.
amass intel -whois -d $TARGET WHOIS data using Amass tool.
whois -h whois.radb.net -- '-i origin AS15169' List the route objects (announced prefixes) registered for an ASN in the RADb IRR (example: Google's AS15169).
curl -s https://ipinfo.io/$IP Quick lookup of an IP address ($IP must be set) including organisation, ASN and location.

DNS Enumeration

Command Description
nslookup $TARGET Identify the A record for the target domain.
nslookup -query=A $TARGET Identify the A record for the target domain.
dig $TARGET @<nameserver/IP> Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP> Identify the A record for the target domain.
nslookup -query=PTR <IP> Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP> Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGET Identify ANY records for the target domain.
dig any $TARGET @<nameserver/IP> Identify ANY records for the target domain.
nslookup -query=TXT $TARGET Identify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP> Identify the TXT records for the target domain.
nslookup -query=MX $TARGET Identify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP> Identify the MX records for the target domain.
nslookup -query=NS $TARGET Identify the NS records for the target domain.
dig ns $TARGET @<nameserver/IP> Identify the NS records for the target domain.
nslookup -query=CNAME $TARGET Identify the CNAME records for the target domain.
dig cname $TARGET @<nameserver/IP> Identify the CNAME records for the target domain.
nslookup -query=SOA $TARGET Identify the SOA records for the target domain.
dig soa $TARGET @<nameserver/IP> Identify the SOA records for the target domain.
host -t DNSKEY $TARGET Check for DNSSEC records.
dig +short DNSKEY $TARGET Check for DNSSEC records in short format.
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o output.xml -v $TARGET Comprehensive DNS enumeration with DNSenum.
dnsrecon -d $TARGET -D /path/to/wordlist.txt -t std --xml output.xml DNS reconnaissance with DNSrecon.

DNS Techniques

Command Description
fierce --domain $TARGET Aggressive DNS enumeration: brute-forces subdomains and scans nearby IP space (older fierce releases take -dns $TARGET instead).
massdns -r /path/to/resolvers.txt -t A -o S -w results.txt domains.txt Fast DNS resolver for bulk lookups.
subfinder -d $TARGET -v Discover valid subdomains using passive online sources.
dnstwist --registered $TARGET Find look-alike domains for typosquatting and phishing detection.
amass enum -passive -d $TARGET -o out.txt Passive DNS enumeration with Amass.
amass enum -active -d $TARGET -p 80,443,8080 -o out.txt Active DNS enumeration with Amass including port scanning.

Passive Subdomain Enumeration

Resource/Command Description
VirusTotal https://www.virustotal.com/gui/home/url
Censys https://censys.io/
Crt.sh https://crt.sh/
Shodan https://www.shodan.io/
SecurityTrails https://securitytrails.com/
Spyse https://spyse.com/
Sublist3r -d $TARGET -o sublister_output.txt Enumerate subdomains using OSINT techniques.
curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u All subdomains for a given domain.
curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u All TLDs found for a given domain.
curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u All results across all TLDs for a given domain.
curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u Reverse DNS lookup on IP address.
curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u Reverse DNS lookup of a CIDR range.
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u Certificate Transparency.
curl -s "https://api.hackertarget.com/hostsearch/?q=${TARGET}" | cut -d',' -f1 HackerTarget API subdomain lookup.
curl -s "https://riddler.io/search/exportcsv?q=pld:${TARGET}" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" Riddler.io subdomain search.
cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done Search for subdomains, hosts and e-mail addresses on every data source listed in sources.txt (one theHarvester source name per line).
python3 cloudflair.py $TARGET Discover origin servers behind Cloudflare by matching the site's certificate against Censys data (the domain is a positional argument; Censys API credentials are required).
assetfinder --subs-only $TARGET Find domains and subdomains related to a given domain.
subfinder -d $TARGET -all -silent | anew subdomains.txt Passive subdomain discovery tool using various sources.
findomain -t $TARGET -q Another subdomain enumeration tool with multiple sources.
amass enum -passive -d $TARGET -o amass_passive.txt Passive reconnaissance with Amass.

Certificate Transparency Techniques

Command Description
python3 ct-exposer.py -d $TARGET Find subdomains using certificate transparency logs.
certgraph $TARGET | tee certgraph_output.txt Map TLS certificates to find related domains.
openssl s_client -servername $TARGET -connect ${TARGET}:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS: Extract Subject Alternative Names from the TLS certificate (-servername sends SNI, so a shared host returns the certificate for $TARGET rather than its default one).
echo | openssl s_client -servername $TARGET -connect ${TARGET}:443 2>/dev/null | openssl x509 -noout -dates Check certificate validity period.
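The crt.sh query above depends on jq and prints raw name_value fields, which are newline-joined SAN lists that also carry wildcard entries, mixed case and out-of-scope names from certificates that merely mention the target. The shell function below is an added example, not part of the original cheatsheet, that normalises the raw JSON with awk alone and keeps only names under the queried domain; the domain target.tld and the sample crt.sh records it runs on are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of crt.sh JSON output for the made-up domain target.tld.
# Real crt.sh output escapes newlines inside name_value as the two characters \n.
CRTSH_SAMPLE='[{"issuer_name":"C=US, O=Example CA","common_name":"www.target.tld","name_value":"www.target.tld\ntarget.tld","id":1},{"issuer_name":"C=US, O=Example CA","common_name":"*.dev.target.tld","name_value":"*.dev.target.tld\nmail.target.tld","id":2},{"issuer_name":"C=US, O=Example CA","common_name":"Target-Other.Example","name_value":"target.tld.attacker.example\nAPI.Target.TLD","id":3}]'

# ct_names DOMAIN < crtsh.json
# Prints unique lowercase hostnames that are DOMAIN or end in ".DOMAIN":
#   - pulls every name_value and common_name field out of the raw JSON,
#   - splits the literal \n separators crt.sh uses inside name_value,
#   - strips wildcard prefixes (*.dev.target.tld -> dev.target.tld),
#   - drops names that only contain the domain as a substring
#     (target.tld.attacker.example is not in scope).
ct_names() {
  dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v dom="$dom" '
  {
    line = $0
    while (match(line, /"(name_value|common_name)":"[^"]*"/)) {
      field = substr(line, RSTART, RLENGTH)
      line = substr(line, RSTART + RLENGTH)
      sub(/^"[a-z_]*":"/, "", field)
      sub(/"$/, "", field)
      gsub(/\\n/, "\n", field)
      n = split(field, names, "\n")
      for (i = 1; i <= n; i++) {
        h = tolower(names[i])
        sub(/^\*\./, "", h)
        if (h == dom || substr(h, length(h) - length(dom)) == "." dom)
          print h
      }
    }
  }' | LC_ALL=C sort -u
}

# demo_ct_names: runs ct_names over the constructed sample.
demo_ct_names() {
  printf '%s' "$CRTSH_SAMPLE" | ct_names target.tld
}

# Live use (needs network), for example:
#   curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" | ct_names "$TARGET"
# The %25. prefix asks crt.sh for every name under the domain, not only the apex.
demo_ct_names
```

Against the sample the function returns api.target.tld, dev.target.tld, mail.target.tld, target.tld and www.target.tld, and discards the two names that belong to other zones. Feed the result to a resolver (dnsx, massdns) before scanning it, since CT logs also contain names that no longer resolve.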

sources.txt

Passive Infrastructure Identification

Resource/Command Description
Netcraft https://www.netcraft.com/
WayBackMachine http://web.archive.org/
WayBackURLs https://github.com/tomnomnom/waybackurls
BuiltWith https://builtwith.com/
DNS Dumpster https://dnsdumpster.com/
Shodan https://www.shodan.io/
Censys https://censys.io/
Hunter.io https://hunter.io/ - Find email addresses of company employees
waybackurls -dates https://$TARGET > waybackurls.txt Crawling URLs from a domain with the date it was obtained.
gau -subs $TARGET | grep -v -e .css -e .jpg -e .jpeg -e .png -e .gif -e .svg | sort -u > gau_output.txt Get all URLs from various sources.
curl -s "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | grep $TARGET Extract internal links from target website.
curl -s "https://api.hackertarget.com/httpheaders/?q=https://$TARGET" Show HTTP headers of the target website.
python3 cloudrecon.py -d $TARGET --asn Get ASN information for cloud providers.
grep "aws\|amazon\|S3\|s3" jsfiles.txt Search for S3 buckets in JavaScript files.
cloud_enum -k $TARGET -t 10 Enumerate public resources (storage buckets, app endpoints) in AWS, Azure and GCP whose names contain the keyword (-t takes a thread count).
shodan domain $TARGET > shodan_domain.txt Get Shodan information for domain.
shodan search "hostname:$TARGET http.title:admin" Find admin panels using Shodan.
amass intel -org "$COMPANY_NAME" Discover ASN and netblocks for an organization.

IP & ASN Reconnaissance

Command Description
amass intel -d $TARGET -whois Use whois to find related domains.
amass intel -asn $ASN Find domains for a specific ASN.
amass intel -cidr $CIDR -p 80,443,8080 Find domains within a CIDR range.
bgp.he.net Border Gateway Protocol and ASN lookup.
asnlookup -o $COMPANY_NAME Find ASNs belonging to a specific organization.
echo "$ASN" | metabigor net --asn Get IP ranges for a specific ASN (metabigor reads the ASN from stdin).
curl -s "https://api.bgpview.io/asn/$ASN/prefixes" | jq -r '.data.ipv4_prefixes[].prefix' > cidr.txt Get IPv4 CIDR blocks from an ASN ($ASN is the bare number, e.g. 15169).
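The bgpview query above turns an ASN into a list of CIDR prefixes, and the virtual host correlation step further down needs to decide which resolved hosts actually sit inside those prefixes. The POSIX shell functions below are an added example, not from the original cheatsheet, that do that membership check with plain shell arithmetic so a "hostname ip" list can be scoped against an organisation's prefixes offline; the hostnames are made up and the IPs and CIDRs are taken from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
  _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NETWORK/BITS -> exit status 0 when IP lies inside the prefix
ip_in_cidr() {
  _ip=$(ip2int "$1")
  _net=$(ip2int "${2%/*}")
  _bits=${2#*/}
  # Build the netmask; the trailing & keeps it inside 32 bits on 64-bit shells.
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# in_scope CIDR_FILE < resolved.txt
# stdin lines are "hostname ip"; prints "hostname ip matching_cidr" for hosts
# inside any prefix in CIDR_FILE and silently drops the rest (third-party
# hosting, CDNs, parked names), so downstream scans stay inside scope.
in_scope() {
  while read -r host ip; do
    [ -n "$ip" ] || continue
    while read -r cidr; do
      [ -n "$cidr" ] || continue
      if ip_in_cidr "$ip" "$cidr"; then
        printf '%s %s %s\n' "$host" "$ip" "$cidr"
        break
      fi
    done < "$1"
  done
}

# demo_in_scope: constructed prefixes and resolutions (RFC 5737 documentation
# ranges, made-up hostnames). Only two of the four hosts fall inside scope:
# 198.51.100.70 is outside the /26 and 192.0.2.77 is in no listed prefix.
demo_in_scope() {
  _cidrs=$(mktemp)
  printf '203.0.113.0/24\n198.51.100.0/26\n' > "$_cidrs"
  printf '%s\n' \
    'www.target.tld 203.0.113.10' \
    'cdn.target.tld 192.0.2.77' \
    'mail.target.tld 198.51.100.70' \
    'api.target.tld 198.51.100.5' | in_scope "$_cidrs"
  rm -f "$_cidrs"
}

# Live use (needs network):
#   curl -s "https://api.bgpview.io/asn/${ASN}/prefixes" \
#     | jq -r '.data.ipv4_prefixes[].prefix' > cidrs.txt
#   while read -r h; do printf '%s %s\n' "$h" "$(dig +short A "$h" | tail -n 1)"; done \
#     < subdomains.txt | in_scope cidrs.txt
demo_in_scope
```

The mask is built by shifting 0xFFFFFFFF left and masking back to 32 bits, which also makes a /0 prefix match everything rather than overflow. Hosts that fall outside the listed prefixes are exactly the ones to look at separately: they are usually a CDN, a SaaS vendor or a stale DNS record, and none of those belong in a scan of the organisation's own network.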

Active Infrastructure Identification

Resource/Command Description
curl -I "http://${TARGET}" Display HTTP headers of the target webserver.
whatweb -a https://$TARGET -v Technology identification.
Wappalyzer https://www.wappalyzer.com/
wafw00f -v https://$TARGET WAF Fingerprinting.
Aquatone https://github.com/michenriksen/aquatone
httpx -l subdomains.txt -title -tech-detect -status-code -follow-redirects Probe for HTTP servers and detect technologies.
cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000 Makes screenshots of all subdomains in the subdomain.list.
nmap -sS -p 80,443 $TARGET TCP SYN scan on common web ports.
nmap -sV --script=banner -p 80,443,8080,8443 $TARGET Service version detection with banner grabbing.
nmap -sV --script=http-headers -p 80,443,8080,8443 $TARGET Inspect HTTP headers for information leaks.
nmap -sV --script=http-enum -p 80,443,8080,8443 $TARGET Directory enumeration of web servers.
nuclei -u https://$TARGET -t nuclei-templates/technologies/ Scan for known technologies using nuclei templates.
nuclei -u https://$TARGET -t nuclei-templates/exposures/ Scan for sensitive exposure using nuclei templates.
eyewitness -f subdomains.txt --web Take screenshots of web servers from a list of targets.
python3 cmseek.py -u https://$TARGET Detect CMS and version.
python3 webtech.py -u https://$TARGET Identify web technologies, frameworks and CMS.

Network Scanning and Fingerprinting

Command Description
masscan -p1-65535 --rate=5000 $IP -oL masscan.txt Fast port scanning with masscan.
sudo nmap -sT -A -Pn -p- --min-rate=1000 -oA nmap_full $IP Full TCP port scan with service detection.
sudo nmap -sU -A --top-ports=20 -oA nmap_udp $IP UDP scan for top 20 UDP ports.
sudo nmap -sV -p 443 --script=ssl-enum-ciphers $TARGET Enumerate SSL/TLS cipher suites.
nmap --script vuln -p 80,443,8080 $TARGET Check for known vulnerabilities with NSE scripts.
nmap -sV --script http-methods --script-args http-methods.test=all $TARGET Enumerate supported HTTP methods.
nmap -p 443 --script ssl-heartbleed $TARGET Check for Heartbleed vulnerability.

Active Subdomain Enumeration

Resource/Command Description
HackerTarget https://hackertarget.com/zone-transfer/
SecLists https://github.com/danielmiessler/SecLists
nslookup -query=AXFR $TARGET nameserver.target.domain Zone transfer using nslookup against the target domain and one of its nameservers.
dig AXFR @nameserver.target.domain $TARGET Zone Transfer using dig.
fierce --domain $TARGET Fierce DNS enumeration tool (older releases take -dns $TARGET).
gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt" Bruteforcing subdomains.
wfuzz -c -w /path/to/wordlist -u "https://$TARGET" -H "Host: FUZZ.$TARGET" --hw 290 Discover subdomains based on response differences.
amass enum -brute -w /path/to/wordlist -d $TARGET Automated subdomain enumeration with bruteforcing.
puredns bruteforce /path/to/wordlist $TARGET -r /path/to/resolvers.txt Fast DNS subdomain bruteforcer with wildcard support.
altdns -i subdomains.txt -o altdns_output.txt -w /path/to/words.txt Generate permutations of subdomains.
aiodnsbrute -w /path/to/wordlist -t 100 -o json -f output.json $TARGET Asynchronous DNS bruteforcing (-o selects the output format, csv or json; -f names the output file).
shuffledns -d $TARGET -w /path/to/wordlist -r /path/to/resolvers.txt Wrapper around massdns for bruteforcing.

Zone Transfer Techniques

Command Description
host -l $TARGET ns1.$TARGET Zone transfer with host command.
dnsrecon -d $TARGET -t axfr Check all name servers for zone transfers.
nmap --script=dns-zone-transfer --script-args dns-zone-transfer.domain=$TARGET -p 53 ns1.$TARGET Zone transfer with the nmap NSE script, with the zone to request passed explicitly.
dnsenum --dnsserver ns1.$TARGET --enum -p 0 -s 0 -o output.xml -v $TARGET DNS enumeration with zone transfer attempt.

Virtual Hosts

Resource/Command Description
curl -s http://192.168.10.10 -H "Host: randomtarget.com" Changing the HOST HTTP header to request a specific domain.
cat ./vhosts.list | while read vhost; do printf '\n********\nFUZZING: %s\n********\n' "${vhost}"; curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: "; done Bruteforcing for possible virtual hosts on the target domain; a Content-Length that differs from the default response marks a candidate.
ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612 Bruteforcing for possible virtual hosts on the target domain using ffuf; -fs hides responses of the default (non-matching) size, here 612 bytes.
gobuster vhost -u https://$TARGET -w /path/to/vhost_wordlist.txt -k -t 50 Discover virtual hosts with gobuster.
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc 404 -u https://$TARGET -H "Host: FUZZ.$TARGET" Find virtual hosts with wfuzz.
nmap -p 80 --script http-vhosts -oA vhosts $TARGET Enumerate virtual hosts with nmap.
vhostfinder -t https://$TARGET -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt Tool for discovering vhosts.

Virtual Host Correlation

Command Description
awk -F, '{print $1","$3}' domains.csv | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' Extract domain and IP from CSV file.
for vhost in $(cat vhosts.txt); do host $vhost; done | grep "has address" | grep $IP Find vhosts that resolve to the same IP.
dig +short -x $IP Reverse DNS lookup.
cat /etc/hosts | grep -v '^#' | grep -v '^$' View local hosts file entries.

Crawling and Content Discovery

Resource/Command Description
ZAP https://www.zaproxy.org/
Burp Suite Spider Commercial web vulnerability scanner with crawling capabilities.
gospider -s "https://$TARGET" -o output -c 10 -d 5 Fast web spider written in Go.
echo "https://$TARGET" | hakrawler -d 3 Simple crawler designed for easy tool chaining (current releases read URLs from stdin; older ones took -url, -depth and -plain).
katana -u https://$TARGET -jc -o crawled.txt Fast crawler with smart navigation and web technologies parsing.
ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt Discovering files and folders that cannot be spotted by browsing the website.
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS Mutated bruteforcing against the target web server.
gobuster dir -u https://$TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_results.txt Directory enumeration with gobuster.
dirb https://$TARGET /usr/share/dirb/wordlists/common.txt -o dirb_results.txt Discover directories using dirb.
dirsearch -u https://$TARGET -e php,asp,aspx,jsp,html,zip,jar -t 20 Advanced web path scanner.
feroxbuster -u https://$TARGET -x php,html,js,txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt Fast and comprehensive content discovery tool.
nikto -h https://$TARGET -output nikto_$TARGET.html Web server scanner that checks for vulnerabilities and misconfigurations.

Advanced Content Discovery

Command Description
python3 paramspider.py -d $TARGET --level high -o params.txt Find URL parameters for web applications.
python3 linkfinder.py -i https://$TARGET -d -o cli Discover endpoints and their parameters in JavaScript files.
python3 secretfinder.py -i https://$TARGET/main.js -o cli Find sensitive data like API keys and passwords in JavaScript files.
gau $TARGET | grep -E "\.js$" | httpx -silent | anew js_urls.txt Find JavaScript files from various sources.
python3 xnLinkFinder.py -i https://$TARGET -sf js -d 3 -o links.txt Extract endpoints from JavaScript files.
nuclei -u https://$TARGET -t nuclei-templates/exposures/ -o nuclei_exposures.txt Scan using nuclei templates for exposures.
gf xss params.txt | anew xss_params.txt Keep URLs whose parameter names match the gf "xss" pattern (candidates worth testing, not confirmed vulnerabilities).

Information Consolidation and Reporting

Command Description
recon-ng Full-featured reconnaissance framework with many modules.
python3 osmedeus.py -t $TARGET Automated offensive security framework for reconnaissance.
reconftw -d $TARGET -a Automate the entire reconnaissance process.
python3 photon.py -u https://$TARGET -o output_dir -t 10 Fast crawler designed for OSINT with data extraction capabilities.
sudo nmap -A $TARGET -oA nmap_output Output scan results in all formats for documentation.
jq -r .host.name[0].name recon_output.json Process and extract specific information from JSON output.
python3 -m http.server 8000 Start a web server to share files and reports.
grep -r "password\|key\|secret\|credential" --include="*.js" . Search for sensitive information in discovered files.
git-secrets --scan Scan for secrets accidentally committed to git repositories.

Integration with Other Tools

Command Description
trufflehog git https://github.com/user/repo Scan a git repository's history for secrets (TruffleHog v3 syntax; the legacy Python script was python3 truffleHog.py --regex --entropy=True <repo-url>).
python3 striker.py $TARGET Comprehensive recon and vulnerability scanner.
nuclei -l subdomains.txt -t nuclei-templates/ -o nuclei_results.txt Scan all discovered subdomains with nuclei.
shodan download "${TARGET}_results" "org:\"$COMPANY_NAME\"" Download all Shodan results for an organisation into ${TARGET}_results.json.gz (the braces are required, since $TARGET_results would expand an unrelated variable, and org: expects the organisation name rather than a domain).
python3 threader.py -t 20 input.txt wget Run commands in parallel on a list of targets.
interlace -tL targets.txt -cL commands.txt -threads 10 -o output_dir Run commands against multiple targets efficiently.
******
Written by Shain Lakin on 06 July 2022