Active Reconnaissance:
Goal: Direct interaction with the target to gather detailed information.
Tools: Nmap (port scanning, OS fingerprinting), Nessus (vulnerability scanning), Burp Suite (web spidering), Netcat (banner grabbing).
Passive Reconnaissance:
Goal: Gathering publicly available information without direct interaction with the target.
Tools: Google (search queries), Shodan, WHOIS (domain info), dig/nslookup (DNS analysis), Wayback Machine (web archive), LinkedIn (social media), OSINT, GitHub (code repositories).
WHOIS:
whois inlanefreight.com
DNS:
hosts file:
Maps hostnames to IP addresses locally, bypassing DNS for name resolution. Located in /etc/hosts.
Zone:
The part of the DNS namespace covering a domain and its subdomains, managed as one unit.
Zone File:
Defines the resource records for a domain (zone), specifying details like IP addresses, mail servers, name servers, etc.
DNS tools (tool: key features. Use cases):
dig: Versatile, supports multiple query types and detailed output. Use cases: DNS queries, troubleshooting, zone transfers.
nslookup: Simpler, mainly for A, AAAA, MX records. Use cases: basic DNS checks and mail server queries.
host: Quick, concise DNS lookup tool. Use cases: fast checks of A, AAAA, and MX records.
dnsenum: Automated DNS enumeration, supports brute-forcing. Use cases: subdomain discovery and DNS info gathering.
fierce: DNS reconnaissance and subdomain enumeration. Use cases: identifying subdomains and targets.
dnsrecon: Multiple DNS techniques, various output formats. Use cases: comprehensive DNS enumeration and analysis.
theHarvester: Gathers OSINT, including DNS and email data. Use cases: collecting emails and domain-related info.
Online DNS Services: User-friendly DNS lookup interfaces. Use cases: quick DNS lookups without command-line tools.
dig commands:
dig domain.com -> Performs a default A record lookup.
dig domain.com A -> Gets the IPv4 address (A record) for the domain.
dig domain.com AAAA -> Gets the IPv6 address (AAAA record) for the domain.
dig domain.com MX -> Finds the mail servers (MX records) for the domain.
dig domain.com NS -> Shows the authoritative name servers for the domain.
dig domain.com TXT -> Retrieves any TXT records for the domain.
dig domain.com CNAME -> Gets the CNAME (alias) record for the domain.
dig domain.com SOA -> Retrieves the SOA (start of authority) record for the domain.
dig @1.1.1.1 domain.com -> Queries a specific name server (e.g., 1.1.1.1).
dig +trace domain.com -> Shows the DNS lookup path from the root servers down to the domain.
dig -x 192.168.1.1 -> Performs a reverse lookup to find the domain name for an IP address.
dig +short domain.com -> Provides a simple, short answer to the query.
dig +noall +answer domain.com -> Shows only the answer section of the query.
dig domain.com ANY -> Retrieves all DNS records for the domain (often ignored or refused by servers).
Subdomain bruteforcing:
dnsenum: Tool for subdomain discovery with dictionary and brute-force support.
fierce: Easy tool for recursive subdomain discovery and wildcard detection.
dnsrecon: Versatile tool with multiple DNS techniques and customizable output.
amass: Actively maintained tool for subdomain discovery with broad data sources.
assetfinder: Simple, fast tool for quick subdomain scans.
puredns: Flexible DNS brute-forcing tool with result filtering.
dnsenum --enum target.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r
-> -f gives the wordlist used for brute-forcing, -r recurses into the subdomains it discovers.
Zone transfer:
A DNS zone transfer (AXFR) copies the DNS records of a zone between name servers for consistency and redundancy. If the server accepts AXFR requests from any client instead of only its secondaries, an unauthorized party can download the whole zone, exposing subdomains and sensitive DNS data.
dig axfr @nsztm1.digi.ninja zonetransfer.me
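Added example (not part of the original notes): a small parser for the record lines `dig axfr` prints, run over a constructed sample zone, that lists the hostnames an open zone transfer hands out and flags A records pointing at RFC 1918 addresses, so an operator can see what their own primary would leak if AXFR were left open. The zone contents and name servers are made up for the example.

```python
import ipaddress

# Constructed sample in the format `dig axfr @<ns> <zone>` prints: owner, TTL, class, type, rdata.
# A real transfer starts and ends with the zone's SOA record, as shown here.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
example.com.             3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
example.com.             3600 IN NS    ns1.example.com.
example.com.             3600 IN MX    10 mail.example.com.
www.example.com.          300 IN A     203.0.113.10
mail.example.com.         300 IN A     203.0.113.25
intranet.example.com.     300 IN A     10.0.5.12
vpn.example.com.          300 IN A     192.168.10.1
jenkins.example.com.      300 IN CNAME ci.internal.example.com.
ci.internal.example.com.  300 IN A     10.0.5.40
example.com.             3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
;; Query time: 12 msec
"""

# RFC 1918 ranges: a public zone with A records in these ranges reveals internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (owner, type, rdata) tuples for every resource record in dig axfr output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip dig's ';' comment lines and anything not shaped '<owner> <ttl> IN <type> <rdata>'.
        if not parts or parts[0].startswith(";") or len(parts) < 5 or parts[2] != "IN":
            continue
        owner = parts[0].rstrip(".").lower()
        records.append((owner, parts[3], " ".join(parts[4:])))
    return records


def triage_zone(text):
    """Summarise what an unauthenticated AXFR of this zone would expose."""
    records = parse_axfr(text)
    hosts = sorted({owner for owner, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    internal = sorted({owner for owner, rtype, rdata in records
                       if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)})
    return {"records": len(records), "hosts": hosts, "internal_hosts": internal}


if __name__ == "__main__":
    summary = triage_zone(SAMPLE_AXFR)
    print(f"{summary['records']} records, {len(summary['hosts'])} hostnames exposed")
    for owner in summary["internal_hosts"]:
        print("internal address published for:", owner)
```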
Virtual Hosts:
Virtual hosts allow multiple websites to be hosted on one server; the web server selects the site based on the Host header of each request.
Difference between subdomains and virtual hosts:
Subdomain: a second-level domain that is part of a larger domain and is resolved through DNS.
Virtual Host: an Internet hosting service that allows organizations to host several websites on a single server, selected by the web server configuration rather than by DNS.
Virtual Host Discovery Tools:
Gobuster: Multi-purpose tool for directory/file brute-forcing and virtual host discovery. Fast, supports multiple HTTP methods, can use custom wordlists.
Feroxbuster: Rust-based tool similar to Gobuster, known for speed and flexibility. Supports recursion, wildcard detection, and advanced filtering.
ffuf: Fast web fuzzer, effective for virtual host discovery via Host header fuzzing. Highly customizable, supports wordlists, filtering, and multiple fuzz modes.
gobuster:
gobuster vhost -u http://<target_IP_address> -w <wordlist_file> --append-domain
ex: gobuster vhost -u http://target.com:53906 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
-> -t increases the number of threads for faster scanning.
-> -k ignores SSL/TLS certificate errors.
-> -o saves the output to a file.
Searching CT Logs:
crt.sh: User-friendly web interface, simple search by domain, displays certificate details and SAN entries. Use cases: quick and easy searches, identifying subdomains, checking certificate issuance history. Pros: free, easy to use, no registration required. Cons: limited filtering and analysis options.
Censys: Powerful search engine for internet-connected devices, advanced filtering by domain, IP, certificate attributes. Use cases: in-depth analysis of certificates, identifying misconfigurations, finding related certificates and hosts. Pros: extensive data and filtering options, API access. Cons: requires registration (free tier available).
crt.sh lookup:
curl -s "https://crt.sh/?q=domain.com&output=json" | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
-> finds subdomains containing "dev" in domain.com
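Added example (not from the original notes): the same crt.sh filtering done in Python on a constructed sample of the JSON crt.sh returns. It handles two things the one-line jq filter above glosses over: a single name_value holds every SAN on a certificate, joined with newlines, and a substring match on "dev" also catches names that are not under your domain at all. The certificates and names in the sample are made up.

```python
import json

# Constructed sample of the JSON https://crt.sh/?q=example.com&output=json returns
# (trimmed to the two fields used here). crt.sh joins all names on one certificate into a
# single name_value separated by newlines, so the field must be split before filtering.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com\nwww.dev.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "DEVOPS.EXAMPLE.COM"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com.example.net"},   # contains "dev" but is not under example.com
])


def crtsh_hostnames(raw_json, domain, needle=None):
    """Return the sorted, de-duplicated hostnames under `domain` found in crt.sh JSON output.

    Wildcard entries such as *.staging.example.com are kept verbatim, since a wildcard
    certificate is itself useful information. `needle` optionally keeps only names
    containing that substring (the equivalent of the jq contains("dev") filter).
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            # Match on the domain suffix, not on a substring: dev.example.com.example.net
            # must not be mistaken for a host in example.com.
            if name != domain and not name.endswith("." + domain):
                continue
            if needle is None or needle.lower() in name:
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in crtsh_hostnames(SAMPLE_CRTSH_JSON, "example.com", needle="dev"):
        print(host)
```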
Fingerprinting:
Techniques:
Banner grabbing, analysing HTTP headers, probing for specific responses, analysing page content, ...
Wappalyzer: Browser extension for website tech profiling. Identifies CMSs, frameworks, analytics, and more.
BuiltWith: Web tech profiler with detailed reports. Free and paid plans with varying detail levels.
WhatWeb: Command-line website fingerprinting tool. Uses a database of signatures to identify web technologies.
Nmap: Network scanner for service and OS fingerprinting. Supports NSE scripts for specialized fingerprinting.
Netcraft: Web security service with tech and security reports. Provides details on tech stack, hosting, and security posture.
wafw00f: Command-line tool for identifying WAFs. Detects WAF presence and details its type and config.
Banner Grabbing:
curl -I target.com
-> the -I flag (or --head) fetches only the HTTP headers.
Note:
Banner grabbing on variations like target.com, www.target.com, and https://www.target.com may yield different results due to different server configurations. Test multiple versions for better coverage.
Wafw00f:
wafw00f target.com
-> detects the presence of a WAF and, where possible, its type.
Nikto:
nikto -h inlanefreight.com -Tuning b
-> the -Tuning b flag tells Nikto to only run the Software Identification modules.
Crawling:
robots.txt
A file that instructs web crawlers which pages or sections of a site to crawl or avoid.
.well-known
A directory used for standardized files that provide information about a server or service, often for security or configuration purposes.
Well-Known URIs
security.txt: Contains contact info for security researchers (Permanent, RFC 9116)
/.well-known/change-password: Standard URL for password change page (Provisional)
openid-configuration: Configuration details for OpenID Connect (Permanent, RFC 7591)
assetlinks.json: Verifies digital asset ownership (Permanent, RFC 8030)
mta-sts.txt: Policy for MTA-STS email security (Permanent, RFC 8461)
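Added example (not part of the original notes): a checker for the security.txt file listed above, applied to two constructed samples. It parses the "Field: value" lines and reports the RFC 9116 requirements a reviewer would look for when auditing their own /.well-known/security.txt: at least one Contact that is a URI, exactly one Expires that lies in the future, and Preferred-Languages at most once.

```python
from datetime import datetime, timezone

# Constructed sample of a well-formed /.well-known/security.txt.
GOOD_SECURITY_TXT = """\
# Security contact details for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample carrying the defects the checker should report.
BAD_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
Policy: https://example.com/disclosure-policy
"""

# RFC 9116: these fields must not appear more than once.
SINGLE_ONLY = ("expires", "preferred-languages")


def parse_security_txt(text):
    """Map lower-cased field names to the list of values seen, in file order."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a 'Field: value' line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of RFC 9116 problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing required Contact field")
    for value in fields.get("contact", []):
        if not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto/https/tel URI: {value}")
    for name in SINGLE_ONLY:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")
    if "expires" not in fields:
        problems.append("missing required Expires field")
    else:
        try:  # ISO 8601 timestamp; the 'Z' suffix is rewritten for older fromisoformat()
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            expires = expires if expires.tzinfo else expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append(f"Expires is in the past ({expires.isoformat()})")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {fields['expires'][0]}")
    return problems
```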
Popular Web Crawlers:
Burp Suite Spider: Active crawler for mapping web apps and uncovering vulnerabilities.
OWASP ZAP: Free, open-source security scanner with a spider for crawling and vulnerability detection.
Scrapy: Python framework for custom web crawlers, great for extracting structured data (e.g. ReconSpider is built on it).
Apache Nutch: Scalable, open-source Java crawler for large-scale web or domain crawls.
Search Engine Discovery / OSINT:
Search Operators (operator: description. Example -> what it finds):
site: Limits results to a specific website or domain. Example: site:example.com -> find all publicly accessible pages on example.com.
inurl: Finds pages with a specific term in the URL. Example: inurl:login -> search for login pages on any website.
filetype: Searches for files of a particular type. Example: filetype:pdf -> find downloadable PDF documents.
intitle: Finds pages with a specific term in the title. Example: intitle:"confidential report" -> look for documents titled "confidential report" or similar variations.
intext: or inbody: Searches for a term within the body text of pages. Example: intext:"password reset" -> identify webpages containing the term "password reset".
cache: Displays the cached version of a webpage (if available). Example: cache:example.com -> view the cached version of example.com to see its previous content.
link: Finds pages that link to a specific webpage. Example: link:example.com -> identify websites linking to example.com.
related: Finds websites related to a specific webpage. Example: related:example.com -> discover websites similar to example.com.
info: Provides a summary of information about a webpage. Example: info:example.com -> get basic details about example.com, such as its title and description.
define: Provides definitions of a word or phrase. Example: define:phishing -> get a definition of "phishing" from various sources.
numrange: Searches for numbers within a specific range. Example: site:example.com numrange:1000-2000 -> find pages on example.com containing numbers between 1000 and 2000.
allintext: Finds pages containing all specified words in the body text. Example: allintext:admin password reset -> search for pages containing both "admin" and "password reset" in the body text.
allinurl: Finds pages containing all specified words in the URL. Example: allinurl:admin panel -> look for pages with "admin" and "panel" in the URL.
allintitle: Finds pages containing all specified words in the title. Example: allintitle:confidential report 2023 -> search for pages with "confidential," "report," and "2023" in the title.
AND: Narrows results by requiring all terms to be present. Example: site:example.com AND (inurl:admin OR inurl:login) -> find admin or login pages specifically on example.com.
OR: Broadens results by including pages with any of the terms. Example: "linux" OR "ubuntu" OR "debian" -> search for webpages mentioning Linux, Ubuntu, or Debian.
NOT: Excludes results containing the specified term. Example: site:bank.com NOT inurl:login -> find pages on bank.com excluding login pages.
* (wildcard): Represents any character or word. Example: site:socialnetwork.com filetype:pdf user* manual -> search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.
.. (range search): Finds results within a specified numerical range. Example: site:ecommerce.com "price" 100..500 -> look for products priced between 100 and 500 on an e-commerce website.
" " (quotation marks): Searches for exact phrases. Example: "information security policy" -> find documents mentioning the exact phrase "information security policy".
- (minus sign): Excludes terms from the search results. Example: site:news.com -inurl:sports -> search for news articles on news.com excluding sports-related content.
Google Dorking:
Finding Login Pages:
site:example.com inurl:login
site:example.com (inurl:login OR inurl:admin)
Identifying Exposed Files:
site:example.com filetype:pdf
site:example.com (filetype:xls OR filetype:docx)
Uncovering Configuration Files:
site:example.com inurl:config.php
site:example.com (ext:conf OR ext:cnf) (searches for extensions commonly used for configuration files)
Locating Database Backups:
site:example.com inurl:backup
site:example.com filetype:sql
Web archives:
Web archives like the Wayback Machine store snapshots of websites over time, allowing users to access historical versions of web pages. In web pentesting they are valuable for discovering vulnerabilities and outdated configurations, and for identifying sensitive data that was exposed in previous versions of a site and may still be reachable.
Automating recon:
Reconnaissance Frameworks:
FinalRecon: Python tool for SSL, Whois, header analysis, and crawling.
Recon-ng: Python framework for DNS, subdomain discovery, and vulnerability exploitation.
theHarvester: Gathers emails, subdomains, and hosts from public sources.
SpiderFoot: OSINT tool for collecting IPs, domains, and social media data.
OSINT Framework: Collection of tools for open-source intelligence from various sources.
FinalRecon:
Options (option: description):
-h, --help: Show the help message and exit.
--url: Specify the target URL.
--headers: Retrieve header information for the target URL.
--sslinfo: Get SSL certificate information for the target URL.
--whois: Perform a Whois lookup for the target domain.
--crawl: Crawl the target website.
--dns: Perform DNS enumeration on the target domain.
--sub: Enumerate subdomains for the target domain.
--dir: Search for directories on the target website.
--wayback: Retrieve Wayback URLs for the target.
--ps: Perform a fast port scan on the target.
--full: Perform a full reconnaissance scan on the target.