Tools
Passive Recon
nslookup
nslookup <domain>
host
host <domain>
dnsrecon
dnsrecon -d <domain>
whois
whois <domain/ip>
whatweb
whatweb <domain>
wafw00f
wafw00f <domain>
httrack
use kali app -> apt-get install webhttrack
sublist3r
sublist3r -d <domain> -e google,yahoo
theHarvester
theharvester -d <domain/companyname> -b <source>
Leaked Passwords
Extensions/Links
builtwith
wappalyzer
google dorks -> GHDB
waybackmachine
Active Recon
nmap
nmap -sn <ip>/<subnet> -> host discovery
sudo nmap -sS -T4 -p- -A <ip address>
dnsenum
dnsenum <domain>
dig
dig axfr @<NS-Server> <domain-name> -> zone transfer
netdiscover
netdiscover -i <interface> -r <ip/subnet>