Tools

Passive Recon

nslookup

  • nslookup <domain>

host

  • host <domain>

dnsrecon

  • dnsrecon -d <domain>

whois

  • whois <domain/ip>

whatweb

  • whatweb <domain>

wafw00f

  • wafw00f <domain>

httrack

  • install on Kali with apt-get install webhttrack, then run it from the application menu

sublist3r

  • sublist3r -d <domain> -e google,yahoo

theHarvester

  • theHarvester -d <domain/companyname> -b <source>

Leaked Passwords

  • builtwith

  • wappalyzer

  • google dorks -> GHDB

  • waybackmachine

Active Recon

nmap

  • nmap -sn <ip>/<subnet> (host discovery)

  • sudo nmap -sS -T4 -p- -A <ip address>

dnsenum

  • dnsenum <domain>

dig

  • dig axfr @<NS-Server> <domain-name> (zone transfer)

netdiscover

  • netdiscover -i <interface> -r <ip>/<subnet>
