Information Gathering Web Edition Module Cheat Sheet


INFORMATION GATHERING - WEB EDITION

CHEAT SHEET
WHOIS

Command Description

export TARGET="domain.tld" Assign target to an environment variable.

whois $TARGET WHOIS lookup for the target.

DNS Enumeration

Command Description

nslookup $TARGET Identify the A record for the target domain.

nslookup -query=A $TARGET Identify the A record for the target domain.

dig $TARGET @<nameserver/IP> Identify the A record for the target domain.

dig a $TARGET @<nameserver/IP> Identify the A record for the target domain.

nslookup -query=PTR <IP> Identify the PTR record for the target IP address.

dig -x <IP> @<nameserver/IP> Identify the PTR record for the target IP address.

nslookup -query=ANY $TARGET Identify ANY records for the target domain.

dig any $TARGET @<nameserver/IP> Identify ANY records for the target domain.

nslookup -query=TXT $TARGET Identify the TXT records for the target domain.

dig txt $TARGET @<nameserver/IP> Identify the TXT records for the target domain.

nslookup -query=MX $TARGET Identify the MX records for the target domain.

dig mx $TARGET @<nameserver/IP> Identify the MX records for the target domain.

Passive Subdomain Enumeration

Resource/Command Description

VirusTotal https://www.virustotal.com/gui/home/url

Censys https://censys.io/

Crt.sh https://crt.sh/

curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' | sort -u  All subdomains for a given domain.

curl -s https://sonar.omnisint.io/tlds/{domain} | jq -r '.[]' | sort -u  All TLDs found for a given domain.

curl -s https://sonar.omnisint.io/all/{domain} | jq -r '.[]' | sort -u  All results across all TLDs for a given domain.

curl -s https://sonar.omnisint.io/reverse/{ip} | jq -r '.[]' | sort -u  Reverse DNS lookup on IP address.

curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} | jq -r '.[]' | sort -u  Reverse DNS lookup of a CIDR range.

curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u  Certificate Transparency.
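The crt.sh one-liner above prints name_value and common_name raw, so wildcard entries, mixed case and multi-SAN certificates leak through unchanged. The following is an added example, not part of the module's cheat sheet: it parses a constructed crt.sh JSON response (function name crtsh_subdomains and the sample data are assumptions for illustration) and applies the clean-up the jq pipeline skips, so the list it returns is only hostnames under the target domain.

```python
import json

# Constructed sample shaped like crt.sh's ?q=<domain>&output=json output (not a real response).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.Example.com", "name_value": "MAIL.Example.com"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},            # duplicate entry
    {"common_name": "example.com.evil.net", "name_value": "example.com.evil.net"},  # not under target
])


def crtsh_subdomains(raw_json: str, target: str) -> list[str]:
    """Return sorted, unique hostnames under `target` from a crt.sh JSON response.

    Mirrors `jq -r '.[] | "\\(.name_value)\\n\\(.common_name)"' | sort -u` from the
    cheat sheet, plus what that one-liner does not do: name_value may carry several
    newline-separated SANs, wildcard entries start with "*.", crt.sh keeps the
    certificate's letter case, and lookalike names from other zones must be dropped.
    """
    target = target.lower().strip(".")
    names = set()
    for entry in json.loads(raw_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for name in candidates:
            # "*.dev.example.com" -> "dev.example.com"; normalise case and whitespace
            name = name.strip().lower().lstrip("*.")
            if not name:
                continue
            # keep the apex itself and anything that ends in ".<target>"
            if name == target or name.endswith("." + target):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in crtsh_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

To use it on live data, feed the body of `curl -s "https://crt.sh/?q=${TARGET}&output=json"` into crtsh_subdomains instead of the constructed sample.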

cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done  Searching for subdomains and other information on the sources provided in the sources.txt list.

Sources.txt

baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye

Passive Infrastructure Identification

Resource/Command Description

Netcraft https://www.netcraft.com/

WayBackMachine http://web.archive.org/

WayBackURLs https://github.com/tomnomnom/waybackurls

waybackurls -dates https://$TARGET > waybackurls.txt  Crawling URLs from a domain with the date each one was obtained.

Active Infrastructure Identification

Resource/Command Description

curl -I "http://${TARGET}"  Display HTTP headers of the target webserver.

whatweb -a https://www.facebook.com -v Technology identification.

Wappalyzer https://www.wappalyzer.com/

wafw00f -v https://$TARGET WAF Fingerprinting.

Aquatone https://github.com/michenriksen/aquatone
cat subdomain.list | aquatone -out ./aquatone -screenshot-timeout 1000  Makes screenshots of all subdomains in subdomain.list.

Active Subdomain Enumeration

Resource/Command Description

HackerTarget https://hackertarget.com/zone-transfer/

SecLists https://github.com/danielmiessler/SecLists

nslookup -type=any -query=AXFR $TARGET nameserver.target.domain  Zone transfer using nslookup against the target domain and its nameserver.

gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"  Bruteforcing subdomains.

Virtual Hosts

Resource/Command Description

curl -s http://192.168.10.10 -H "Host: randomtarget.com"  Changing the HOST HTTP header to request a specific domain.

cat ./vhosts.list | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done  Bruteforcing for possible virtual hosts on the target domain.

ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612  Bruteforcing for possible virtual hosts on the target domain using ffuf.

Crawling
Resource/Command Description

ZAP https://www.zaproxy.org/

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt  Discovering files and folders that cannot be spotted by browsing the website.

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS  Mutated bruteforcing against the target web server.
