Reconnaissance

00. Basic

https://docs.reconness.com/
https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap
https://www.xmind.net/m/5dypm8/#

01. Passive Recon

  • Manual

## ------------------| Get information about IPv4/IPv6 addresses and the mail server address.
whois h4rithd.com
host h4rithd.com
nslookup h4rithd.com
traceroute h4rithd.com

## ------------------| Enumerate DNS / NS information
dnsrecon -d h4rithd.com
dig h4rithd.com
dig h4rithd.com MX             ## List Mail server records  
dig h4rithd.com NS             ## List NameServer records
dig h4rithd.com ANY            ## List all records
dig @8.8.8.8 h4rithd.com ANY   ## Using google dns server

## ------------------| DNS Zone Transfer
dnsrecon -d h4rithd.com -t axfr

## ------------------| Check for a WAF
wafw00f h4rithd.com

## ------------------| Interesting Sites
https://dnsdumpster.com/
https://sitereport.netcraft.com/?url=h4rithd.com

## ------------------| Identify web technology
whatweb h4rithd.com

## ------------------| OSINT on domain
theHarvester -b crtsh,dnsdumpster,duckduckgo,google,hackertarget,linkedin,linkedin_links,twitter,trello -d dialog.com           

## ------------------| Subdomain enumeration
knockpy dialog.lk
sublist3r -d h4rithd.com
fierce --domain h4rithd.com 

## ------------------| Subdomain enumeration from Certificate Transparency
curl -s 'https://crt.sh/?q=h4rithd.com&output=json' | jq -r '.[] | .common_name, .name_value' | sort -u   ## name_value holds every SAN, newline-separated; jq -r expands the escaped newlines

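The crt.sh pipeline above works but is fragile: it relies on grep/cut over pretty-printed JSON and does not drop wildcard prefixes, normalise case, or filter out unrelated domains that happen to share a certificate. The following Python script is an added example (not the page's or any tool's own code) that parses the same JSON structure properly and, from a defender's side, diffs the result against a known asset inventory so that forgotten or unexpected hostnames stand out. The sample JSON, the domain `example.com`, the inventory set and the `fetch_crtsh` helper are all constructed for this example; only the field names `issuer_name`, `common_name` and `name_value` follow the real crt.sh output format.

```python
"""Parse crt.sh JSON output into a de-duplicated list of in-scope hostnames
and flag the ones missing from an asset inventory.

Added example, constructed for illustration; not the page's own tooling.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Iterable

# Constructed sample of what https://crt.sh/?q=<domain>&output=json returns.
# Field names mirror crt.sh; the values are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Dev.Example.COM ",          # odd casing / whitespace
     "name_value": "dev.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "notexample.com",            # shares a cert, out of scope
     "name_value": "notexample.com\nexample.com.evil.test"},
])

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def fetch_crtsh(domain: str, timeout: float = 30.0) -> str:
    """Download the live crt.sh JSON for a domain (needs network access;
    not exercised by the sample run below)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _candidate_names(records: list) -> Iterable[str]:
    """Yield every raw name from common_name and the newline-packed name_value."""
    for rec in records:
        for field in ("common_name", "name_value"):
            value = rec.get(field) or ""
            yield from value.split("\n")


def extract_hostnames(raw_json: str, domain: str) -> list:
    """Return sorted unique hostnames that are the domain or a subdomain of it."""
    domain = domain.strip().lower().rstrip(".")
    found = set()
    for name in _candidate_names(json.loads(raw_json)):
        host = name.strip().lower().rstrip(".")
        if host.startswith("*."):          # a wildcard cert covers the base name
            host = host[2:]
        if not HOSTNAME_RE.match(host):    # skip empty or malformed entries
            continue
        if host == domain or host.endswith("." + domain):
            found.add(host)
    return sorted(found)


def diff_against_inventory(hosts: Iterable[str], known: Iterable[str]) -> list:
    """Hostnames seen in CT logs that the inventory does not know about."""
    known_set = {h.strip().lower().rstrip(".") for h in known}
    return sorted(h for h in hosts if h not in known_set)


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(hosts))
    inventory = {"example.com", "www.example.com"}   # constructed inventory
    print("not in inventory:", diff_against_inventory(hosts, inventory))
```

Replace `SAMPLE_CRTSH_JSON` with `fetch_crtsh("yourdomain.tld")` to run it against live data; the domain filter is what keeps shared or SAN-heavy certificates from polluting the result with other organisations' hostnames.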
  • Automation

## ------------------| Sn1per
sudo sniper -t h4rithd.com
sudo sniper -t h4rithd.com -m stealth -o -re 

## ------------------| Amass
amass enum -d h4rithd.com -dir output
amass enum -d h4rithd.com -src -ip -brute -dir output ### Active scan
amass db -dir output -list     ### List all workspace
amass viz -dir output -d3      ### Create html report

## ------------------| Recon-ng
recon-ng
marketplace search            ### Search module
marketplace install <Module>  ### Install module
modules search                ### List installed modules
modules load <Module>         ### Load installed modules
options list                  ### List module options
options set SOURCE <domain>   ### Config modules