Passive Recon Cheat Sheet by

Search Engines

Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex...
Search Terms
"company name" + password filetype:xls

Google Hacking Database www.exploit-db.com/google-hacking-database

Information of Interest

Geographical Locations (office locations...)
Company Overview (subsidiary companies, mergers...)
Employee Names & PII (contact information, emails, phone numbers...)
Business Partners & Vendors
Technology in Use (software, hardware...)

Online Sources

LinkedIn, Jigsaw, Facebook, Twitter, Google+, Seek, Blogs, Usenet

WayBack Machine
Search Engine Directory http://searchenginecolos
Zuula www.zu
DNSstuff www.dnsst

Password Dumps
site:pastebi "targetURL"

DNS Recon

DNS is a distributed database that resolves domain names to IP addresses.



Brute-force to identify new domain names associated with the target.
A zone transfer will provide hostnames & IPs of Internet-accessible systems. If the target does not segregate public (external) DNS information from private (internal) DNS information, it might disclose hostnames & IPs of internal devices.

A zone transfer request may trigger IDS / IPS alarms.

Vulnerable Services (e.g. FTP)
Misconfigured, unpatched servers (dbase.test.tar
Service records (SRV) provide information on service, transport, port, and order of importance for services.
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. This may impact phishing and other social engineering attacks.
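Added example (not part of the original cheat sheet): a small SPF record parser that reports, from the record text alone, whether a domain's policy is permissive enough for anyone to send mail as that domain, and whether it risks the RFC 7208 ten-lookup limit. The domains and records below are constructed, and `include:` targets are not fetched, so the lookup count is a lower bound.

```python
import re

# Constructed sample TXT records for fictitious domains (not taken from any real zone).
SAMPLE_SPF = {
    "strict.example":  "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "soft.example":    "v=spf1 a mx ~all",
    "open.example":    "v=spf1 +all",
    "neutral.example": "v=spf1 ip4:198.51.100.10 ?all",
    "noall.example":   "v=spf1 mx",
}

# qualifier (+ - ~ ?), mechanism name, optional ":value" or "/prefix"
MECHANISM_RE = re.compile(r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/](.*))?$")
# Mechanisms that cost a DNS lookup at evaluation time (RFC 7208 allows at most 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_RESULT = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str) -> dict:
    """Summarise how permissive an SPF record is from its text alone.

    'include' targets are not fetched, so the lookup count is a lower bound.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "reason": "missing v=spf1 version tag"}
    final, lookups = "neutral", 0          # no 'all' term means neutral for unlisted senders
    for term in terms[1:]:
        if "=" in term:                     # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                lookups += 1
            continue
        m = MECHANISM_RE.match(term.lower())
        if not m:
            return {"valid": False, "reason": "unparseable term %r" % term}
        qualifier, name, _ = m.groups()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            final = QUALIFIER_RESULT[qualifier]
    return {
        "valid": True,
        "final": final,                     # result for a sender not matched by any mechanism
        "lookups": lookups,
        "over_lookup_limit": lookups > 10,  # receivers return permerror above the limit
        "permissive": final in ("pass", "neutral"),  # arbitrary hosts may send as this domain
    }
```

A `~all` (softfail) record is reported as not permissive here, but without DMARC many receivers still deliver softfailed mail, so treat it as a weaker setting than `-all`.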



Social engineering
Identify locations for physical attacks
Identify phone numbers (war dialing attack...)
Recursive searches to locate other domains hosted on the same server
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors


May contain misconfigurations that leak data. https://en.wikipedia.org/wiki/IPv6

Old network controls (firewalls, IDS/IPS) may not detect IPv6 and hackers can use IPv6 tunnels to maintain covert communications with the network.

-4 target

Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute-force search based on a dictionary file.

dnsip ipv6address

Reverse DNS enumeration given an IPv6 address.


-d target



DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework (SPF), and the IP addresses in use.

-v target

Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers which are authoritative for the data.


Checks for internal network consistency and accuracy.

-dns target

Locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross validation.

Gathering Names & Email Addresses

-d target -b google

Uses search engines to find e-mail addresses, hosts, and subdomains.

Password Profiling

Common Passwords

Common User Password Profiler (CUPP) allows user-specific wordlist creation.
git clone https://github.com/Mebus/cupp.git

Website Password Profiling
-k -v target -w cewl-output.txt

Document Metadata

Company / person who owns the application used to create the document.
Document author & date / time of creation.
Date last printed / modified. Who made modifications.
Location on the network where the document was created.
Geo tags that identify where the image was created.

-d target -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html

Download a website's documents and extract usernames, software versions, paths, hostnames...
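Added example (not part of the original cheat sheet, and not code from metagoofil): a .docx is a zip archive whose `docProps/core.xml` part carries the author, last editor and timestamps listed above. The code below builds a constructed sample document, reads those fields the way a harvester would, and strips them before publication. Field names and the sample values are constructed; only the standard Office Open XML core-properties part and Python's standard library are used.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Core-properties elements that reveal people and timelines (see the list above).
FIELDS = {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified"}

def build_sample_docx() -> bytes:
    """Constructed minimal .docx (a zip with a core.xml part); not a real document."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            "<dc:creator>j.doe</dc:creator>"
            "<cp:lastModifiedBy>CORP\\a.smith</cp:lastModifiedBy>"
            "<dcterms:created>2023-04-01T09:12:00Z</dcterms:created>"
            "<dcterms:modified>2023-04-03T17:45:00Z</dcterms:modified>"
            "</cp:coreProperties>") % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")  # placeholder body part
    return buf.getvalue()

def extract_docx_metadata(data: bytes) -> dict:
    """Read docProps/core.xml the way a metadata harvester would."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {key: el.text for key, path in FIELDS.items()
            if (el := root.find(path, NS)) is not None and el.text}

def strip_docx_metadata(data: bytes) -> bytes:
    """Return a copy of the file with the identifying core properties removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(payload)
                for el in [e for e in (root.find(p, NS) for p in FIELDS.values()) if e is not None]:
                    root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, payload)
    return buf.getvalue()
```

Run `extract_docx_metadata` over everything on the public web server to see what it gives away; the same approach applies to `docProps/app.xml`, which names the application and company.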

Route Mapping


Traceroute Online
Originally a diagnostic tool to view the route an IP packet follows using the time-to-live (TTL) field. Each router along the path decrements the TTL by 1, and the router at which it reaches zero returns an ICMP TIME_EXCEEDED message. Sending packets with increasing TTLs counts the hops and reveals the route taken, yielding the following important data:
Exact path between attacker and target
Hints to the network's external topology
Identification of access control devices (firewalls) that may filter traffic
Possible identification of internal addressing (misconfigured networks)
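Added example (not part of the original cheat sheet): a parser for Linux-style traceroute output that flags the two findings listed above that matter most to a defender, RFC 1918 addresses appearing in a path to a public host (internal addressing leaking) and runs of silent hops that mark a filtering device. The trace text is constructed, not a capture from a real network.

```python
import ipaddress
import re

# Constructed sample output in Linux traceroute format; not a capture from a real network.
SAMPLE_TRACE = """\
traceroute to www.target.example (203.0.113.80), 30 hops max, 60 byte packets
 1  gw.corp.internal (10.20.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  172.16.254.1 (172.16.254.1)  1.201 ms  1.180 ms  1.176 ms
 3  198.51.100.9 (198.51.100.9)  8.770 ms  8.650 ms  8.601 ms
 4  * * *
 5  * * *
 6  203.0.113.80 (203.0.113.80)  21.332 ms  21.110 ms  21.004 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
# RFC 1918 space: seeing it in a path to a public host means internal addressing is leaking.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_traceroute(text: str) -> list:
    """Turn traceroute output into one record per hop (TTL, address, filtered?, internal?)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                     # header line
        ttl, addrs = int(m.group(1)), ADDR_RE.findall(m.group(2))
        if not addrs:                    # "* * *": no ICMP TIME_EXCEEDED came back
            hops.append({"ttl": ttl, "addr": None, "filtered": True, "internal": False})
            continue
        ip = ipaddress.ip_address(addrs[0])
        hops.append({"ttl": ttl, "addr": str(ip), "filtered": False,
                     "internal": any(ip in net for net in RFC1918)})
    return hops

def assess_path(hops: list) -> dict:
    """Summarise what the path reveals: internal addressing and likely filtering devices."""
    return {
        "hops": len(hops),
        "internal_hops": [h["ttl"] for h in hops if h["internal"]],
        "filtered_hops": [h["ttl"] for h in hops if h["filtered"]],
        # Silent hops right before a responding destination usually mark a filtering device.
        "filter_before_destination": bool(hops and not hops[-1]["filtered"]
                                          and len(hops) > 1 and hops[-2]["filtered"]),
    }
```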

-S target -p 80 -c 3

Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP).

intrace https://github.com/robertswiecki/intrace
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.


More Cheat Sheets by fred