Passive Recon Cheatsheet

Search Engines

Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex...
Search Terms: "company name" + password filetype:xls
Google Hacking Database www.exploit-db.com/google-hacking-database

Information of Interest

Geographical Locations (office locations...)
Company Overview (subsidiary companies, mergers...)
Employee Names & PII (contact information, emails, phone numbers...)
Business Partners & Vendors
Technology in Use (software, hardware...)

Online Sources

LinkedIn, Jigsaw, Facebook, Twitter, Google+, Seek, Blogs, Usenet

WayBack Machine
Search Engine Directory http://searchenginecolos
Zuula www.zu
DNSstuff www.dnsst

Password Dumps
site:pastebi "targetURL"

DNS Recon

DNS is a distributed database that resolves domain names to IP addresses.

nslookup target
dig target

Brute-force to identify new domain names associated with the target.
A zone transfer will provide hostnames & IPs of Internet-accessible systems. If the target does not segregate public (external) DNS information from private (internal) DNS information, it might disclose hostnames & IPs of internal devices.

A zone transfer request may trigger IDS / IPS alarms.

Vulnerable Services (e.g. FTP)
Misconfigured, unpatched servers (dbase.test.tar)
Service records (SRV) provide information on service, transport, port, and order of importance for services.
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. This may impact phishing and other social engineering attacks.
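The zone-transfer notes above are where a defender's detection sits: authoritative servers should only answer AXFR/IXFR for known secondaries, and anything else in the query log is worth an alert. This is an added example, not part of the cheat sheet; the log lines are constructed in the style of BIND's query log and the set of authorised secondaries is an assumed value.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in the style of BIND's query log (not real data).
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.113 client @0x1 198.51.100.7#53012 (example.test): query: example.test IN A +E(0)K (192.0.2.53)
12-Mar-2024 10:01:05.442 client @0x2 192.0.2.54#41122 (example.test): query: example.test IN AXFR +T (192.0.2.53)
12-Mar-2024 10:02:11.009 client @0x3 203.0.113.9#55870 (example.test): query: example.test IN AXFR +T (192.0.2.53)
12-Mar-2024 10:02:12.315 client @0x4 203.0.113.9#55871 (example.test): query: example.test IN IXFR +T (192.0.2.53)
12-Mar-2024 10:03:00.777 client @0x5 198.51.100.7#53020 (example.test): query: www.example.test IN AAAA +E(0)K (192.0.2.53)
"""

# Hosts allowed to pull the zone: our own secondary name servers (assumed value).
AUTHORISED_SECONDARIES: Set[str] = {"192.0.2.54"}

# timestamp, optional client handle, client IP#port, (zone): query: qname IN qtype
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_unauthorised_transfers(log_text: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Return every AXFR/IXFR request whose client IP is not an authorised secondary."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        if m["qtype"] in ("AXFR", "IXFR") and m["ip"] not in allowed:
            hits.append({"time": m["ts"], "client": m["ip"],
                         "zone": m["qname"], "type": m["qtype"]})
    return hits

if __name__ == "__main__":
    for hit in find_unauthorised_transfers(SAMPLE_LOG, AUTHORISED_SECONDARIES):
        print(f"{hit['time']} {hit['type']} of {hit['zone']} from unauthorised {hit['client']}")
```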

Whois

whois target

Social engineering
Identify locations for physical attacks
Identify phone numbers (war dialing attack...)
Recursive searches to locate other domains hosted on the same server
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors

IPv6

May contain misconfigurations that leak data. https://en.wikipedia.org/wiki/IPv6

Old network controls (firewalls, IDS/IPS) may not detect IPv6 and hackers can use IPv6 tunnels to maintain covert communications with the network.

dnsdict6 -4 target
Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute-force search based on a dictionary file.

dnsrevenum6 dnsip ipv6address
Reverse DNS enumeration given an IPv6 address.


dnsrecon -d target
dnsenum target
dnsmap target

DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework (SPF), and the IP addresses in use.
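The SPF records that these scanners pull (and that the DKIM/SPF note in the DNS Recon section says shape phishing risk) can be checked for weakness offline. This added example, not part of the cheat sheet, parses an SPF TXT record and reports an open or softfail policy, the deprecated ptr mechanism, and the RFC 7208 limit of 10 DNS lookups; the records are constructed for a fictitious domain.

```python
import re
from typing import Dict, List

# Mechanisms and modifiers that each cost a DNS lookup against RFC 7208's limit of 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def assess_spf(txt_record: str) -> Dict[str, object]:
    """Parse one SPF TXT record and list the weaknesses a defender should fix."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "policy": None, "lookups": 0, "findings": ["not an SPF record"]}
    findings: List[str] = []
    lookups = 0
    policy = None  # qualifier on the final 'all' term: '+', '-', '~' or '?'
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:=/]", body, maxsplit=1)[0]  # strip domain-spec / CIDR / value
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        if name == "all":
            policy = qualifier
    if policy is None:
        findings.append("no 'all' term: unlisted senders are neutral, not rejected")
    elif policy in ("+", "?"):
        findings.append(f"'{policy}all' lets any host send as this domain")
    elif policy == "~":
        findings.append("'~all' softfail: spoofed mail is marked, not rejected")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"valid": True, "policy": policy, "lookups": lookups, "findings": findings}

# Constructed records for a fictitious domain, not real DNS data.
WEAK_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test a mx ~all"
OPEN_RECORD = "v=spf1 +all"
HARDENED_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("open", OPEN_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, assess_spf(rec)["findings"])
```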

dnstracer -v target
Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers which know the data.

dnswalk target
Checks a DNS zone for internal consistency and accuracy.

fierce -dns target
Locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross validation.

Gathering Names & Email Addresses

theharvester -d target -b google
Uses search engines to find e-mail addresses, hosts, and subdomains.

Password Profiling

Common Passwords: /usr/share/wordlists

Common User Password Profiler (CUPP) allows user-specific wordlist creation.
git clone https://github.com/Mebus/cupp.git
python3 cupp.py -i

Website Password Profiling
cewl -k -v target -w cewl-output.txt
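The same site-specific wordlist that cewl builds is the one a defender should screen new passwords against, since "company name plus year" passwords are the first thing profiled. This added example, not from the cheat sheet or the cewl project, reproduces the core of cewl's extraction (minimum word length, frequency ranking) on a constructed page text and then checks candidate passwords for embedded site words after undoing common leetspeak substitutions.

```python
import re
from collections import Counter
from typing import List

# Constructed sample of a company web page's visible text (not a real site).
SAMPLE_PAGE_TEXT = """
Welcome to Northwind Logistics. Northwind has served Seattle since 1998.
Our flagship product, FreightPilot, is trusted by partners worldwide.
Contact the Northwind team or visit our Seattle office. FreightPilot 2024.
"""

def site_wordlist(text: str, min_length: int = 5, lowercase: bool = True) -> List[str]:
    """Extract candidate words as cewl does: alphabetic tokens of at least min_length, ranked by frequency."""
    words = re.findall(r"[A-Za-z]{%d,}" % min_length, text)
    if lowercase:
        words = [w.lower() for w in words]
    return [w for w, _ in Counter(words).most_common()]

# Common substitutions undone before matching: 0->o 1->i 4->a 3->e $->s @->a !->i
LEET_TABLE = str.maketrans("0143$@!", "oiaesai")

def screen_password(password: str, site_words: List[str]) -> List[str]:
    """Return the site-derived words embedded in the password; an empty list means it passes."""
    normalised = password.lower().translate(LEET_TABLE)
    return [w for w in site_words if w in normalised]

if __name__ == "__main__":
    wordlist = site_wordlist(SAMPLE_PAGE_TEXT)
    for candidate in ("N0rthw1nd2024!", "Fr3ightP1lot!", "correct-horse-battery"):
        print(candidate, "->", screen_password(candidate, wordlist) or "ok")
```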

Document Metadata

Company / person who owns the application used to create the document.
Document author & date / time of creation.
Date last printed / modified. Who made modifications.
Location on the network where the document was created.
Geo tags that identify where the image was created.

metagoofil -d target -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html
Download a website's documents and extract usernames, software versions, paths, hostnames...
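The fields metagoofil harvests live in the document itself, so the defensive counterpart is a pre-publication check of the same fields. This added example, not from the cheat sheet or the metagoofil project, builds a minimal .docx in memory from a constructed docProps/core.xml and reports the author, last-modified-by, timestamp and last-printed fields that should be scrubbed before a file goes on a public website.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# core.xml fields that name people, times and accounts: the leak sources the cheat sheet lists.
FIELDS = {
    "author": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}

def docx_metadata(data: bytes) -> Dict[str, str]:
    """Read docProps/core.xml from a .docx (an OOXML zip) and return the non-empty identifying fields."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}  # no core-properties part, so nothing to report from it
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found: Dict[str, str] = {}
    for key, path in FIELDS.items():
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            found[key] = el.text.strip()
    return found

def build_sample_docx(core_xml: str) -> bytes:
    """Build a minimal .docx in memory; constructed sample data, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()

# Constructed core.xml as a document saved by a corporate user would carry it.
LEAKY_CORE = (
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
    "<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>CORP\\svc-docs</cp:lastModifiedBy>"
    "<dcterms:created>2024-03-01T09:15:00Z</dcterms:created>"
    "<dcterms:modified>2024-03-05T17:02:00Z</dcterms:modified></cp:coreProperties>"
) % (NS["cp"], NS["dc"], NS["dcterms"])
```

Running `docx_metadata(build_sample_docx(LEAKY_CORE))` returns the author, the domain service account in last_modified_by and both timestamps; a clean file returns an empty dict.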

Route Mapping

traceroute target
Traceroute Online
Originally a diagnostic tool to view the route an IP packet follows using the time-to-live (TTL) field. Each router on the path decrements the TTL by 1, and the router at which it reaches 0 returns an ICMP TIME_EXCEEDED message, so probes sent with increasing TTL values reveal one hop at a time. Counting the hops and recording the route taken yields the following important data:
Exact path between attacker and target
Hints to the network's external topology
Identification of access control devices (firewalls) that may filter traffic
Possible identification of internal addressing (misconfigured networks)

hping3 -S target -p 80 -c 3
Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP)

intrace https://github.com/robertswiecki/intrace
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.
