Cheatography

Passive Recon Cheat Sheet by fred

Search Engines

Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex...
Search Terms
"company name" + password filetype:xls

Google Hacking Database www.exploit-db.com/google-hacking-database

Information of Interest

Geographical Locations (office locations...)
Company Overview (subsidiary companies, mergers...)
Employee Names & PII (contact information, emails, phone numbers...)
Business Partners & Vendors
Technology in Use (software, hardware...)

Online Sources

LinkedIn Jigsaw Facebook Twitter Google+ Seek Blogs Usenet

WayBack Machine www.archive.org
Search Engine Directory http://searchenginecolossus.com
Zuula www.zuula.com
DNSstuff www.dnsstuff.com
ServerSniff www.serversniff.net
Netcraft www.netcraft.com
myIPneighbors www.myIPneighbors.com
Shodan www.shodanHQ.com

Password Dumps
site:pastebin.com "targetURL"

DNS Recon

DNS is a distributed database that resolves domain names to IP addresses.

nslookup targeturl.com

dig targeturl.com

Brute-force to identify new domain names associated with the target.
A zone transfer will provide hostnames & IP addresses of Internet-accessible systems. If the target does not segregate public (external) DNS information from private (internal) DNS information, it might disclose hostnames & IP addresses of internal devices.

Note
A zone transfer request may trigger IDS / IPS alarms

Vulnerable Services (e.g. FTP)
Misconfigured, unpatched servers (dbase.test.target.com).
Service records (SRV) provide information on service, transport, port, and order of importance for services.
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. This may impact phishing and other social engineering attacks.
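Added example, not part of the cheat sheet: an SPF audit that parses a record into its mechanisms and reports the settings that leave a domain spoofable, which is the check a defender runs before relying on SPF against phishing. The records and domain names are constructed.

```python
# RFC 7208: each of these costs a DNS lookup; more than 10 per evaluation is a permerror
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for term in txt.split()[1:]:
        qualifier = "+"                      # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, sep, value = term.partition(":")
        if not sep:                          # modifiers use '=' (redirect=, exp=)
            name, sep, value = term.partition("=")
        terms.append((qualifier, name.lower(), value))
    return terms

def audit_spf(txt):
    """Return (authorised senders, findings) for one SPF record."""
    terms = parse_spf(txt)
    findings = []
    all_q = [q for q, n, _ in terms if n == "all"]
    if not all_q and not any(n == "redirect" for _, n, _ in terms):
        findings.append("no 'all' mechanism: unlisted senders are neutral, SPF stops nothing")
    elif all_q and all_q[-1] in "+?":
        findings.append(f"'{all_q[-1]}all' lets anyone send as this domain")
    elif all_q and all_q[-1] == "~":
        findings.append("'~all' is softfail: receivers may still deliver spoofed mail")
    lookups = sum(1 for _, n, _ in terms if n in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10")
    if any(n == "ptr" for _, n, _ in terms):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    senders = [f"{n}:{v}" if v else n for _, n, v in terms if n != "all"]
    return senders, findings

# Constructed sample records; the domains are not real
SAMPLES = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test mx -all",
    "weak.test": "v=spf1 a mx ptr ~all",
    "open.test": "v=spf1 +all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        senders, findings = audit_spf(record)
        print(domain, senders, findings or ["ok"])
```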
 

Whois

whois targeturl.com


Social engineering
Identify locations for physical attacks
Identify phone numbers (war dialing attack...)
Recursive searches to locate other domains hosted on the same server
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors

IPv6

May contain misconfigurations that leak data. https://en.wikipedia.org/wiki/IPv6

Old network controls (firewalls, IDS/IPS) may not detect IPv6 and hackers can use IPv6 tunnels to maintain covert communications with the network.

dnsdict6 -4 targeturl.com

Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute force search based on a dictionary file.

dnsrevenum6 dnsip ipv6address

Reverse DNS enumeration given an IPv6 address.

IPv4

dnsrecon -d targeturl.com

dnsenum targeturl.com

dnsmap targeturl.com


DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: the SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mail under Sender Policy Framework (SPF), and the IP addresses in use.

dnstracer -v targeturl.com

Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers which know the data.

dnswalk targeturl.com.

Checks for internal network consistency and accuracy.

fierce -dns targeturl.com

Locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross validation.
 

Gathering Names & Email Addresses

theharvester -d targeturl.com -b google

Uses search engines to find e-mail addresses, hosts, and subdomains.

Password Profiling

Common Passwords
/usr/share/wordlists

Common User Password Profiler (CUPP) allows user specific wordlist creation.
git clone https://github.com/Mebus/cupp.git
cupp.py -i

Website Password Profiling
cewl -k -v targeturl.com -w cewl-output.txt

Document Metadata

Company / person who owns the application used to create the document.
Document author & date / time of creation.
Date last printed / modified. Who made modifications.
Location on the network where the document was created.
Geo tags that identify where the image was created.

metagoofil -d targeturl.com -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html

Downloads a website's documents and extracts usernames, software versions, paths, hostnames...
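Added example, not from the cheat sheet or from metagoofil: reading the fields listed above straight out of an Office Open XML file's property parts, which is the check worth running on documents before they are published. The docx and every value in it are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML (docx/xlsx/pptx) stores the fields listed above in two zip members
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"
DCT = "{http://purl.org/dc/terms/}"
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
PARTS = {
    "docProps/core.xml": {"author": DC + "creator", "last_modified_by": CP + "lastModifiedBy",
                          "created": DCT + "created", "modified": DCT + "modified",
                          "last_printed": CP + "lastPrinted"},
    "docProps/app.xml": {"application": EP + "Application", "company": EP + "Company",
                         "template": EP + "Template"},
}

def extract_metadata(data):
    """Return the identifying fields found in an OOXML file given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in PARTS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for key, tag in fields.items():
                el = root.find(tag)          # direct child, namespace-qualified
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found

# Constructed property parts; names, dates and the template path are invented
CORE = b"""<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">
<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>CORP\\a.smith</cp:lastModifiedBy>
<dcterms:created>2019-03-04T09:12:00Z</dcterms:created><dcterms:modified>2019-05-01T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""
APP = b"""<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application><Company>Example Corp</Company>
<Template>\\\\fileserver\\templates\\memo.dotx</Template></Properties>"""

def build_sample_docx():
    """Minimal docx-shaped zip holding only the property parts (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE)
        zf.writestr("docProps/app.xml", APP)
    return buf.getvalue()
```

The template path and the domain-qualified editor name are exactly the "location on the network" and "who made modifications" items from the list.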

Route Mapping

traceroute targeturl.com

Traceroute Online www.traceroute.org
Originally a diagnostic tool to view the route an IP packet follows using the time-to-live (TTL) field. Each router on the path decrements the TTL by 1, and the router at which it reaches 0 replies with an ICMP TIME_EXCEEDED message, so probes sent with increasing TTL values reveal each hop in turn. Counting the hops and the route taken yields the following important data:
Exact path between attacker and target
Hints to the network's external topology
Identification of access control devices (firewalls) that may filter traffic
Possible identification of internal addressing (misconfigured networks)

hping3 -S targeturl.com -p 80 -c 3

Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP)

intrace https://github.com/robertswiecki/intrace
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.
           
 
