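% Passive Recon cheat sheet (Cheatography export).
% Layout: one tabularx box per topic, flowed into three columns.
% The "% Row Count" comments are the generator's line-budget annotations;
% they must stay at end of line, otherwise they comment out the row that follows.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}   % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{fred}
\pdfinfo{
  /Title (passive-recon.pdf)
  /Creator (Cheatography)
  /Author (fred)
  /Subject (Passive Recon Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm}       % Space between columns
\setlength{\headsep}{-12pt}         % Reduce space between header and content
\setlength{\headheight}{85pt}       % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt}  % Remove footer line
\renewcommand{\headrulewidth}{0pt}  % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit

% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
% \SetRowColor records the colour in \RowColorName (read by \mymulticolumn) and
% applies it to the row; it uses \noalign, so it must be the first thing in a row.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{17AD1B}
\definecolor{LightBackground}{HTML}{F0F9F0}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% Header: logo | title and author line
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Passive Recon Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{fred} via \textcolor{DarkBackground}{\uline{cheatography.com/22666/cs/4692/}}}
\end{tabulary}
\end{multicols}}

% Footer: author | publication dates and page count | sponsor
\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}fred \\
  \uline{cheatography.com/fred} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
  \vspace{-2pt}Published 29th July, 2015.\\
  Updated 10th May, 2016.\\
  Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{3}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Search Engines}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex... \newline % Row Count 2 (+ 2)
Search Terms `{\bf{"company name" + password filetype:xls}}` \newline % Row Count 4 (+ 2)
{\bf{Google Hacking Database \seqsplit{www.exploit-db.com/google-hacking-database} }}% Row Count 6 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Information of Interest}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{Geographical Locations (office locations...) \newline % Row Count 1 (+ 1)
Company Overview (subsidiary companies, mergers...) \newline % Row Count 3 (+ 2)
Employee Names \& PII (contact information, emails, phone numbers...) \newline % Row Count 5 (+ 2)
Business Partners \& Vendors \newline % Row Count 6 (+ 1)
Technology in Use (software, hardware...)% Row Count 7 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Online Sources}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{LinkedIn Jigsaw Facebook Twitter Google+ Seek Blogs Usenet}} \newline % Row Count 2 (+ 2)
{\bf{WayBack Machine www.archive.org}} \newline % Row Count 3 (+ 1)
{\bf{Search Engine Directory \seqsplit{http://searchenginecolossus.com} }} \newline % Row Count 5 (+ 2)
{\bf{Zuula www.zuula.com}} \newline % Row Count 6 (+ 1)
{\bf{DNSstuff www.dnsstuff.com}} \newline % Row Count 7 (+ 1)
{\bf{ServerSniff www.serversniff.net}} \newline % Row Count 8 (+ 1)
{\bf{Netcraft www.netcraft.com}} \newline % Row Count 9 (+ 1)
{\bf{ www.myIPneighbors.com}} \newline % Row Count 10 (+ 1)
{\bf{Shodan www.shodanHQ.com}} \newline % Row Count 11 (+ 1)
{\bf{Password Dumps}} \newline % Row Count 12 (+ 1)
{\bf{`site:pastebin.com "targetURL"`}}% Row Count 13 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{DNS Recon}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{DNS is a distributed database that resolves domains to IPs. \newline % Row Count 2 (+ 2)
{\bf{\{\{fa-file-text\}\}nslookup}} `targeturl.com ` \newline % Row Count 3 (+ 1)
{\bf{\{\{fa-file-text\}\}dig}} `targeturl.com ` \newline % Row Count 4 (+ 1)
{\bf{Brute-force to identify new domain names}} associated with the target. \newline % Row Count 6 (+ 2)
{\bf{A zone transfer will provide hostnames \& IPs of Internet-accessible systems.}} If the target does not segregate public (external) DNS information from private (internal) DNS information, it might disclose hostnames \& IPs of internal devices. \newline % Row Count 11 (+ 5)
{\bf{\{\{fa-exclamation-triangle\}\}Note}} \newline % Row Count 12 (+ 1)
{\bf{A zone transfer request may trigger IDS / IPS alarms}} \newline % Row Count 14 (+ 2)
{\bf{Vulnerable Services}} (e.g.\ FTP) \newline % Row Count 15 (+ 1)
Misconfigured, unpatched servers (dbase.test.target.com). \newline % Row Count 17 (+ 2)
Service records (SRV) provide information on the service, transport, port, and order of importance for services. \newline % Row Count 20 (+ 3)
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) \newline % Row Count 22 (+ 2)
records are used to control spam e-mails. This may impact phishing and other social engineering attacks.% Row Count 25 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Whois}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{\{\{fa-file-text\}\}whois}}` targeturl.com` \newline % Row Count 1 (+ 1)
{\bf{Social engineering}} \newline % Row Count 2 (+ 1)
Identify locations for physical attacks \newline % Row Count 3 (+ 1)
Identify phone numbers (war dialing attack...) \newline % Row Count 4 (+ 1)
Recursive searches to locate other domains hosted on the same server \newline % Row Count 6 (+ 2)
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors% Row Count 9 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{IPv6}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{May contain misconfigurations that leak data.}} {\bf{ \seqsplit{https://en.wikipedia.org/wiki/IPv6} }} \newline % Row Count 2 (+ 2)
Old network controls (firewalls, IDS/IPS) may not detect IPv6, and attackers can use IPv6 tunnels to maintain covert communications with the network. \newline % Row Count 5 (+ 3)
{\bf{\{\{fa-file-text\}\}dnsdict6}}` -4 targeturl.com` \newline % Row Count 6 (+ 1)
Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute-force search based on a dictionary file. \newline % Row Count 9 (+ 3)
{\bf{\{\{fa-file-text\}\}dnsrevenum6}}` dnsip ipv6address` \newline % Row Count 11 (+ 2)
Reverse DNS enumeration given an IPv6 address.% Row Count 12 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{IPv4}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{\{\{fa-file-text\}\}dnsrecon}}` -d targeturl.com` \newline % Row Count 1 (+ 1)
{\bf{\{\{fa-file-text\}\}dnsenum}}` targeturl.com` \newline % Row Count 2 (+ 1)
{\bf{\{\{fa-file-text\}\}dnsmap}}` targeturl.com` \newline % Row Count 3 (+ 1)
DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: the SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mail according to the Sender Policy Framework (SPF), and the IP addresses in use. \newline % Row Count 10 (+ 7)
{\bf{\{\{fa-file-text\}\}dnstracer}}` -v targeturl.com` \newline % Row Count 11 (+ 1)
Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers that hold the data. \newline % Row Count 14 (+ 3)
{\bf{\{\{fa-file-text\}\}dnswalk}}` targeturl.com.` \newline % Row Count 15 (+ 1)
Checks for internal network consistency and accuracy. \newline % Row Count 17 (+ 2)
{\bf{\{\{fa-file-text\}\}fierce}}` -dns targeturl.com` \newline % Row Count 18 (+ 1)
Locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross-validation.% Row Count 24 (+ 6)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Gathering Names \& Email Addresses}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{\{\{fa-file-text\}\}theharvester}}` -d targeturl.com -b google` \newline % Row Count 2 (+ 2)
Uses search engines to find e-mail addresses, hosts, and subdomains.% Row Count 4 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Password Profiling}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{Common Passwords}} `/usr/share/wordlists` \newline % Row Count 1 (+ 1)
{\bf{Common User Password Profiler}} (CUPP) allows user-specific wordlist creation. \newline % Row Count 3 (+ 2)
{\bf{\{\{fa-download\}\} git clone \seqsplit{https://github.com/Mebus/cupp.git} }} \newline % Row Count 5 (+ 2)
{\bf{\{\{fa-file-text\}\}cupp.py}} `-i` \newline % Row Count 6 (+ 1)
{\bf{Website Password Profiling}} \newline % Row Count 7 (+ 1)
{\bf{\{\{fa-file-text\}\}cewl}} `-k -v targeturl.com -w cewl-output.txt`% Row Count 9 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Document Metadata}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{Company / person who owns the application used to create the document. \newline % Row Count 2 (+ 2)
Document author \& date / time of creation. \newline % Row Count 3 (+ 1)
Date last printed / modified. Who made modifications. \newline % Row Count 5 (+ 2)
Location on the network where the document was created. \newline % Row Count 7 (+ 2)
Geo tags that identify where the image was created. \newline % Row Count 9 (+ 2)
{\bf{\{\{fa-file-text\}\}metagoofil}}` -d targeturl.com -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html` \newline % Row Count 12 (+ 3)
{\bf{Download a Website's Documents}} and extract usernames, software versions, paths, hostnames...% Row Count 14 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Route Mapping}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{{\bf{\{\{fa-file-text\}\}traceroute}} `targeturl.com` \newline % Row Count 1 (+ 1)
{\bf{Traceroute Online www.traceroute.org}} \newline % Row Count 2 (+ 1)
Originally a diagnostic tool to view the route an IP packet follows using the time-to-live (TTL) field. Each router on the path decrements the TTL by 1; the router at which it reaches zero returns an ICMP TIME\_EXCEEDED message. The replies count the number of hops and reveal the route taken, yielding the following important data: \newline % Row Count 9 (+ 7)
Exact path between attacker and target \newline % Row Count 10 (+ 1)
Hints to the network's external topology \newline % Row Count 11 (+ 1)
Identification of access control devices (firewalls) that may filter traffic \newline % Row Count 13 (+ 2)
Possible identification of internal addressing (misconfigured networks) \newline % Row Count 15 (+ 2)
{\bf{\{\{fa-file-text\}\}hping3}} `-S targeturl.com -p 80 -c 3` \newline % Row Count 17 (+ 2)
Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP) \newline % Row Count 19 (+ 2)
{\bf{\{\{fa-file-text\}\}intrace \seqsplit{https://github.com/robertswiecki/intrace} }} \newline % Row Count 21 (+ 2)
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.% Row Count 24 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}

\end{document}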