
Passive Recon Cheat Sheet by fred
Tags: security, it, passive, recon

Search Engines

Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex...
Search Terms: "company name" + password filetype:xls
Google Hacking Database: www.exploit-db.com/google-hacking-database

Information of Interest

Geographical Locations (office locations...)
Company Overview (subsidiary companies, mergers...)
Employee Names & PII (contact information, emails, phone numbers...)
Business Partners & Vendors
Technology in Use (software, hardware...)

Online Sources

LinkedIn Jigsaw Facebook Twitter Google+ Seek Blogs Usenet

WayBack Machine www.archive.org
Search Engine Directory http://searchenginecolossus.com
Zuula www.zuula.com
DNSstuff www.dnsstuff.com
ServerSniff www.serversniff.net
Netcraft www.netcraft.com
www.myIPneighbors.com
Shodan www.shodanHQ.com

Password Dumps
site:pastebin.com "targetURL"

DNS Recon

DNS is a distributed database that resolves domain names to IP addresses.

nslookup targeturl.com
dig targeturl.com

Brute-force name lookups to identify additional domain names associated with the target.
A zone transfer will provide the hostnames and IP addresses of Internet-accessible systems. If the target does not segregate public (external) DNS information from private (internal) DNS information, it may also disclose the hostnames and IP addresses of internal devices.

Note
A zone transfer request may trigger IDS / IPS alarms.

Vulnerable services (e.g. FTP).
Misconfigured, unpatched servers (dbase.test.target.com).
Service records (SRV) provide information on the service, transport, port, and order of importance for services.
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mail. Their presence and strictness may affect phishing and other social engineering attacks.
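Because recon tools collect a domain's SPF record to judge how easily its mail can be spoofed, the domain owner can run the same check first. Added example, not part of the cheat sheet or of any tool it lists: a small Python audit of a published SPF string (the sample records are constructed) that reports the qualifier on the final "all" term, the number of DNS-lookup terms, and lenient settings worth fixing.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def analyze_spf(record: str) -> dict:
    """Audit a published SPF TXT record and report settings that ease spoofing.

    Returns the qualifier on the final "all" term, the number of lookup-costing
    terms, and a list of findings the domain owner should review.
    """
    findings = []
    result = {"valid": False, "all_qualifier": None, "lookups": 0, "findings": findings}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("missing v=spf1 version tag; record will be ignored")
        return result
    result["valid"] = True
    all_seen = False
    for term in terms[1:]:
        # Mechanisms after "all" are never reached; modifiers (name=value) still apply.
        if all_seen and "=" not in term:
            findings.append(f"mechanism after 'all' is never evaluated: {term}")
            continue
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", term, re.I)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qual, name = m.group(1) or "+", m.group(2).lower()
        if name == "all":
            result["all_qualifier"] = qual
            all_seen = True
            if qual == "+":
                findings.append("+all authorises every sender; the domain is trivially spoofable")
            elif qual in ("?", "~"):
                findings.append(f"{qual}all is lenient; prefer -all once all senders are listed")
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
            if name == "ptr":
                findings.append("ptr mechanism is deprecated and unreliable")
    if not all_seen:
        findings.append("no 'all' term; unlisted senders get a neutral result")
    if result["lookups"] > 10:
        findings.append(f"{result['lookups']} lookup terms exceed the limit of 10 (permerror)")
    return result
```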
 

Whois

whois targeturl.com

Social engineering
Identify locations for physical attacks
Identify phone numbers (war dialing attack...)
Recursive searches to locate other domains hosted on the same server
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors

IPv6

May contain misconfigurations that leak data. https://en.wikipedia.org/wiki/IPv6

Old network controls (firewalls, IDS/IPS) may not detect IPv6, and hackers can use IPv6 tunnels to maintain covert communications with the network.

dnsdict6 -4 targeturl.com
Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute-force search based on a dictionary file.

dnsrevenum6 dnsip ipv6address
Reverse DNS enumeration given an IPv6 address.

IPv4

dnsrecon -d targeturl.com
dnsenum targeturl.com
dnsmap targeturl.com

DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: the SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mail according to the Sender Policy Framework (SPF), and the IP addresses in use.

dnstracer -v targeturl.com
Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers that are authoritative for the data.

dnswalk targeturl.com.
Checks for internal network consis­tency and accuracy.

fierce -dns targeturl.com
Locates non-contiguous IP space and hostnames for the specified domains by attempting zone transfers and then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross-validation.
 

Gathering Names & Email Addresses

theharvester -d targeturl.com -b google
Uses search engines to find e-mail addresses, hosts, and subdomains.

Password Profiling

Common Passwords: /usr/share/wordlists

Common User Password Profiler (CUPP) allows user-specific wordlist creation.
git clone https://github.com/Mebus/cupp.git
cupp.py -i

Website Password Profiling
cewl -k -v targeturl.com -w cewl-output.txt

Document Metadata

Company / person who owns the application used to create the document.
Document author & date / time of creation.
Date last printed / modified. Who made modifications.
Location on the network where the document was created.
Geo tags that identify where the image was created.

metagoofil -d targeturl.com -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html
Downloads a website's documents and extracts usernames, software versions, paths, hostnames...

Route Mapping

traceroute targeturl.com
Traceroute Online www.traceroute.org
Originally a diagnostic tool for viewing the route an IP packet follows, using the time-to-live (TTL) field. Each router on the path decrements the TTL by 1, and the router at which it reaches zero returns an ICMP TIME_EXCEEDED message; sending packets with increasing TTL values therefore reveals the number of hops and the route taken, and yields the following important data:
Exact path between attacker and target
Hints to the network's external topology
Identification of access control devices (firewalls) that may filter traffic
Possible identification of internal addressing (misconfigured networks)

hping3 -S targeturl.com -p 80 -c 3
Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP)

intrace https://github.com/robertswiecki/intrace
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.
