Passive Recon Cheat Sheet by fred

Tags: security, it, passive, recon

Search Engines

Google, Bing, DuckDuckGo, Yahoo, Blekko, Yandex...
Search Terms: "company name" + password filetype:xls
Google Hacking Database: www.exploit-db.com/google-hacking-database

Information of Interest

Geographical Locations (office locations...)
Company Overview (subsidiary companies, mergers...)
Employee Names & PII (contact information, emails, phone numbers...)
Business Partners & Vendors
Technology in Use (software, hardware...)

Online Sources

LinkedIn, Jigsaw, Facebook, Twitter, Google+, Seek, Blogs, Usenet

WayBack Machine www.archive.org
Search Engine Directory http://searchenginecolossus.com
Zuula www.zuula.com
DNSstuff www.dnsstuff.com
ServerSniff www.serversniff.net
Netcraft www.netcraft.com
myIPneighbors www.myIPneighbors.com
Shodan www.shodanHQ.com

Password Dumps
site:pastebin.com "targetURL"

DNS Recon

DNS is a distributed database that resolves domain names to IP addresses.

nslookup targeturl.com
dig targeturl.com

Brute-force to identify new domain names associated with the target.
A zone transfer will provide hostnames & IP addresses of Internet-accessible systems. If the target does not segregate public (external) DNS information from private (internal) DNS information, it might disclose hostnames & IP addresses of internal devices.

Note
A zone transfer request may trigger IDS / IPS alarms.
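The note above is the defender's side of the same observation: an authoritative server logs every AXFR request it serves or refuses, so those lines are where a zone-transfer attempt (and, worse, a successful one from an unknown host) shows up. The following is an added example, not part of the original cheat sheet: it parses BIND 9-style transfer log lines (the sample lines and the allow-list of secondary servers are constructed here) and flags attempts from hosts that are not the organisation's own secondaries.

```python
import ipaddress
import re

# Constructed sample lines in BIND 9 "xfer-out"/"security" log style (not real logs).
SAMPLE_LOG = """\
01-Mar-2024 10:15:32.101 xfer-out: info: client @0x7f3a1c0012a0 192.0.2.53#50123 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024030101)
01-Mar-2024 10:15:32.310 xfer-out: info: client @0x7f3a1c0012a0 192.0.2.53#50123 (example.com): transfer of 'example.com/IN': AXFR ended
01-Mar-2024 11:02:07.544 security: error: client @0x7f3a1c0034b0 203.0.113.7#41234 (example.com): zone transfer 'example.com/AXFR/IN' denied
01-Mar-2024 11:02:09.002 xfer-out: info: client @0x7f3a1c0034b0 203.0.113.7#41235 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024030101)
01-Mar-2024 11:03:41.876 security: error: client @0x7f3a1c0034b0 203.0.113.9#41300 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

# Hypothetical allow-list: the networks where the organisation's own secondaries live.
ALLOWED_SECONDARIES = (ipaddress.ip_network("192.0.2.0/24"),)

# One regex covers both the "AXFR/IXFR started" and the "zone transfer ... denied" forms.
XFER_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': (?P<kind>AXFR|IXFR) started|zone transfer '[^']+' (?P<denied>denied))"
)


def parse_transfer_events(log_text):
    """Return one dict per transfer attempt: source ip, zone, and 'started' or 'denied'."""
    events = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # "AXFR ended" and unrelated lines carry no new attempt
        events.append({
            "ip": m.group("ip"),
            "zone": m.group("zone"),
            "outcome": "denied" if m.group("denied") else "started",
        })
    return events


def suspicious_transfers(events, allowed=ALLOWED_SECONDARIES):
    """Attempts (started or denied) from hosts that are not known secondaries."""
    flagged = []
    for e in events:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed):
            flagged.append((e["ip"], e["zone"], e["outcome"]))
    return flagged


def leaked_zones(flagged):
    """The critical subset: transfers that actually started to an unknown host."""
    return sorted({(ip, zone) for ip, zone, outcome in flagged if outcome == "started"})


if __name__ == "__main__":
    events = parse_transfer_events(SAMPLE_LOG)
    for item in suspicious_transfers(events):
        print("transfer attempt from outside allow-list:", item)
    print("zones served to unknown hosts:", leaked_zones(suspicious_transfers(events)))
```

A denied attempt is the IDS-style alert the note refers to; a started transfer to a host outside the allow-list means the zone contents should be treated as disclosed, and the server's allow-transfer configuration needs fixing.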

Vulnerable Services (e.g. FTP)
Misconfigured, unpatched servers (dbase.test.target.com).
Service records (SRV) provide information on service, transport, port, and order of importance for services.
DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. This may impact phishing and other social engineering attacks.
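Whether SPF and DKIM actually constrain spoofing depends on what the records say, not just on whether they exist. The following added example (not from the original cheat sheet) evaluates TXT record values the way a defender auditing their own domain would: it finds the SPF record, reports the qualifier on the all term (-all hard fail, ~all soft fail, ?all neutral, +all anyone may send), counts the DNS-lookup terms against the 10-lookup limit from RFC 7208, and checks that a DKIM selector publishes a public key. The record values and domain names are constructed for the example; in practice the lists would come from TXT lookups.

```python
# Constructed example TXT values (not real lookups); keys are the names queried.
SAMPLE_TXT_RECORDS = {
    "strict.example": ['"v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"'],
    "soft.example": ['"v=spf1 mx ~all"'],
    "open.example": ['"v=spf1 a mx +all"'],
    "nospf.example": ['"google-site-verification=abc123"'],
    "dkim._domainkey.strict.example": ['"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"'],
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

VERDICTS = {
    "-": "hardfail (strict)",
    "~": "softfail",
    "?": "neutral",
    "+": "pass-all (anyone may send as this domain)",
}


def spf_policy(txt_values):
    """Classify the SPF record among a name's TXT values."""
    records = [v.strip('"') for v in txt_values if v.strip('"').lower().startswith("v=spf1")]
    if not records:
        return {"present": False, "all_qualifier": None, "verdict": "no SPF record", "lookup_terms": 0}
    if len(records) > 1:
        # RFC 7208: more than one SPF record is a permanent error, receivers ignore SPF.
        return {"present": True, "all_qualifier": None, "verdict": "permerror: multiple SPF records", "lookup_terms": 0}
    qualifier, lookups = None, 0
    for term in records[0].split()[1:]:
        q = term[0] if term[0] in "+-~?" else "+"  # missing qualifier means pass
        body = term[1:] if term[0] in "+-~?" else term
        name = body.split(":")[0].split("/")[0].split("=")[0].lower()
        if name == "all":
            qualifier = q
        elif name in LOOKUP_TERMS:
            lookups += 1
    verdict = VERDICTS.get(qualifier, "no all term (defaults to neutral)")
    if lookups > 10:
        verdict += "; permerror: more than 10 DNS-lookup terms"
    return {"present": True, "all_qualifier": qualifier, "verdict": verdict, "lookup_terms": lookups}


def dkim_key_published(txt_values):
    """True if a DKIM1 record with a non-empty public key (p=) is among the values."""
    for v in txt_values:
        tags = dict(t.strip().split("=", 1) for t in v.strip('"').split(";") if "=" in t)
        if tags.get("v", "").strip() == "DKIM1" and tags.get("p", "").strip():
            return True
    return False


if __name__ == "__main__":
    for name, values in SAMPLE_TXT_RECORDS.items():
        print(name, spf_policy(values)["verdict"], "| DKIM key:", dkim_key_published(values))
```

A domain with no SPF record, +all, or no all term gives a receiving mail server nothing to reject spoofed mail on; that is the case the cheat sheet's "may impact phishing" line is pointing at.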
 

Whois

whois targeturl.com

Social engineering
Identify locations for physical attacks
Identify phone numbers (war dialing attack...)
Recursive searches to locate other domains hosted on the same server
If a domain is due to expire, attempt to seize the domain, and create a look-alike website to compromise visitors

IPv6

May contain misconfigurations that leak data. https://en.wikipedia.org/wiki/IPv6

Old network controls (firewalls, IDS/IPS) may not detect IPv6 and hackers can use IPv6 tunnels to maintain covert communications with the network.

dnsdict6 -4 targeturl.com
Enumerates subdomains to obtain IPv4 and IPv6 addresses using a brute-force search based on a dictionary file.

dnsrevenum6 dnsip ipv6address
Reverse DNS enumeration given an IPv6 address.

IPv4

dnsrecon -d targeturl.com
dnsenum targeturl.com
dnsmap targeturl.com

DNS scanners and record enumeration (A, MX, TXT, SOA, wildcard, etc.), subdomain brute-force, Google lookup, reverse lookup, zone transfer, zone walking. The tester can obtain: SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework (SPF), and the IP addresses in use.

dnstracer -v targeturl.com
Determines where a given DNS server gets its information and follows the chain of DNS servers back to the servers which know the data.

dnswalk targeturl.com.
Checks for internal network consistency and accuracy.

fierce -dns targeturl.com
Locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then brute-forcing to gain DNS information. Run fierce to confirm that all targets have been identified, then run at least two other tools (dnsenum, dnsrecon) to provide cross validation.
 

Gathering Names & Email Addresses

theharvester -d targeturl.com -b google
Uses search engines to find e-mail addresses, hosts, and subdomains.

Password Profiling

Common Passwords: /usr/share/wordlists

Common User Password Profiler (CUPP) allows user-specific wordlist creation.
git clone https://github.com/Mebus/cupp.git
cupp.py -i

Website Password Profiling
cewl -k -v targeturl.com -w cewl-output.txt

Document Metadata

Company / person who owns the application used to create the document.
Document author & date / time of creation.
Date last printed / modified. Who made modifications.
Location on the network where the document was created.
Geo tags that identify where the image was created.

metagoofil -d targeturl.com -t doc,pdf,xls,ppt,odp,ods,docx,xlsx,pptx -l 200 -n 50 -o foldername -f results.html
Download a website's documents and extract usernames, software versions, paths, hostnames...
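The fields listed above live in the document itself, so the same check works in the other direction: inspect what a file discloses before it is published. The following added example (not part of the original cheat sheet, and not metagoofil's code) pulls the Info dictionary out of a PDF with nothing but the standard library and lists the identity, tooling and timestamp fields a defender would scrub. The PDF bytes are a constructed minimal file; the parser is deliberately simplified (literal strings only, no hex strings, escapes, object streams or encryption), which is fine for a pre-publication check but not a replacement for a real PDF library.

```python
import re

# Constructed minimal PDF (not a real downloaded document); only the Info object matters here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Board Pack) /Author (jdoe) /Creator (Microsoft Word 2016) /Producer (Acrobat Distiller 9.0) /CreationDate (D:20230914093012+02'00') /ModDate (D:20230915161500+02'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Standard Info-dictionary keys that identify people, software and timing.
INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer", "CreationDate", "ModDate")


def pdf_info_dict(pdf_bytes):
    """Return the /Info dictionary as {key: value} for literal (...) strings.

    Follows the trailer's /Info N G R reference to object N and reads its entries.
    """
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf_bytes)
    if not ref:
        return {}
    obj_re = re.compile(
        rb"\b" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj\s*<<(.*?)>>\s*endobj", re.S
    )
    obj = obj_re.search(pdf_bytes)
    if not obj:
        return {}
    entries = re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))
    return {k.decode(): v.decode("latin-1") for k, v in entries}


def pdf_date(value):
    """Convert a PDF date string (D:YYYYMMDDHHmmSS...) to 'YYYY-MM-DD HH:MM:SS'."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", value)
    if not m:
        return value
    y, mo, d, h, mi, s = (g or "00" for g in m.groups())
    return f"{y}-{mo}-{d} {h}:{mi}:{s}"


def sensitive_fields(info):
    """The subset of Info entries worth scrubbing before a document leaves the organisation."""
    return {k: info[k] for k in INFO_KEYS if info.get(k)}


if __name__ == "__main__":
    info = pdf_info_dict(SAMPLE_PDF)
    for key, value in sensitive_fields(info).items():
        shown = pdf_date(value) if key.endswith("Date") else value
        print(f"{key}: {shown}")
```

Author and Creator give a username and the software (and version) in use; the two dates bracket when the document was worked on. Those are exactly the items the list above says a recon tool would harvest.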

Route Mapping

traceroute targeturl.com
Traceroute Online www.traceroute.org
Originally a diagnostic tool to view the route an IP packet follows using the time-to-live (TTL) field. Each router on the path decrements the TTL by 1, and the router at which it reaches 0 replies with an ICMP TIME_EXCEEDED message; sending probes with TTL 1, 2, 3... therefore reveals each hop in turn. The probes count the number of hops and the route taken and yield the following important data:
Exact path between attacker and target
Hints to the network's external topology
Identification of access control devices (firewalls) that may filter traffic
Possible identification of internal addressing (misconfigured networks)
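Two of the items above can be checked mechanically on your own network's traceroute output: a hop that never answers (a filtering device) and an RFC 1918 address that appears after the path has already reached public address space (internal addressing leaking through a misconfigured router or NAT). The following added example (not part of the original cheat sheet) parses Linux-style traceroute output and reports both. The output lines are constructed; the documentation-range addresses (203.0.113.x, 198.51.100.x) stand in for public hops.

```python
import ipaddress
import re

# Constructed traceroute output (Linux format); not a real trace.
SAMPLE_TRACE = """\
traceroute to www.example.com (198.51.100.80), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.102 ms  1.050 ms  1.021 ms
 2  10.20.0.1 (10.20.0.1)  8.314 ms  8.290 ms  8.255 ms
 3  203.0.113.1 (203.0.113.1)  12.100 ms  12.080 ms  12.040 ms
 4  * * *
 5  198.51.100.17 (198.51.100.17)  20.511 ms  20.480 ms  20.402 ms
 6  172.16.4.9 (172.16.4.9)  24.900 ms  24.850 ms  24.800 ms
 7  www.example.com (198.51.100.80)  25.001 ms  24.990 ms  24.950 ms
"""

# RFC 1918 space plus the CGNAT range; Python's is_private also covers the
# documentation ranges used as stand-ins here, so the check is explicit instead.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"))

HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_traceroute(text):
    """Return [(hop_number, ip_or_None), ...]; None marks a hop that sent no reply."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def filtered_hops(hops):
    """Hop numbers with no reply at all: candidates for a filtering device."""
    return [n for n, ip in hops if ip is None]


def leaked_internal_hops(hops):
    """Internal addresses seen after the path has already reached public space.

    Private hops before the first public one are the local LAN / ISP edge and are expected;
    a private hop after a public one is addressing that should not be visible from outside.
    """
    seen_public, leaks = False, []
    for n, ip in hops:
        if ip is None:
            continue
        if not is_internal(ip):
            seen_public = True
        elif seen_public:
            leaks.append((n, ip))
    return leaks


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    print("no-reply hops (possible filtering):", filtered_hops(hops))
    print("internal addresses exposed past the edge:", leaked_internal_hops(hops))
```

Hop 2 (10.20.0.1) is not flagged because nothing public has been seen yet; hop 6 (172.16.4.9) is, because it sits between two public hops. Running this against traces toward your own published hosts from outside is the defender's version of the topology hints the cheat sheet describes.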

hping3 -S targeturl.com -p 80 -c 3
Packet assembler and analyzer (supports TCP/UDP/ICMP/raw-IP)

intrace https://github.com/robertswiecki/intrace
Exploits existing TCP connections from the local system/network/local hosts. Useful for bypassing firewalls.
