Reconnaissance

1. WHOIS Lookup:

WHOIS is a protocol that provides information about registered domain names and IP addresses.

  • Command:

    whois <domain_name>
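
An added example, not from the cheatsheet: a minimal client that speaks the protocol behind the `whois` command directly (query text plus CRLF over TCP port 43, per RFC 3912) and parses the reply, so a defender can script expiry checks over domains they own. The server name, function names and the sample reply are assumptions; the network call is only needed for live queries, the parser runs on the embedded constructed sample.

```python
"""RFC 3912 WHOIS client plus a parser for the 'Key: value' lines registries return.
Hypothetical helper added for illustration; the sample reply below is constructed."""
import socket
from datetime import datetime, timezone

def whois_query(domain, server="whois.iana.org", timeout=10.0):
    """Send one query (text + CRLF on TCP/43) and read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'Key: value' lines, skipping comments; repeated keys become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def parse_iso(stamp):
    """Parse registry ISO 8601 timestamps; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def days_until_expiry(fields, now=None):
    """Days until 'Registry Expiry Date' (None if absent). Running this over your
    own domains catches an impending lapse, a common root cause of domain takeover."""
    raw = fields.get("Registry Expiry Date")
    if raw is None:
        return None
    expiry = parse_iso(raw[0] if isinstance(raw, list) else raw)
    return (expiry - (now or datetime.now(timezone.utc))).days

# Constructed sample reply: field names mirror common registry output, values are fictional.
SAMPLE_RESPONSE = """\
% constructed comment line, as servers often prepend
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""
```

For a live lookup, `parse_whois(whois_query("example.com", server="whois.verisign-grs.com"))` would query the .com registry directly; the registry server for a given TLD is itself found via the referral IANA returns.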

2. DNS Lookup:

DNS (Domain Name System) lookup allows you to retrieve DNS records associated with a domain name or IP address.

  • Command:

    nslookup <domain_name or IP_address>

3. DNS Enumeration Tools:

These tools automate the process of gathering information about a target's DNS records, including subdomains.

  • Examples of DNS enumeration tools:

    • Sublist3r:

      sublist3r -d <domain_name>

    • DNSenum:

      dnsenum <domain_name>

    • Fierce:

      fierce --domain <domain_name>

4. Search Engines:

Search engines can be a valuable resource for finding publicly available information about a target.

  • Examples of search engines:

    • Google:

      • Search for domain-related information:

        site:<domain_name>

      • Search for subdomains:

        site:*.<domain_name>

    • Shodan:

      • Search for IP-related information and open services:

        ip:<IP_address>

    • Censys:

      • Search for information about domains, IP addresses, certificates, etc.:

        <search_query>

Last updated 2 years ago