Enumeration Cheatsheets

Active & Passive Recon Cheatsheet

This post contains various commands and methods for performing active and passive recon of a target. It will be expanded as time goes on.

Performing Whois lookups

We can utilize public WHOIS databases to perform lookups on domains.

It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar.

We can also utilize a Kali terminal for this:
whois <targetDomain>

You can use additional options to instruct the tool to use a different server.
whois -h whois.godaddy.com <targetDomain>
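WHOIS output is free-form text and the field labels differ between registrars, so the useful part is usually pulling out the registrar, the expiry date and the nameservers and normalizing them. The shell function below does that with awk; it is an added example, not part of the original post, and the WHOIS record it is fed is constructed (the domain, registrar and nameserver values are placeholders). Against a live target it is used as `whois <targetDomain> | whois_summary`.

```shell
#!/bin/sh
# Added example: summarize a raw WHOIS record from stdin.
# Matching is case-insensitive on the label and tolerant of surrounding
# whitespace, because registrars format these fields inconsistently.
whois_summary() {
    awk -F: '
        {
            # Label is everything before the first colon, lower-cased and trimmed.
            label = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", label)
            # Value is everything after the first colon (dates contain colons).
            value = $0; sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t\r]+$/, "", value)
        }
        label == "registrar" && registrar == "" { registrar = value }
        label ~ /expir/ && expiry == ""         { expiry = value }
        label == "name server"                  { ns[tolower(value)] = 1 }  # dedupe by case
        END {
            printf "registrar=%s\n", registrar
            printf "expiry=%s\n", expiry
            for (n in ns) print "nameserver=" n
        }
    ' | sort
}

# Constructed sample record (placeholder values, not a real lookup).
SAMPLE_WHOIS='Domain Name: example.net
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, LLC
Registry Expiry Date: 2026-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: ns2.example.net
Name Server: ns1.example.net
>>> Last update of WHOIS database: 2025-01-01T00:00:00Z <<<'

# Run stand-alone: prints the normalized summary of the sample record.
printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
```

Because the nameservers are lower-cased before deduplication, the two differently cased `ns1.example.net` entries collapse into one, which is what you want before feeding the list into the DNS checks further down.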

Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:

Performing DNS enumeration with Dig

To extract A records and nameservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/
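The `+noall +answer` output above is one record per line in the form `name ttl IN type rdata`, which makes it easy to post-process. The functions below (an added example, not from the original post) filter that output by record type, list MX hosts in preference order, list the hostnames a zone transfer exposed, and return success only when the output looks like a completed AXFR (a SOA record at the start and end with other records in between). The last check is the one to run against your own authoritative servers to confirm they refuse transfers. The sample outputs are constructed, with placeholder names and documentation-range addresses.

```shell
#!/bin/sh
# Added example: helpers for dig "+noall +answer" output read from stdin.
# Live usage:  dig +nocmd <targetDomain> MX +noall +answer | mx_hosts
#              dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer> | axfr_allowed

# Print the RDATA of answer lines whose record type equals $1; comment lines
# (starting with ";") such as "; Transfer failed." are ignored.
dig_rdata() {
    awk -v want="$1" '$0 !~ /^;/ && NF >= 5 && $4 == want {
        out = $5; for (i = 6; i <= NF; i++) out = out " " $i; print out
    }'
}

# MX hosts, lowest preference value (most preferred) first.
mx_hosts() {
    dig_rdata MX | sort -n | awk '{ print $2 }'
}

# Unique owner names of A/AAAA records, i.e. the hostnames a transfer revealed.
axfr_hosts() {
    awk '$0 !~ /^;/ && ($4 == "A" || $4 == "AAAA") { print $1 }' | sort -u
}

# Exit 0 when stdin is a successful zone transfer: at least two SOA lines
# (first and last record) plus at least one other record. Exit 1 otherwise.
axfr_allowed() {
    awk '$0 !~ /^;/ && NF >= 5 { total++; if ($4 == "SOA") soa++ }
         END { exit !(soa >= 2 && total > soa) }'
}

# Constructed sample of a transfer that succeeded (placeholder zone).
SAMPLE_AXFR='example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.      3600 IN NS  ns1.example.test.
example.test.      3600 IN MX  20 mx2.example.test.
example.test.      3600 IN MX  10 mx1.example.test.
www.example.test.  300  IN A   192.0.2.10
dev.example.test.  300  IN A   192.0.2.11
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600'

# Constructed sample of a server that refused the transfer.
SAMPLE_REFUSED='; Transfer failed.'

# Run stand-alone: show what each helper extracts from the samples.
printf '%s\n' "$SAMPLE_AXFR" | mx_hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
if printf '%s\n' "$SAMPLE_AXFR" | axfr_allowed; then echo "sample zone: transfer allowed"; fi
if printf '%s\n' "$SAMPLE_REFUSED" | axfr_allowed; then :; else echo "refused sample: transfer not allowed"; fi
```

The `axfr_allowed` test deliberately ignores dig's comment lines and counts records instead, so it gives the same answer whether or not dig printed the `; Transfer failed.` notice for a refused request.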

Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNameserver>

We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records, and finally attempts a zone transfer.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNameserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt

DNSMap to enumerate subdomains in bulk fashion:
dnsmap-bulk.sh domains.txt /tmp/results.txt

DNSRecon is an ‘all-in-one’ tool that covers most of the above in a single run.
dnsrecon -d <targetDomain>

Google and Bing Dorking

Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search:

Search Google for results within a particular website:

Search Google for specific filetypes:
site:<targetURL> filetype:pdf

Search Google for particular text in title:
site:<targetURL> intitle:admin
site:<targetURL> intitle:"index of"

Search Google for particular text in body:
site:<targetURL> intext:admin
site:<targetURL> intext:"index of"

Additional payloads are found here. https://gist.github.com/clarketm/919457847cece7ce40323dc217623054

Various Tools:
