Information Gathering

Getting information about the technologies a website uses
- BuiltWith: reference link
- Wappalyzer: reference link
- Whatweb
whatweb [DNS]
- DNS: reference link

Downloading a complete website
- webHTTrack

Getting the IP address
- DNS
host [DNS]

Website Footprinting
- Looking for the robots.txt file (a file, not a folder; the Disallow entries are the interesting part)
http://[DNS]/robots.txt
- Looking for the sitemap.xml file
http://[DNS]/sitemap.xml

Identifying records
- Whois
whois [DNS]
- Whois in browser: reference link
- Netcraft: reference link
- DNS Recon
dnsrecon -d [DNS]
- DNSdumpster: reference link

Web Application Firewall Fingerprinting
- wafw00f: reference link
wafw00f [DNS]
- Test every WAF signature instead of stopping at the first match (-a is the short form of --findall)
wafw00f [DNS] -a
wafw00f [DNS] --findall

Subdomain Enumeration
- Sublist3r: reference link
sublist3r -d [DNS] -e google,yahoo
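For the Website Footprinting step above, the value of robots.txt and sitemap.xml is the list of paths they reveal, not whether a crawler may fetch them (which is all urllib.robotparser answers). The following is an added example, not code from any tool on this page: it parses both files into a list of URLs worth requesting by hand, skipping wildcard patterns that are not real paths. The robots.txt and sitemap.xml contents and the host example.com are constructed samples.

```python
"""Pull probe-worthy paths out of robots.txt and sitemap.xml (added example).

The two documents below are constructed samples for the hypothetical host
example.com; they are not real responses from any site.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample of http://[DNS]/robots.txt
ROBOTS_TXT = """\
# robots.txt for example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/          # legacy app, still deployed
Disallow: /api/internal/
Allow: /api/public/
Disallow: /*.bak$
Disallow: /cgi-bin/

User-agent: Googlebot
Disallow: /staging/

Sitemap: https://example.com/sitemap.xml
"""

# Constructed sample of http://[DNS]/sitemap.xml
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/products/</loc></url>
  <url><loc>https://example.com/internal/reports/</loc></url>
</urlset>
"""


def _add_unique(items, value):
    """Append while keeping first-seen order and dropping duplicates."""
    if value not in items:
        items.append(value)


def parse_robots(text):
    """Collect every Disallow/Allow path and Sitemap URL across all User-agent groups."""
    found = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        key = {"disallow": "disallow", "allow": "allow", "sitemap": "sitemaps"}.get(field.lower())
        if key and value:
            _add_unique(found[key], value)
    return found


def parse_sitemap(xml_text):
    """Return every <loc> URL; the namespace is ignored so urlset and sitemapindex both work."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]


def probe_targets(robots, base_url):
    """Turn literal Disallow paths into absolute URLs to request manually.

    Entries containing '*' or '$' are wildcard patterns, not paths, and a bare '/'
    would mean the whole site, so neither is useful as a probe target.
    """
    targets = []
    for path in robots["disallow"]:
        if path == "/" or "*" in path or "$" in path:
            continue
        _add_unique(targets, urljoin(base_url, path))
    return targets


def footprint(robots_txt, sitemap_xml, base_url):
    """Combine both sources into one dict of URL lists."""
    robots = parse_robots(robots_txt)
    return {
        "probe": probe_targets(robots, base_url),
        "sitemap_urls": parse_sitemap(sitemap_xml),
        "declared_sitemaps": robots["sitemaps"],
    }


if __name__ == "__main__":
    for section, urls in footprint(ROBOTS_TXT, SITEMAP_XML, "https://example.com").items():
        print(f"[{section}]")
        for url in urls:
            print("  ", url)
```

Feed it the real files with `curl -s http://[DNS]/robots.txt` and `curl -s http://[DNS]/sitemap.xml`; the sitemap is parsed with ElementTree, which does not resolve external entities, so a hostile sitemap cannot turn this into an XXE problem.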
Google Dorks
site:[domain]
site:[domain] inurl:admin
site:[domain] inurl:forum
site:*.[domain]
site:*.[domain] inurl:admin
site:*.[domain] intitle:admin
site:*.[domain] filetype:pdf
site:*.[domain] filetype:pdf [something]
site:*.[domain] filetype:pdf marketing, crm, xlsx, xls, sales
site:*.[domain] filetype:[xlsx, xls, doc, pdf, zip]
site:[domain] employees
site:[domain] instructors
intitle:index
cache:[domain]
inurl:auth_user_file.txt
inurl:passwd.txt
site:gov.* intitle:"index of" *.csv password
Archived old versions of a website
Email Harvesting
theHarvester -d [DNS] -b google,linkedin
Leaked Password Database
Active information gathering
- A (Host address)
- AAAA (IPv6 host address)
- NS (Name Server)
- MX (Mail eXchange)
- CNAME (Canonical name for an alias)
- TXT (Descriptive text)
- HINFO (Host information)
- SOA (Start Of Authority) Domain authority
- SRV (location of service) Service Records
- PTR (Pointer) Resolves an IP address to a hostname
- DNS record enumeration
dnsrecon -d [DNS]
dnsenum [DNS]
- Zone transfer (AXFR) attempt against one of the domain's name servers; zonetransfer.me is a demo zone that deliberately allows it
dig axfr @[name-server] [DNS]
dig axfr @nsztm1.digi.ninja zonetransfer.me
- DNS reconnaissance (zone transfer attempt plus subdomain brute force)
fierce --domain [DNS]
- Host discovery (ping sweep; takes a hostname or an IP range)
nmap -sn [DNS]
- ARP scan of the local network (-r takes a CIDR range such as 192.168.1.0/24, not a hostname)
sudo netdiscover -i eth0 -r [IP range]
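A successful `dig axfr` dumps the whole zone, and the finding is usually not the transfer itself but what the records reveal: internal hostnames, RFC 1918 addresses, mail and SIP infrastructure. The following is an added example, not part of dig or dnsrecon: it parses dig's answer lines into the record types listed above, builds a host inventory, and flags records that leak internal address space. AXFR_OUTPUT is a constructed zone for the hypothetical domain example.com, not the real zonetransfer.me zone.

```python
"""Triage `dig axfr` output into a host inventory (added example).

AXFR_OUTPUT is a constructed sample in dig's answer-line format for the
hypothetical domain example.com; it is not a real zone transfer.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `dig axfr @ns1.example.com example.com`
AXFR_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> axfr @ns1.example.com example.com
;; global options: +cmd
example.com.            7200    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 172800 900 1209600 3600
example.com.            7200    IN      NS      ns1.example.com.
example.com.            7200    IN      NS      ns2.example.com.
example.com.            7200    IN      MX      10 mail.example.com.
example.com.            300     IN      TXT     "v=spf1 mx ip4:203.0.113.0/24 -all"
example.com.            7200    IN      A       203.0.113.10
www.example.com.        7200    IN      CNAME   example.com.
mail.example.com.       7200    IN      A       203.0.113.25
ns1.example.com.        7200    IN      A       203.0.113.53
ns2.example.com.        7200    IN      A       198.51.100.53
_sip._tcp.example.com.  14400   IN      SRV     0 0 5060 sip.example.com.
sip.example.com.        7200    IN      AAAA    2001:db8::25
intranet.example.com.   7200    IN      A       10.0.0.15
vpn-gw.example.com.     7200    IN      A       192.168.10.1
build01.example.com.    7200    IN      HINFO   "Intel" "Linux"
example.com.            7200    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 172800 900 1209600 3600
;; Query time: 40 msec
"""

# RFC 1918 plus IPv6 ULA, checked explicitly: ipaddress's is_private would also match
# the documentation ranges (203.0.113.0/24, 2001:db8::/32) used in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_axfr(text):
    """Return (name, ttl, rtype, rdata) tuples; dig's ';' comment lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # rdata keeps its spaces (SOA, MX, SRV, TXT)
        if len(parts) != 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records


def by_type(records):
    """Group records as {rtype: [(name, rdata), ...]} in zone order."""
    grouped = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        grouped[rtype].append((name, rdata))
    return dict(grouped)


def is_internal(ip_text):
    """True for RFC 1918 / ULA addresses; non-addresses are simply not internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def leaked_internal_hosts(records):
    """A/AAAA records pointing into private space: the zone is leaking internal topology."""
    return sorted({(name, rdata) for name, _ttl, rtype, rdata in records
                   if rtype in ("A", "AAAA") and is_internal(rdata)})


def host_inventory(records):
    """Map hostname -> sorted addresses, resolving single-hop CNAMEs inside the zone."""
    addrs = defaultdict(set)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs[name].add(rdata)
    for name, _ttl, rtype, rdata in records:
        if rtype == "CNAME":
            addrs[name].update(addrs.get(rdata.rstrip("."), set()))
    return {host: sorted(ips) for host, ips in addrs.items()}


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    for rtype, entries in by_type(recs).items():
        print(rtype, entries)
    print("internal hosts leaked:", leaked_internal_hosts(recs))
```

In practice: `dig axfr @[name-server] [DNS] > zone.txt`, then run the parser over the file; the SOA appearing twice is normal, since dig prints it at the start and end of a complete transfer.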