Passive

Domain & Subdomain discovery

# Subdomain enumeration
subfinder -d target.com -all -recursive -o subdomains.txt
amass enum -passive -d target.com -o amass_subs.txt
assetfinder --subs-only target.com > assetfinder_subs.txt

# Combine and deduplicate
cat subdomains.txt amass_subs.txt assetfinder_subs.txt | sort -u > all_subdomains.txt

# Validate live hosts
httpx -l all_subdomains.txt -o live_hosts.txt -title -tech-detect -status-code

Technology fingerprinting

# Detect technologies
whatweb -v -a 3 https://target.com
wappalyzer https://target.com

# Check HTTP headers
curl -I https://target.com

# Identify CMS/Framework
# WordPress: /wp-admin, /wp-content
# Drupal: /user/login, CHANGELOG.txt
# Next.js: /_next/static
# React: view-source for React patterns

OSINT (Open Source INTelligence)

# Google Dorking
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com inurl:login
site:target.com inurl:config
site:target.com ext:sql
site:target.com ext:env
site:target.com "Index of /"

# GitHub/GitLab reconnaissance
# Search for: target.com, API keys, credentials, config files
# Tools: truffleHog, GitDorker, GittyLeaks

# Shodan/Censys
shodan search hostname:target.com
shodan search ssl:target.com

# Wayback Machine
waybackurls target.com > wayback_urls.txt
gau target.com > gau_urls.txt

DNS Enumeration

# DNS enumeration
dig target.com ANY
nslookup target.com
host -a target.com

# DNS zone transfer (rare but worth checking)
dig axfr @ns1.target.com target.com

# Reverse DNS
dig -x <IP_ADDRESS>

PreviousInformation Gathering NextActive

Last updated 3 months ago

hashtagDomain & Subdomain discovery

hashtagTechnology fingerprinting

hashtagOSINT (Open Source INTelligence)

hashtagDNS Enumeration

Domain & Subdomain discovery

Technology fingerprinting

OSINT (Open Source INTelligence)

DNS Enumeration