LSWSec - Offensive

Website

When beginning recon on a domain, the first thing to do is to view the webpage. Have a look around and become familiar with the layout.

Make a note of important things like

Who is

The next thing to do is a WHOIS lookup to find out who owns and created the domain.

These commands resolve the domain name to its IP address:

host website.com
nslookup website.com

whois can then be run against the IP address returned by the DNS lookup. Note that a WHOIS query on an IP returns the netblock allocation (often a hosting provider) rather than the registrant shown by a WHOIS query on the domain name itself, so both are worth recording.

whois 192.168.1.101
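The host-then-whois step above, as an added shell example that is not part of the LSWSec page. The live pipeline (recon_domain) assumes the host and whois clients are installed; the two parsers are exercised on constructed sample records (example.com, 192.0.2.10 and the registrar data are made up) so the parsing logic can be checked offline.

```shell
#!/bin/sh
# Added example, not from the LSWSec page: glue for the "resolve, then whois"
# step. Network access is confined to recon_domain; the parsers run offline.

# Pull IPv4/IPv6 addresses out of `host` output, one per line. `host` prints
# lines such as "example.com has address 192.0.2.10" and
# "example.com has IPv6 address 2001:db8::10"; MX lines are skipped.
extract_ips() {
    awk '/has (IPv6 )?address/ { print $NF }'
}

# Read one field from a whois record on stdin, e.g. `whois_field Registrar`.
# Keys are matched case-insensitively against "Key:" at the start of a line;
# the first match wins and surrounding whitespace is trimmed.
whois_field() {
    awk -v k="$1" '
        BEGIN { k = tolower(k) }
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == k) {
                val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# Constructed sample records (not real lookups); real output varies by registrar.
SAMPLE_HOST='example.com has address 192.0.2.10
example.com has IPv6 address 2001:db8::10
example.com mail is handled by 10 mail.example.com.'

SAMPLE_WHOIS='% Constructed sample, not a real record
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2010-01-15T00:00:00Z
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET'

# Live pipeline (needs network): resolve the domain, then whois each address.
recon_domain() {
    host "$1" | extract_ips | while read -r ip; do
        echo "== whois $ip =="
        whois "$ip" | sed -n '1,20p'
    done
}

# Offline demonstration on the constructed samples.
demo() {
    echo "$SAMPLE_HOST" | extract_ips
    echo "$SAMPLE_WHOIS" | whois_field Registrar
    echo "$SAMPLE_WHOIS" | whois_field 'Creation Date'
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run `sh recon.sh demo` to see the parsers on the sample data, or source the file and call `recon_domain website.com` for a live lookup. Keeping the parsers separate from the network calls is what makes the output reusable in later steps (feeding the IPs into the footprinting stage) instead of eyeballing raw whois text.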

Website OSINT tools

  • BuiltWith – https://builtwith.com/

  • Domain Dossier – https://centralops.net/co/

  • DNSlytics – https://dnslytics.com/reverse-ip

  • SpyOnWeb – https://spyonweb.com/

  • Virus Total – https://www.virustotal.com/

  • Visual Ping – https://visualping.io/

  • Back Link Watch – http://backlinkwatch.com/index.php

  • View DNS – https://viewdns.info/

Search for website

  • Domain Dossier (above) can be used to scan a domain and gather its records in one place.

  • WHOIS record – who owns the website

  • DNS records – find where email may be hosted

  • reddit.com/domain/domain.com – Reddit posts that link to the domain

Website OSINT Tools

  • Subfinder – https://github.com/projectdiscovery/subfinder

  • Assetfinder – https://github.com/tomnomnom/assetfinder

  • httprobe – https://github.com/tomnomnom/httprobe

  • Amass – https://github.com/OWASP/Amass

  • GoWitness – https://github.com/sensepost/gowitness/wiki/Installation

  • Wappalyzer (Firefox extension)

Last updated 2 years ago