
Passive Reconnaissance

Passive Reconnaissance

WHOIS

WHOIS is a request/response protocol specified in RFC 3912. The WHOIS server replies with various information about the requested domain (registrar, registration and expiry dates, name servers, contact details). The syntax is:

whois DOMAIN_NAME

Nslookup and dig

Nslookup (Name Server Look Up)

To find the IP address of a domain name.

nslookup DOMAIN_NAME
nslookup OPTIONS DOMAIN_NAME SERVER   # OPTIONS: the query type; SERVER: the DNS server to query, e.g. 8.8.8.8 or 1.1.1.1
nslookup -type=A tryhackme.com 1.1.1.1
  • Query type: A (IPv4 address), AAAA (IPv6 address), CNAME (canonical name), MX (mail servers), SOA (start of authority), TXT (TXT records)

Dig (Domain Information Groper)

For more advanced DNS queries and additional information.

dig DOMAIN_NAME
dig DOMAIN_NAME TYPE
dig @SERVER DOMAIN_NAME TYPE

DNSDumpster

DNSDumpster is a website where we can also find a domain's subdomains.

Shodan

Shodan.io lets us learn information about the client's network without actively connecting to it.

Active Reconnaissance

Web browser

FoxyProxy

Lets us change the proxy server used by the browser.

User-Agent Switcher and Manager

Lets us access the webpage as if from a different OS or a different web browser.

Wappalyzer

Provides insights about the technologies used on the visited websites.

Ping

Sends an ICMP Echo Request packet to a remote system and waits for the Echo Reply.

ping HOSTNAME

Traceroute

traceroute HOST   # tracert in MS Windows

Each router decrements the packet's TTL by one before passing it to the next router. If the TTL reaches 0, the packet is dropped and the router reports back with an ICMP Time Exceeded message, which is how traceroute discovers each hop along the path.

Telnet (Teletype Network)

Protocol to communicate with a remote system. It's useful to collect a server's banner.

telnet HOST PORT

Netcat

Has different applications. It can function as a client and as a server. It can also be used to collect a server's banner.

nc HOST PORT
nc -nlvp 1234   # Opens a port and listens on it
  • -l listen mode
  • -p Port. Should appear just before the port number
  • -n Numeric only, no DNS resolution
  • -v Verbose
  • -k Keep listening after the client disconnects
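The banner-grabbing exchange described in the Telnet and Netcat sections, as an added example that is not part of the original notes: start_banner_listener() plays the role of nc -nlvp (with -k as the keep_listening flag) on a loopback port, and grab_banner() plays the role of nc HOST PORT / telnet HOST PORT. The function names and the SSH-style banner string are constructed for this example. It also handles the failure mode telnet and nc hide: a service that waits for the client to speak first (HTTP, for instance) never sends a banner, so the client returns an empty string after a timeout instead of hanging.

```python
import socket
import threading


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and wait up to `timeout` seconds for the service to speak first.
    Returns the banner text, or "" if the service stayed silent (e.g. HTTP)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:      # server is waiting for us instead
            return ""
    return data.decode("utf-8", errors="replace").strip()


def start_banner_listener(banner: bytes, keep_listening: bool = False):
    """Stand-in for `nc -nlvp PORT` on 127.0.0.1 (port 0 = OS picks one).
    Sends `banner` to each client; an empty banner models a silent service
    that waits for the client's first bytes. Returns (thread, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            while True:
                conn, _ = srv.accept()
                with conn:
                    if banner:
                        conn.sendall(banner)
                    else:
                        conn.recv(1)      # wait for the client, like HTTP does
                if not keep_listening:    # without -k, nc exits after one client
                    break

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t, port


if __name__ == "__main__":
    # Constructed sample banner; real SSH servers send a similar first line.
    _, p = start_banner_listener(b"SSH-2.0-OpenSSH_9.6\r\n")
    print(grab_banner("127.0.0.1", p))           # SSH-2.0-OpenSSH_9.6
    _, q = start_banner_listener(b"")
    print(repr(grab_banner("127.0.0.1", q, 0.5)))  # '' (silent service)
```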