CEH Practicals v12
HomeWriteupsResourcesCheatsheets

Foot Printing and Reconnaisance

Directory Enumeration - Finding Directories in a Website

Using Gobuster

gobuster dir -u http://10.10.10.1/ -w usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Using ffuf

ffuf -u http://10.10.10.11/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

File Enumeration - Finding Specific files in a Website

Using Gobuster

gobuster dir -u http://10.10.10.1/ -w usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.css,.js

Using ffuf

ffuf -u http://10.10.10.11/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.css,.js,.conf

VHOST Enumeration - Finding Subdomains of a Website

Using Gobuster

gobuster vhost -u http://example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

Using ffuf

ffuf -u http://example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H “HOST:FUZZ.example.com”

Digital Certificates

We can find subdomains from certificates issued to the main domain as sometimes they all use the same certificate.

Digital Certificates Search Engines

DNS Enumeration

Automated Tools

  • dnsrecon -d zonetransfer.me -t axfr

  • dnsenum zonetransfer.me

  • fierce --domain zonetransfer.me

Linux

  • dig <ip/domain> - Normal / DNS lookup

  • dig ns zonetransfer.me - Name Server

  • dig mx zonetransfer.me - Mail Server

  • dig cname zonetransfer.me - cname record

  • host zonetransfer.me - Normal / DNS lookup

  • host -t ns zonetransfer.me - Name Server

  • host -t mx zonetransfer.me - Mail Server

  • host -t cname zontransfer.me - cname record

  • host <IP> - Reverse Lookup

Windows

  • nslookup zonetransfer.me

  • Just type nslookup to enter interactive mode in windows.

  • Then type set type=ns, press enter [ type = ns, txt, …. ]

  • Next type zonetransfer.me, press enter

Zone Transfer

Finding Name Servers

First find the name servers using any one of the following commands:

  • host -t ns zonetransfer.me

  • dig ns zonetransfer.me

Then Check each name server for zone transfer using the following commands:

Using host

host -l zonetransfer,me

Using dig

dig axfr zonetransfer.me @<nameserver>

Using nslookup

# Interactive Mode
nslookup
> set type=ns
> zonetransfer.me
> server <nameserver>
> set type=any
> ls -d zonetransfer.me
PreviousIntroductionNextNetwork Scanning and Enumeration

Last updated