Foot Printing and Reconnaisance

Directory Enumeration - Finding Directories in a Website

Using Gobuster

gobuster dir -u http://10.10.10.1/ -w usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Using ffuf

ffuf -u http://10.10.10.11/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

File Enumeration - Finding Specific files in a Website

Using Gobuster

gobuster dir -u http://10.10.10.1/ -w usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.css,.js

Using ffuf

ffuf -u http://10.10.10.11/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.css,.js,.conf

VHOST Enumeration - Finding Subdomains of a Website

Using Gobuster

gobuster vhost -u http://example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

Using ffuf

ffuf -u http://example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H “HOST:FUZZ.example.com”

Digital Certificates

We can find subdomains from certificates issued to the main domain as sometimes they all use the same certificate.

Digital Certificates Search Engines

DNS Enumeration

Automated Tools

dnsrecon -d zonetransfer.me -t axfr
dnsenum zonetransfer.me
fierce --domain zonetransfer.me

Linux

dig <ip/domain> - Normal / DNS lookup
dig ns zonetransfer.me - Name Server
dig mx zonetransfer.me - Mail Server
dig cname zonetransfer.me - cname record
host zonetransfer.me - Normal / DNS lookup
host -t ns zonetransfer.me - Name Server
host -t mx zonetransfer.me - Mail Server
host -t cname zontransfer.me - cname record
host <IP> - Reverse Lookup

Windows

nslookup zonetransfer.me
Just type nslookup to enter interactive mode in windows.
Then type set type=ns, press enter [ type = ns, txt, …. ]
Next type zonetransfer.me, press enter

Zone Transfer

Finding Name Servers

First find the name servers using any one of the following commands:

host -t ns zonetransfer.me
dig ns zonetransfer.me

Then Check each name server for zone transfer using the following commands:

Using host

host -l zonetransfer,me

Using dig

dig axfr zonetransfer.me @<nameserver>

Using nslookup

# Interactive Mode
nslookup
> set type=ns
> zonetransfer.me
> server <nameserver>
> set type=any
> ls -d zonetransfer.me

PreviousIntroduction NextNetwork Scanning and Enumeration

Last updated 2 years ago

hashtagDirectory Enumeration - Finding Directories in a Website

hashtagUsing Gobuster

hashtagUsing ffuf

hashtagFile Enumeration - Finding Specific files in a Website

hashtagUsing Gobuster

hashtagUsing ffuf

hashtagVHOST Enumeration - Finding Subdomains of a Website

hashtagUsing Gobuster

hashtagUsing ffuf

hashtagDigital Certificates

hashtagDigital Certificates Search Engines

hashtagDNS Enumeration

hashtagAutomated Tools

hashtagLinux

hashtagWindows

hashtagZone Transfer

hashtagFinding Name Servers

hashtagUsing host

hashtagUsing dig

hashtagUsing nslookup

Directory Enumeration - Finding Directories in a Website

Using Gobuster

Using ffuf

File Enumeration - Finding Specific files in a Website

Using Gobuster

Using ffuf

VHOST Enumeration - Finding Subdomains of a Website

Using Gobuster

Using ffuf

Digital Certificates

Digital Certificates Search Engines

DNS Enumeration

Automated Tools

Linux

Windows

Zone Transfer

Finding Name Servers

Using host

Using dig

Using nslookup