Week 1 - nicolas-tullio/Tech-Journal GitHub Wiki

Passive Reconnaissance and tool usage

Passive reconnaissance is a form of gathering information without directly interacting with the selected target. Below are tools used in the passive recon phase.

theHarvester

A tool for gathering e-mail accounts and subdomain names from public sources.

Example: theHarvester -d champlain.edu -l 500 -b google

-d: the domain to search (champlain.edu)

-l: limit the number of results (500)

-b: data source (google, bing, yahoo, twitter, linkedin, etc.)

metagoofil

Allows for extraction of metadata from public documents published under the target domain.

Example: sudo metagoofil -d champlain.edu -t pdf -l 15 -o metagoo_out/

-d: the domain to search (champlain.edu)

-t: filetype to download (pdf, doc, xls, ppt, odp, ods, docx, xlsx, pptx)

-l: limit the number of results (15)

-o: working directory (location to save downloaded files)

dnsrecon

A tool used to discover and enumerate DNS-related information about a target domain.

Example: dnsrecon -d champlain.edu -a

-d: the domain to search (champlain.edu)

-a: attempt a zone transfer (AXFR) against the domain's name servers
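The zone-transfer option above sends an AXFR request straight to the domain's name servers, so unlike the other lookups on this page it is an active query, and it is most useful as a check against zones you administer yourself: a name server that answers AXFR to anyone hands out the whole zone file. The script below is an added example, not part of the wiki page or of dnsrecon; it uses dig (from bind-utils/dnsutils) and assumes the standard "Transfer failed." / "no servers could be reached" wording that dig prints. The sample outputs are constructed to match dig's format (spaces instead of dig's tabs), so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the wiki page: check whether each authoritative
# name server of a zone answers AXFR (zone transfer) requests, the same
# exposure `dnsrecon -d <domain> -a` probes. Needs `dig` for the live
# check; the classifier itself needs no network.

# axfr_status: classify the text that `dig @<ns> <zone> AXFR` printed.
# Prints one of: open | refused | unreachable | unknown
axfr_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
    # A completed transfer lists resource records; the zone's SOA record
    # (a non-comment line containing "IN SOA") only appears on success.
    elif printf '%s\n' "$out" | grep -v '^;' \
            | grep -q '[[:space:]]IN[[:space:]][[:space:]]*SOA[[:space:]]'; then
        echo open
    else
        echo unknown
    fi
}

# check_zone: query every NS of the zone, print "<ns> <status>" per server.
# Returns 1 if any server allowed the transfer, 0 otherwise.
check_zone() {
    zone=$1
    found=0
    for ns in $(dig +short NS "$zone"); do
        out=$(dig @"$ns" "$zone" AXFR +time=5 +tries=1 2>&1)
        status=$(axfr_status "$out")
        echo "$ns $status"
        [ "$status" = open ] && found=1
    done
    return $found
}

# Constructed sample outputs (not captured from a real server), shaped like
# what dig prints, used to exercise axfr_status without network access.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
; (1 server found)
;; global options: +cmd
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.      3600  IN  NS   ns1.example.test.
www.example.test.  3600  IN  A    192.0.2.10
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec'

SAMPLE_DOWN=';; communications error to 192.0.2.53#53: timed out
;; no servers could be reached'

# Live use: ./axfr_check.sh example.org   (prints one line per name server)
if [ -n "${1:-}" ]; then
    check_zone "$1"
fi
```

Any server reported as "open" should be restricted with an allow-transfer (BIND) or equivalent ACL so that only secondary name servers can pull the zone.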

netcraft

An online, browser-based tool that reports the technologies and infrastructure used by a site.

Enter the domain name and click Look up. The report covers the site's background, network, IP delegation, SSL/TLS, web trackers, etc.

https://sitereport.netcraft.com/