Information Gathering | OSINT

Information Gathering is the act of collecting every kind of information about the target person, organization or system before any active testing starts. Much of it can be done passively from public sources (OSINT) without sending a single packet to the target's own infrastructure.

Email Gathering

Find Breached Passwords: pastebin, ghostbin, haveibeenpwned, Breachparse, Advanced Search, RF OSINT

Usernames

Reverse Image Search: Yandex, Bing, Google

Subdomain Hunting

theHarvester (emails, hosts and subdomains from search engines and other sources): theHarvester -d tesla.com -l 500 -b google

sublist3r (subdomain enumeration from search engines)

Certificate transparency search: hunt subdomains in issued TLS certificates (crt.sh)

OWASP Amass (subdomain enumeration and attack-surface mapping)
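Certificate-search results need cleaning before they are useful: the same name turns up in many certificates, wildcard certificates hide the real hosts, and look-alike domains (notexample.com, example.com.evil.net) match a naive substring search. The following is an added example, not code from the original cheatsheet: a small Python parser for crt.sh's JSON output that dedupes, lowercases, scopes to the target domain and records the bases of wildcard certificates. The field names `common_name` and `name_value` (newline-separated SANs) are crt.sh's JSON format; the records in `SAMPLE_CRTSH_JSON` are constructed for the demo, not real certificate transparency data.

```python
"""Pull in-scope hostnames out of crt.sh's JSON output.

Added example, not code from the original cheatsheet.  The record layout
(common_name / name_value with newline-separated SANs) is crt.sh's JSON
format; the records in SAMPLE_CRTSH_JSON are constructed for the demo and
are not real CT data.  A live query (not performed here) would be:
    https://crt.sh/?q=%25.example.com&output=json
"""
import json
import re

# Plain hostname labels only: rejects empty strings, e-mail SANs and junk.
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")

# Constructed sample in crt.sh's shape: mixed case, a wildcard cert, an
# out-of-scope look-alike domain and duplicate names across entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "VPN.Example.com",
     "name_value": "vpn.example.com\nmail.example.com"},
    {"id": 4, "common_name": "notexample.com",
     "name_value": "notexample.com\nexample.com.evil.net"},
    {"id": 5, "common_name": "dev.example.com",
     "name_value": "dev.example.com\n*.dev.example.com\nstaging.example.com"},
])


def in_scope(host, domain):
    """True for the apex itself and anything under it; a plain substring
    test would also accept notexample.com and example.com.evil.net."""
    return host == domain or host.endswith("." + domain)


def extract_subdomains(crtsh_json, domain):
    """Return (hostnames, wildcard_bases) for `domain`, both sorted.

    hostnames:      every concrete in-scope name seen in any certificate
    wildcard_bases: names that had a *.name certificate; any label under
                    them is likely to resolve, so brute-force there next
    """
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # keep the base the wildcard covers
                if in_scope(name, domain):
                    wildcards.add(name)
            if not HOSTNAME_RE.match(name) or not in_scope(name, domain):
                continue
            hosts.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(hosts))            # feed this list to httprobe / amass / nmap
    print("wildcard bases:", wildcards)
```

The hostname list is what you hand to httprobe or assetfinder afterwards; the wildcard bases tell you where a DNS brute-force will pay off, and also where a wildcard DNS record may make every guess "resolve", so check a random label first.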

WhatWeb (fingerprints the web server, frameworks, CMS and plugins behind a site)

Google Advanced Search (dorks):

site:tesla.com (restrict results to the target domain)

site:tesla.com -www (exclude the main www host so other subdomains surface)

filetype:pdf (restrict to PDF documents; combined with site: it finds documents the target published, which often leak usernames, e-mail formats and internal paths)

intitle:tesla (match the page title)

DNS Record Types

DNS isn't just for websites, and several types of DNS record exist. These are the most common ones you're likely to come across, and each one leaks a different piece of the target's footprint.

A Record

These records resolve to IPv4 addresses, for example 104.26.10.229

AAAA Record

These records resolve to IPv6 addresses, for example 2606:4700:20::681a:be5

CNAME Record

These records resolve to another domain name. For example, TryHackMe's online shop has the subdomain store.tryhackme.com, which returns a CNAME record pointing to shops.shopify.com. Another DNS request is then made for shops.shopify.com to work out the IP address. A CNAME pointing at a third party tells you which SaaS provider hosts that service, and a CNAME whose target no longer exists is a candidate for subdomain takeover.

MX Record

These records give the hostnames of the servers that accept email for the domain you are querying. For example, an MX record response for tryhackme.com would look something like alt1.aspmx.l.google.com. Each MX record also carries a priority value; clients try the server with the lowest value first, so a backup server with a higher value takes over when the primary is down.

TXT Record

TXT records are free-text fields where any text-based data can be stored. They have multiple uses: a common one is the SPF record, which lists the servers authorised to send email on behalf of the domain (this helps in the battle against spam and spoofed email, and for OSINT it reveals the third-party mail providers the target uses). They are also used to verify ownership of the domain name when signing up for third-party services, which again names those services.
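To make the behaviour of these record types concrete, here is an added example (not code from the original cheatsheet) of a toy resolver over a constructed zone: it follows CNAME chains with loop detection, orders MX hosts by priority and parses the SPF TXT record for the third parties allowed to send mail as the domain. `ZONE` is made-up data using documentation address ranges; the hostnames are illustrative and nothing in it is real DNS data for example.com or shopify.com.

```python
"""Toy resolver over a constructed zone, showing what the record types above
mean in practice: CNAME chains are followed (with loop detection), MX hosts
are ordered by priority, and the SPF TXT record is parsed for the third
parties allowed to send mail as the domain.

Added example, not code from the original cheatsheet.  ZONE is made-up data
using RFC 5737/3849 documentation addresses; the hostnames are illustrative
and nothing here is real DNS data for example.com or shopify.com.
"""

# name -> [(type, rdata)].  MX rdata is (priority, host); names are FQDNs.
ZONE = {
    "example.com.": [
        ("A", "192.0.2.10"),
        ("AAAA", "2001:db8::10"),
        ("MX", (10, "alt1.aspmx.l.google.com.")),
        ("MX", (5, "aspmx.l.google.com.")),
        ("MX", (10, "alt2.aspmx.l.google.com.")),
        ("TXT", "v=spf1 include:_spf.google.com include:sendgrid.net "
                "ip4:203.0.113.0/24 -all"),
        ("TXT", "google-site-verification=constructed-token"),
    ],
    "store.example.com.": [("CNAME", "shops.shopify.com.")],
    "shops.shopify.com.": [("CNAME", "shops-edge.shopify.com.")],
    "shops-edge.shopify.com.": [("A", "198.51.100.7")],
    # Deliberately broken: a CNAME loop, which a naive resolver never exits.
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
}


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def lookup(name, rtype, zone=ZONE):
    """Direct records of one type at a name, without following CNAMEs."""
    return [rdata for t, rdata in zone.get(_fqdn(name), []) if t == rtype]


def resolve(name, rtype, zone=ZONE, max_hops=8):
    """Follow CNAMEs until a record of `rtype` is found.

    Returns (final_name, [rdata]); the list is empty when the chain ends at
    a name without that type.  Raises ValueError on a loop or an over-long
    chain instead of spinning forever.
    """
    seen = []
    current = _fqdn(name)
    while True:
        direct = lookup(current, rtype, zone)
        if direct:
            return current, direct
        cname = lookup(current, "CNAME", zone)
        if not cname:
            return current, []
        if current in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long: "
                             + " -> ".join(seen + [current]))
        seen.append(current)
        current = cname[0]


def mail_servers(domain, zone=ZONE):
    """MX hosts in the order a sending MTA tries them: lowest priority value
    first.  Equal priorities are picked at random in practice; here they are
    sorted by name so the output is deterministic."""
    _, mx = resolve(domain, "MX", zone)
    return [host for _prio, host in sorted(mx)]


def spf_policy(domain, zone=ZONE):
    """Parse the domain's SPF record out of its TXT records.

    Returns None when there is not exactly one v=spf1 record (RFC 7208 treats
    zero or several as no valid policy).  Otherwise returns the included or
    redirected domains (third-party senders, an OSINT lead on the target's
    SaaS providers), the listed IP ranges and the final 'all' qualifier.
    """
    _, txts = resolve(domain, "TXT", zone)
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    includes, ips, final = [], [], "?all"
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("include:"):
            includes.append(mech[len("include:"):])
        elif mech.startswith("redirect="):
            includes.append(mech[len("redirect="):])
        elif mech.startswith(("ip4:", "ip6:")):
            ips.append(mech.split(":", 1)[1])
        elif mech == "all":
            final = qualifier + "all"
    return {"includes": includes, "ips": ips, "all": final}


if __name__ == "__main__":
    print(resolve("store.example.com", "A"))   # chain ends at shops-edge.shopify.com.
    print(mail_servers("example.com"))
    print(spf_policy("example.com"))
```

Against a real target you would replace `lookup` with a query through dig or dnspython and keep the rest; the loop guard matters because misconfigured CNAME loops do exist in the wild, and the `-all` versus `~all` versus `?all` qualifier is what decides whether spoofed mail from the domain is rejected, soft-failed or accepted.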

Web Technologies and Widgets: OWASP ZAP

https://builtwith.com/
https://www.wappalyzer.com/
https://hunter.io
https://osintframework.com/
https://github.com/sherlock-project/sherlock
https://crt.sh/
https://github.com/tomnomnom/assetfinder (find domains and subdomains related to a given domain)
https://github.com/tomnomnom/httprobe (take a list of domains and probe for working HTTP and HTTPS servers)
WiGLE: Wireless Network Mapping
Burp Suite: Application Security Testing Software
Keeping a Grip on GoogleID's (sector035)