Information Gathering

The document provides a comprehensive guide on information-gathering techniques for authorized testing, covering basic Linux commands, process management, DNS reconnaissance, email enumeration, subdomain discovery, Google dorks, online services, automated frameworks, and logging resources. Each section includes specific commands, tools, and examples to assist users in gathering and analyzing data effectively. It emphasizes responsible usage and offers a variety of resources for further exploration.

Uploaded by Umer Khan

Information-Gathering — concise notes

Below is a cleaned-up, organized version of your notes with short explanations and examples.
Use responsibly (authorized testing only).

1. Basic Linux / host info

1. ifconfig / ip addr / ip a — show network interfaces and IP addresses on your machine.
   Example: ip a show eth0
2. hostname / hostname -I — show the host name / IP(s) of the host.
3. ping <host> — check connectivity / round-trip time to a host.
   Example: ping -c 4 [Link]
4. traceroute <host> (Linux) / tracert <host> (Windows) — show the route packets take to reach the host.
   Example: traceroute [Link]
5. arp -a — show the ARP table (IP ⇄ MAC mappings) on the local network.
6. netstat -tulpn or ss -tulpn — show listening ports and the processes that own them.
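As an added example that is not part of the original notes, the Python script below parses ss -tulpn output and reports which listeners are bound to every interface (0.0.0.0 or [::]), which is what the host actually exposes to the network as opposed to loopback-only services. The sample output and the function names are my own, constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -tulpn` output (illustrative, not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=1450,fd=6))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=640,fd=5))
"""

# Local addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
# Pulls the process name and PID out of the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> List[Dict[str, object]]:
    """Parse `ss -tulpn` text into one dict per listening socket."""
    services = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)   # rsplit so "[::]:80" splits correctly
        m = PROC_RE.search(line)
        services.append({
            "proto": fields[0],
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return services


def exposed_services(text: str) -> List[Dict[str, object]]:
    """Return only sockets bound to a wildcard address: the network-reachable surface."""
    return [s for s in parse_ss(text) if s["addr"] in WILDCARD_ADDRS]


if __name__ == "__main__":
    for s in exposed_services(SAMPLE_SS_OUTPUT):
        print(f'{s["proto"]}/{s["port"]} {s["process"]} (pid {s["pid"]}) bound to {s["addr"]}')
```

Run it against real output with ss -tulpn | python3 script.py after swapping the sample for sys.stdin.read(); loopback-only services such as the MySQL example are left out of the report.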

2. Process / system management

1. ps — display the processes attached to the current terminal session.
2. ps aux — full snapshot of all processes from all users.
3. top — interactive real-time process viewer.
4. htop — improved, easier-to-read top (needs install).
5. kill <PID> — send SIGTERM to a process to ask it to stop.
   • kill -9 <PID> sends SIGKILL (force kill, no cleanup). Use carefully.
6. systemctl status <service> — check the status of a systemd service.

3. DNS & domain reconnaissance

1. dig [Link] — DNS lookup, shows A, NS, MX, etc. (more flexible than nslookup).
   Example: dig +short [Link] A
2. nslookup [Link] — basic DNS query tool (older).
3. whois [Link] — registration details for a domain (registrar, dates, contact).
4. host [Link] — simple DNS lookup.
5. dig @[Link] [Link] ANY — query a specific DNS server.
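As an added example that is not part of the original notes, this Python snippet parses the ANSWER SECTION of dig's default output into records and groups them by type, so that a lookup of A, NS, MX and TXT records can be summarised rather than read by eye. The sample dig output (example.com, 192.0.2.10) is constructed, and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of `dig example.com ANY` output (illustrative, not a real capture).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.        3600    IN      A       192.0.2.10
example.com.        3600    IN      NS      ns1.example.com.
example.com.        3600    IN      NS      ns2.example.com.
example.com.        300     IN      MX      10 mail.example.com.
example.com.        300     IN      MX      20 mail2.example.com.
example.com.        300     IN      TXT     "v=spf1 mx -all"
;; Query time: 12 msec
"""

# One resource record line: owner  TTL  IN  TYPE  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_answer_section(text: str) -> List[Tuple[str, int, str, str]]:
    """Extract (name, ttl, type, rdata) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";")):
            break  # a blank line or the next ";;" section ends the answer
        if in_answer:
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                records.append((name, int(ttl), rtype, rdata.strip()))
    return records


def records_by_type(text: str) -> Dict[str, List[str]]:
    """Group rdata strings by record type, e.g. {"NS": [...], "MX": [...]}."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for _, _, rtype, rdata in parse_answer_section(text):
        grouped[rtype].append(rdata)
    return dict(grouped)


def mail_exchangers(text: str) -> List[Tuple[int, str]]:
    """MX hosts sorted by preference (the lowest value is tried first)."""
    mx = []
    for rdata in records_by_type(text).get("MX", []):
        pref, host = rdata.split(None, 1)
        mx.append((int(pref), host))
    return sorted(mx)
```

Many authoritative servers and resolvers answer ANY with a minimal or refused response (RFC 8482), so in practice query the types you need (A, NS, MX, TXT) individually and feed each result through the same parser.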

4. Email / user enumeration

1. python [Link] — your own script to extract emails (example).
2. [Link] — check if an email appears in breaches (online service).
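The "your own script to extract emails" item above, written out as an added example (not the author's script): it pulls addresses out of text you already have, drops asset names such as photo@2x.png that look like addresses, and keeps only addresses whose domain is inside the agreed test scope. The sample text, the domains in it and the function names are constructed for illustration.

```python
import re
from typing import Iterable, List

# Constructed sample text (e.g. a saved copy of a public web page); not a real capture.
SAMPLE_TEXT = """\
Contact: Jane.Doe@Example.com or support@example.com for help.
Partner inquiries: partners@vendor-site.org. Not an address: user@localhost
mailto:press@example.com?subject=hi  Image: photo@2x.png
"""

# Local part, "@", then a dotted host name ending in an alphabetic TLD.
EMAIL_RE = re.compile(
    r"(?<![\w.+-])"                      # do not start in the middle of a token
    r"[\w.+-]+@"                         # local part
    r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"  # domain with at least one dot
    r"(?![\w-])"                         # do not stop in the middle of a token
)
# Asset names like photo@2x.png or app@v2.js match the pattern but are not addresses.
ASSET_SUFFIXES = {"png", "jpg", "jpeg", "gif", "svg", "webp", "css", "js"}


def extract_emails(text: str) -> List[str]:
    """Return unique, lower-cased addresses in order of first appearance."""
    seen, out = set(), []
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        if addr.rsplit(".", 1)[1] in ASSET_SUFFIXES or addr in seen:
            continue
        seen.add(addr)
        out.append(addr)
    return out


def in_scope(emails: Iterable[str], scope_domains: Iterable[str]) -> List[str]:
    """Keep only addresses whose domain is an in-scope domain or a subdomain of one."""
    scope = [d.lower().lstrip(".") for d in scope_domains]
    kept = []
    for addr in emails:
        domain = addr.rsplit("@", 1)[1]
        if any(domain == d or domain.endswith("." + d) for d in scope):
            kept.append(addr)
    return kept


if __name__ == "__main__":
    found = extract_emails(SAMPLE_TEXT)
    print("all:", found)
    print("in scope:", in_scope(found, ["example.com"]))
```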

5. Subdomain / attack surface discovery

1. amass, subfinder, sublist3r — enumerate subdomains from different sources.
2. [Link] — search certificate transparency logs for domains/subdomains.
3. SecurityTrails, Shodan, Censys — find hosts, services, exposed assets.

6. Google dorks (search engine reconnaissance)

• intitle:"Harry Potter" filetype:pdf — find PDFs with "Harry Potter" in the title.
• site:[Link] inurl:[Link]?id — find [Link] pages on .[Link] sites.
• intitle:"Ahmed Qadir" inurl:[Link] — LinkedIn pages mentioning the name.
• inurl:view/[Link] — find pages with that path.

Tip: combine operators (site:, inurl:, intitle:, filetype:, ext:) to narrow results.

Tools / DB: Google Hacking Database (GHDB) — many useful dork examples (found via Exploit-DB → GHDB).

7. Common online services & tools (quick list)

• [Link] — geoIP lookup.
• [Link] — link-based IP logger (be careful, privacy implications).
• [Link] — cloud / VPS provider (example of a cloud server provider).
• [Link] — breached account checker.
• [Link] — disposable temporary email.
• [Link]/email — DuckDuckGo email protection (masked email).
• [Link] — privacy-focused email provider.
• [Link] — site reports and hosting info.
• [Link] — domain/host history, DNS records.
• [Link] — Wayback Machine for historical site snapshots.
• exploit-db (GHDB) — Google Dork database and exploits.
• [Link] — internet-connected device search engine.
• [Link] / [Link] — niche data/privacy resources (verify before use).

8. Useful automated recon frameworks

• Recon-ng — modular web reconnaissance framework.
• Metasploit — exploitation framework (also contains recon modules).
• SpiderFoot — automated OSINT and attack surface discovery.
• Maltego — visual link analysis (commercial / community editions).

9. Logging & archives

• [Link] (Wayback Machine) — review old versions of websites.
• Common Crawl / public datasets — large public web crawls for research.

10. Short examples (one-liners)

• List open ports + services: nmap -sV -p- [Link]
• Quick DNS A record: dig +short [Link]
• Check headers: curl -I [Link]
• Find PDFs with a dork: site:[Link] filetype:pdf "confidential"
