INFORMATION GATHERING


  • Harvesting email addresses:
    • theharvester.py -d <domain> -l 100 -b google   (or -b linkedin)
  • Enumerating subdomains:
    • fierce.pl -dns example.com
    • maltego
    • google search query: site:example.com -www
  • IP ranges:
    • whois
    • ipnetinfo.exe
    • reverse host lookups on found subdomains to find extra ranges (one hostname per line in subdomains.txt): while read -r hostname; do host "$hostname"; done < subdomains.txt
  • Extracting usernames and other info from document metadata:
    • metagoofil -d <domain> -l 20 -f all -o output.html -t /tmp
  • Finding vulnerable servers: