Pentest Book
Root domains

Basic

```bash
# https://github.com/OWASP/Amass
amass intel -d domain.com -whois

# Search on Google
https://google.com/search?q=united+airlines

# Analyze owners on domainbigdata
https://domainbigdata.com/domain.com
```

Reverse whois

```bash
https://viewdns.info/reversewhois/?q=United+Airlines
https://tools.whoisxmlapi.com/reverse-whois-search
```

ASN

```bash
https://bgp.he.net/search?search%5Bsearch%5D=united+airlines&commit=Search

# Prefixes registered to an ASN in the RADb IRR database.
# sort -u instead of uniq: uniq only drops adjacent duplicates, and RADb output is not sorted.
whois -h whois.radb.net -- '-i origin AS11535' | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+" | sort -u

# Expand the prefixes to individual hosts and resolve their PTR records to find hostnames.
whois -h whois.radb.net -- '-i origin AS20461' | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+" | sort -u | mapcidr -silent | dnsx -ptr -resp-only -retry 3 -silent
```

Favicon

```bash
# https://github.com/pielco11/fav-up
python3 favUp.py -ff ~/favicon.ico --shodan-cli

# Query Shodan directly with the favicon hash
# https://www.shodan.io/search?query=http.favicon.hash%3A-382492124
```

Google Analytics ID

```bash
https://builtwith.com/relationships/united.com
https://builtwith.com/relationships/tag/UA-29214177
https://api.hackertarget.com/analyticslookup/?q=united.com
https://api.hackertarget.com/analyticslookup/?q=UA-16316580
```

DNS manual recon

```bash
dnsrecon -d www.example.com -a                  # standard enumeration plus zone transfer attempt
dnsrecon -d www.example.com -t axfr             # zone transfer only
dnsrecon -d www.example.com                     # standard enumeration (default)
dnsrecon -d www.example.com -D wordlist.txt -t brt   # hostname brute force; -D needs a wordlist file (wordlist.txt is a placeholder)

dig www.example.com +short
dig www.example.com MX
dig www.example.com NS
dig www.example.com SOA
dig www.example.com ANY +noall +answer
dig -x 10.11.1.111                              # reverse (PTR) lookup takes an IP address, not a hostname
dig -4 www.example.com                          # force IPv4 transport for the query
dig -6 www.example.com                          # force IPv6 transport for the query
dig www.example.com mx +noall +answer example.com ns +noall +answer   # several queries in one call
dig -t AXFR www.example.com                     # zone transfer request (usually needs @nameserver)
dig axfr @10.11.1.111 example.box

dnsenum 10.11.1.111
```

```bash
# Get domain from IP
# https://reverse-ip.whoisxmlapi.com/
# https://github.com/projectdiscovery/dnsx
cat ips.txt | dnsx -ptr -resp-only -silent -retry 3
```