Passive Enumeration
This information gathering section covers passive methods aimed at web targets.
1. Passive Information Gathering
In passive information gathering, we do not send any traffic to the target's own systems. Therefore, we only use information that is publicly available (registries, DNS, certificate logs, search engines, archives), and nothing of this shows up in the target's logs.
Well-known tools:
WHOIS
Queries the registration databases for domain names, IP address blocks and autonomous systems. A lookup returns registrar, registrant and contact data (unless redacted), name servers and creation/expiry dates, e.g. whois example.com.
Nslookup (DNS)
Queries a DNS name server.
We can ask for information about hosts and domains; by default nslookup returns the A record.
With the
-query=<type>
parameter we specify the resource record type we want, e.g. nslookup -query=MX example.com or -query=NS, -query=TXT. Use -query=ANY with care: many servers refuse it.
dig (DNS)
dig gives more detailed output than nslookup: the full answer, authority and additional sections, TTLs and the response flags. dig example.com MX +short prints just the record data.
Passive subdomain enumeration
The following tools are used for passive subdomain enumeration. Every subdomain found is a potential extra host and therefore widens the attack surface we can examine.
Certificate Databases
Publicly trusted CAs submit every SSL/TLS certificate they issue to Certificate Transparency logs, which anyone can search. crt.sh is the usual front end: searching for %.example.com lists every name that has ever appeared in a certificate for that domain, including internal-looking hosts nobody linked to.
crt.sh can be combined with curl (output=json) to get a JSON list and parse it into an easy-to-read, deduplicated list of subdomains.
OpenSSL can also be used, e.g. to read the Subject Alternative Names out of a certificate already obtained.
This is the non-automatic (manual) method.
TheHarvester
Collects emails, names, subdomains, IP addresses and URLs from various public data sources (-d selects the target domain, -b the data source).
The data sources can be kept in a custom source text file and looped over, one theHarvester run per source.
The results can be sorted and saved to one file with multiple cat constructs (cat the per-source output files together, sort -u, redirect to a file); the same goes for merging them with the crt.sh results.
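As an added example (not part of the original notes and not code from crt.sh or theHarvester), the following script does the parsing and merging described above for both the Certificate Databases and the TheHarvester passages: it pulls the subdomains out of crt.sh JSON, reads a saved theHarvester host:ip list, drops everything outside the target domain and prints one sorted, deduplicated list. The JSON and host lines are constructed samples in the shape those tools produce, not real results for example.com.

```python
import json
import urllib.request

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (not real query output).
SAMPLE_CRT_SH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Mail.Example.COM",
     "name_value": "Mail.Example.COM\nautodiscover.example.com"},
    # Lookalike domain: must NOT be accepted by a naive substring check.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net"},
])

# Constructed lines in the host:ip style of a saved theHarvester hosts list.
SAMPLE_HARVESTER_HOSTS = """\
www.example.com:93.184.216.34
vpn.example.com:203.0.113.10
api.dev.example.com:203.0.113.11
"""


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it (label-aware)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def subdomains_from_crt_sh(json_text: str, domain: str) -> set:
    """Extract the unique in-scope hostnames from crt.sh JSON output.

    name_value carries every SAN of the certificate separated by newlines.
    A wildcard entry like *.dev.example.com is recorded as dev.example.com:
    it proves the zone exists even though the wildcard itself is not a host.
    """
    found = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, domain):
                found.add(name)
    return found


def hosts_from_harvester(text: str, domain: str) -> set:
    """Parse 'host:ip' lines saved from theHarvester; keeps in-scope hosts only."""
    found = set()
    for line in text.splitlines():
        host = line.split(":", 1)[0].strip().lower()
        if host and in_scope(host, domain):
            found.add(host)
    return found


def merge_subdomains(*sources: set) -> list:
    """Union of all sources, sorted, one hostname per entry."""
    return sorted(set().union(*sources))


def fetch_crt_sh(domain: str, timeout: int = 30) -> str:
    """Live crt.sh query; not called by the sample run, so the example works offline."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    target = "example.com"
    ct_hosts = subdomains_from_crt_sh(SAMPLE_CRT_SH_JSON, target)
    th_hosts = hosts_from_harvester(SAMPLE_HARVESTER_HOSTS, target)
    for host in merge_subdomains(ct_hosts, th_hosts):
        print(host)
```

The in_scope check is deliberately label-aware: a plain "example.com" in name test would also accept example.com.evil-lookalike.net, which is exactly the kind of out-of-scope host that ends up in a report when a list is deduplicated with sort -u alone.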
Passive infrastructure identification
The following tools are used for passive infrastructure identification
Netcraft
is a convenient site to get information about the infrastructure (hosting provider, netblock, server software and web technologies) without having to visit the target site ourselves.
Wayback machine
site to access several archived versions of a website
find how a website looked at a specific point in time, including pages and files that have since been removed
the same is possible with waybackurls (just for the URLs, one per line, which is easy to grep)
useful to detect the usage of vulnerable plugins (e.g. from the ?ver= parameter WordPress appends to plugin assets) and other weak points such as forgotten backup files
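As an added example (not part of the original notes and not code from waybackurls), the script below shows how a practitioner turns a waybackurls listing into something actionable: it extracts WordPress plugin and theme names with the version from the ?ver= parameter, and flags archived URLs that point at backup-style files. The URL lines are a constructed sample in waybackurls' one-URL-per-line format; the plugin names and versions are illustrative and no vulnerability is claimed for them.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of archived URLs in the one-per-line form that
# waybackurls prints; not real output for any site.
SAMPLE_WAYBACK_URLS = """\
https://www.example.com/
https://www.example.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.1.6
https://www.example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.6
https://www.example.com/wp-content/plugins/wordpress-seo/js/dist/main.js?ver=14.8
https://www.example.com/wp-content/themes/twentynineteen/style.css?ver=1.4
https://www.example.com/wp-content/plugins/akismet/_inc/akismet.js
https://www.example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
http://www.example.com:80/old/backup.zip
"""

PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)/")
THEME_RE = re.compile(r"/wp-content/themes/([^/?#]+)/")


def _version(url: str):
    """Return the ?ver= value WordPress appends to enqueued assets, or None."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("ver", [None])[0]


def wordpress_components(urls_text: str) -> dict:
    """Build {'plugins': {name: {versions}}, 'themes': {name: {versions}}}.

    The ?ver= parameter is usually the plugin/theme version, which is what
    gets compared against known-vulnerable versions. Components seen without
    ?ver= are kept with an empty set so their presence is still recorded.
    """
    components = {"plugins": {}, "themes": {}}
    for line in urls_text.splitlines():
        url = line.strip()
        if not url:
            continue
        path = urlparse(url).path
        for kind, rx in (("plugins", PLUGIN_RE), ("themes", THEME_RE)):
            match = rx.search(path)
            if match:
                versions = components[kind].setdefault(match.group(1), set())
                ver = _version(url)
                if ver:
                    versions.add(ver)
    return components


def interesting_paths(urls_text: str,
                      suffixes=(".zip", ".sql", ".bak", ".tar.gz", ".old")) -> list:
    """Archived URLs whose path ends in a backup/dump extension."""
    hits = []
    for line in urls_text.splitlines():
        url = line.strip()
        if url and urlparse(url).path.lower().endswith(suffixes):
            hits.append(url)
    return hits


if __name__ == "__main__":
    found = wordpress_components(SAMPLE_WAYBACK_URLS)
    for kind in ("plugins", "themes"):
        for name, versions in sorted(found[kind].items()):
            print(kind, name, ", ".join(sorted(versions)) or "(version unknown)")
    for url in interesting_paths(SAMPLE_WAYBACK_URLS):
        print("check:", url)
```

Because the archive preserves old snapshots, a version seen here may no longer be deployed; treat the output as a lead for the active phase, not as proof of a current weakness.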