search

Passive Enumeration

triangle-exclamation

Passively gathering public information is legal if done for legitimate purposes (audits, authorised pentesting, defensive intelligence). Do not use these techniques against targets without authorisation.

hashtag
1. Define Target & Scope

What or who are you looking for? You can search for domains, company names, emails, social medias, people, employees, or services, among other things.

One of the first tools you can use is WHOISarrow-up-right, which allows you to gather registration information about a domain, such as the owner, registrar, registration date, and contact details. You can also use RDAParrow-up-right (Registration Data Access Protocol), which is the modern replacement for WHOIS. 

whois lucafacchini.com

To find useful information, you can also try to view old snapshots of the website, via WayBack Machinearrow-up-right. Remember, everything can be useful.

hashtag
2. Website Reconnaissance

Before starting any further information gathering, it’s important to gather information about the website’s technologies, domains, and subdomains. Two key files can help with this:

  1. robots.txt – Visit http://example.com/robots.txt. This file is typically present on most websites and is meant for search engines. It lists pages that should or shouldn’t be indexed, which can reveal hidden or restricted areas of the site.

  2. sitemap.xml – Visit http://example.com/sitemap.xml (note: it may not always exist). This file provides a hierarchical map of the website, including all pages. If certain pages aren’t visible on the front-end, they might still appear here.

I also recommend, before moving further, to use tools to discover technologies being used on those websites. The ones I recommend are:

hashtag
3. IP, DNS, Domains & Subdomains

This step involves collecting information about a target’s network and domain structure. You identify the IP addresses used by the target, explore DNS records to find name servers, mail servers, and other services, and discover all associated domains and subdomains.

hashtag
DNS Enumeration

You can perform DNS passive enumeration using a combination of command-line interface (CLI) tools and online web-based services. CLI tools like dig, host, or dnsrecon.

There are some really useful tools online, such as:

  1. Host Command

  1. Dig Command

  1. DNSRecon Command

hashtag
Domains & Subdomains

You can still use WHOISarrow-up-right to discover domains and subdomains, but in most cases you should also use some tools that will help you finding more.

  1. Use, if you haven't already, use DNSDumpsterarrow-up-right.

  2. Search for subdomains that appear in Certificate Transparency Logs. crt.sharrow-up-right

  3. Search on Passive DNS Services, such as VirusTotalarrow-up-right, SecurityTrailsarrow-up-right, Shodanarrow-up-right and Censysarrow-up-right

  4. Use Google Dorks / Google Hacking. Search for the following: site:*.lucafacchini.com. And for more detailed Google Dorks, you can view the Google Hacking Database (GHDB)arrow-up-right.

You can also use automatized tools, such as:

hashtag
4. Extract Metadata

Metadata extraction involves retrieving embedded data within files which can provide insights into the document's author, creation date, software used, and more.

  1. Using Google Dorks, search on the Internet:

    1. site:example.com filetype:pdf, where pdf represents the file type. Remember that you should really try to find every file, such as .doc, .xlx, .ppt, anything.

  2. Extract metadata from files: Once files are collected, use tools like:

    1. ExifToolarrow-up-right

    2. Metagoofilarrow-up-right

PreviousInformation GatheringNextActive Enumeration

Last updated