brannondorsey · December 4, 2022 22:54
diff --git a/recon_methods.sh b/recon_methods.sh
 # define your target
 export TARGET = brannon.online

 # perform a whois lookup
 whois $TARGET

 # do a dns lookup
 nslookup $TARGET
 # here we find that 34.201.87.194 is the
 # true IP address of the $TARGET

 export TARGET_IP=34.201.87.194

 # perform another whois lookup to determin
 # the owner of the IP block the IP address
 # belongs to
 whois $TARGET

 # perform an nmap scan to determin OS version 
 # and open ports and services
 #   -Pn: Treat hosts as online and don't ping scan, as this is blocked by many firewals
 #   -sS: TCP SYN scan (or stealth scan). Requires root access, exclude this flag if you don't have it.
 #   -A: Enables OS detection, version detection, script scanning, and traceroute
 #
 # nmap references and cheatsheets:
 #   - https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide
 sudo nmap -Pn -sS -A $TARGET_IP

 # optionally, perform a vulnerabilities scan against the versions
 # of services found to be running on the machine from the nmap scan
 # using a nmap scritp (.nse). Must have nmap-vulners.nse installed:
 #   $ locate *.nse # use this to find where nmap scripts are stored
 #                  # likely /usr/share/nmap/scripts on linux
 #   $ cd /usr/share/nmap/scripts
 #   $ git clone https://github.com/vulnersCom/nmap-vulners
 nmap -sV --script=nmap-vulners $TARGET_IP

 # perform a geolocation traceroute to determin where in the world
 # your target server lives, and what hops it might need to get there
 #   - replace -p with the port you would like to target if not http server
 sudo nmap --traceroute --script traceroute-geolocation -p 80 $TARGET_IP

 # perform a bruteforce dns subdomain guess attack enumerating common subdomains
 #   -sn: Don't port scan
 #   -Pn: Don't ping scan
 nmap -sn -Pn --script dns-brute $TARGET_IP
	# define your target
	export TARGET = brannon.online

	# perform a whois lookup
	whois $TARGET

	# do a dns lookup
	nslookup $TARGET
	# here we find that 34.201.87.194 is the
	# true IP address of the $TARGET

	export TARGET_IP=34.201.87.194

	# perform another whois lookup to determin
	# the owner of the IP block the IP address
	# belongs to
	whois $TARGET

	# perform an nmap scan to determin OS version
	# and open ports and services
	# -Pn: Treat hosts as online and don't ping scan, as this is blocked by many firewals
	# -sS: TCP SYN scan (or stealth scan). Requires root access, exclude this flag if you don't have it.
	# -A: Enables OS detection, version detection, script scanning, and traceroute
	#
	# nmap references and cheatsheets:
	# - https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide
	sudo nmap -Pn -sS -A $TARGET_IP

	# optionally, perform a vulnerabilities scan against the versions
	# of services found to be running on the machine from the nmap scan
	# using a nmap scritp (.nse). Must have nmap-vulners.nse installed:
	# $ locate *.nse # use this to find where nmap scripts are stored
	# # likely /usr/share/nmap/scripts on linux
	# $ cd /usr/share/nmap/scripts
	# $ git clone https://github.com/vulnersCom/nmap-vulners
	nmap -sV --script=nmap-vulners $TARGET_IP

	# perform a geolocation traceroute to determin where in the world
	# your target server lives, and what hops it might need to get there
	# - replace -p with the port you would like to target if not http server
	sudo nmap --traceroute --script traceroute-geolocation -p 80 $TARGET_IP

	# perform a bruteforce dns subdomain guess attack enumerating common subdomains
	# -sn: Don't port scan
	# -Pn: Don't ping scan
	nmap -sn -Pn --script dns-brute $TARGET_IP