Perimeter

​https://pentest-tools.com/home​
​https://hackertarget.com/ip-tools/​
DNS
$ nslookup example.com
Subdomains & AXFR
AS details
$ whois example.com
$ whois 127.0.0.1
Check for DNS Amplification
CMS, Stack, Vulns
WhatWeb, Wappalyzer
Shodan / Censys / SecurityTrails
Google Dorks
/robots.txt
/sitemap.xml
Autonomous Systems
​https://hackware.ru/?p=9245​
Info via IP
dig:
$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short
whois:
$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1
Info via ASN
whois:
$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666
Search AS
​https://radar.qrator.net/search?query=AS31337​
​https://github.com/nitefood/asn​
Map IP addresses to AS by origin and netname with ignoring potentionally unwanted netname values by keywords:
whois.sh
 #!/bin/bash
 # Usage: whois.sh ip_list.txt
​
for ip in `cat $1`; do
  ASNUM=`whois $ip | grep -i "origin:" | tr -d ' ' | cut -d ":" -f 2 | tr $'\n' ','`
  NETNAME=`whois $ip | grep -i "netname:" | tr -d ' ' | cut -d ":" -f 2`
  if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
    echo "$ASNUM,$NETNAME,$ip"
   fi
done
Difference between as-name, aut-num, origin, netname, etc. may be found on RIPE.
Generate Wordlists
Last updated 3 weeks ago