
Recon & enumeration

whois · DNS · theHarvester · Shodan · Google dorks · enum4linux · LDAP

Tools used here
theHarvester

OSINT enumeration of emails, subdomains, hosts, employees, and open ports from public sources (search engines, certificate transparency, PGP servers, etc.). Your first-pass recon tool against a known domain.

API keys for Hunter / Shodan / DNSdumpster significantly improve results.

Recon-ng

Modular framework for web-based reconnaissance, modeled on Metasploit's console UX. Workspaces store findings; modules pull from APIs and bulk-process targets.

Many modules require free API keys (Shodan, Censys, HIBP). Configure them once with the keys add command inside the console.

Shodan

Search engine for internet-connected devices, indexed by banner, port, service, and CVE. Externally-facing recon for any IP / org / hostname.

Free tier is heavily limited. CLI tool (pip install shodan) is more efficient than the web UI for scripted work.

WHOIS / DNS

whois: Domain registration info — registrar, dates, nameservers, registrant (often privacy-protected)
    whois example.com

whois: IP WHOIS — ASN, netblock owner, abuse contact
    whois 203.0.113.1

dig: All DNS records for a domain
    dig +nocmd example.com any +multiline +noall +answer
  Note: ANY queries are blocked by many resolvers — run each type separately: A, MX, NS, TXT, SOA

dnsrecon: Standard DNS recon — A, AAAA, NS, SOA, MX, SPF, TXT
    dnsrecon -d example.com -t std

dnsrecon: Subdomain brute-force
    dnsrecon -d example.com -t brt -D /usr/share/wordlists/dnsmap.txt

dnsrecon: Zone transfer attempt (AXFR)
    dnsrecon -d example.com -t axfr
  Note: Succeeds only on misconfigured nameservers — gives the full DNS inventory

dnsenum: DNS enumeration + Google scraping + brute-force in one pass
    dnsenum --enum -p 0 -s 0 example.com

amass: Passive subdomain enumeration via OSINT sources
    amass enum -passive -d example.com
  Note: Best passive subdomain tool — uses 50+ data sources

amass: Active enumeration with brute-force
    amass enum -active -d example.com -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

subfinder: Fast passive subdomain discovery
    subfinder -d example.com -silent
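Added example, not part of the original cheat sheet: the defender's side of the zone-transfer and subdomain brute-force entries above. It parses constructed BIND 9-style query-log lines and flags AXFR/IXFR requests from clients outside an assumed allow-list of secondaries, plus clients that query many distinct names under the zone, the footprint a brute-force run leaves. The log lines, the 192.0.2.0/24 allow-list and the threshold are all assumptions for the sample.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of BIND 9's "queries" log category (not a real capture).
SAMPLE_LOG = """\
05-Mar-2024 10:00:01.101 client @0x7f2b4c0a1230 192.0.2.10#45012 (example.com): query: example.com IN AXFR +TE (198.51.100.53)
05-Mar-2024 10:00:02.202 client @0x7f2b4c0a1230 203.0.113.5#54321 (example.com): query: example.com IN AXFR +TE (198.51.100.53)
05-Mar-2024 10:00:04.404 client @0x7f2b4c0a1230 203.0.113.5#54323 (dev.example.com): query: dev.example.com IN A +E (198.51.100.53)
05-Mar-2024 10:00:04.405 client @0x7f2b4c0a1230 203.0.113.5#54324 (vpn.example.com): query: vpn.example.com IN A +E (198.51.100.53)
05-Mar-2024 10:00:04.406 client @0x7f2b4c0a1230 203.0.113.5#54325 (mail.example.com): query: mail.example.com IN A +E (198.51.100.53)
05-Mar-2024 10:00:05.505 client @0x7f2b4c0a1230 198.51.100.7#40000 (www.example.com): query: www.example.com IN A +E (198.51.100.53)
"""

# Hypothetical: the only networks whose secondaries are permitted to pull the zone.
ALLOWED_SECONDARIES = [ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that matches the query-log shape."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper()

def find_zone_transfer_attempts(log_text, allowed=ALLOWED_SECONDARIES):
    """Sorted client IPs that requested AXFR/IXFR from outside the allowed networks."""
    hits = set()
    for ip, _qname, qtype in parse_queries(log_text):
        if qtype in ("AXFR", "IXFR") and not any(ip_address(ip) in net for net in allowed):
            hits.add(ip)
    return sorted(hits)

def find_bruteforce_clients(log_text, zone, threshold=3):
    """Clients that asked for at least `threshold` distinct names under `zone`.
    The default is tuned low for the tiny sample; production thresholds are far higher."""
    names = defaultdict(set)
    for ip, qname, _qtype in parse_queries(log_text):
        if qname.endswith("." + zone):
            names[ip].add(qname)
    return sorted(ip for ip, seen in names.items() if len(seen) >= threshold)

if __name__ == "__main__":
    print("unauthorized AXFR/IXFR from:", find_zone_transfer_attempts(SAMPLE_LOG))
    print("subdomain brute-force candidates:", find_bruteforce_clients(SAMPLE_LOG, "example.com"))
```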
theHarvester

theHarvester: Email, hostname, IP harvest from all sources (Google, Bing, LinkedIn, Shodan, etc.)
    theHarvester -d example.com -b all

theHarvester: Google source only, 500 results limit
    theHarvester -d example.com -b google -l 500

theHarvester: Shodan source — exposed services for the domain
    theHarvester -d example.com -b shodan

theHarvester: LinkedIn employee enumeration (usernames useful for password spray)
    theHarvester -d example.com -b linkedin
Shodan

shodan: Find all assets registered to an organization
    shodan search "org:\"Target Corp\"" --fields ip_str,port,product,version

shodan: All IPs for the domain in Shodan
    shodan search "hostname:example.com" --fields ip_str,port,product

shodan: Full Shodan record for a specific IP — open ports, banners, vulns
    shodan host 203.0.113.1

shodan: Find hosts by certificate CN — finds non-obvious assets on the same cert
    shodan search "ssl.cert.subject.cn:example.com"

Shodan web: RDP exposed, US, by org name
    org:"Target Corp" port:3389 country:US

Shodan web: Admin panels for the domain
    hostname:example.com http.title:"Admin" -http.status:404

Shodan web: ProxyLogon-vulnerable Exchange in a netblock
    net:203.0.113.0/24 vuln:CVE-2021-26855
Google dorks

Google: All indexed pages for the domain excluding www (finds subdomains)
    site:example.com -www

Google: Indexed documents — may contain metadata, internal paths, usernames
    site:example.com filetype:pdf OR filetype:xlsx OR filetype:docx

Google: Admin/login pages indexed by Google
    site:example.com inurl:admin OR inurl:login OR inurl:portal

Google: Credential leaks in Pastebin mentioning the target domain
    site:pastebin.com "example.com" password OR key OR credential

Google: Exposed configs, .env files, DB dumps
    "example.com" filetype:sql OR filetype:env OR filetype:config
SMB / LDAP enum

enum4linux: Full SMB enumeration — shares, users, groups, OS info, password policy
    enum4linux -a 192.168.1.100

enum4linux-ng: Modern enum4linux with null session attempt
    enum4linux-ng -A 192.168.1.100 -u "" -p ""

ldapsearch: Anonymous LDAP bind — dump all objects
    ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com" "(objectClass=*)"
  Note: Anonymous bind is usually disabled on secured DCs but common on misconfigs

ldapsearch: Authenticated LDAP — get users, email, group membership
    ldapsearch -x -H ldap://192.168.1.100 -D "cn=user,dc=example,dc=com" -w "Password1" -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName mail memberOf

ldapsearch: Enumerate domain computers via LDAP
    ldapsearch -x -H ldap://dc.example.com -b "dc=example,dc=com" "(objectClass=computer)" name dNSHostName operatingSystem
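Added example, not from the original page: the LDIF that the authenticated ldapsearch above prints is easier to audit in code than by eye. This parser handles folded lines, comments and base64 ("::") values, then reports which accounts sit in privileged groups; the LDIF sample and the PRIVILEGED watch-list are constructed assumptions, and group CNs are assumed to contain no escaped commas.

```python
import base64

# Constructed sample in the LDIF shape ldapsearch prints; not real directory data.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Jane Doe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=VPN Users,OU=Groups,DC=exam
 ple,DC=com

dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=com
sAMAccountName:: c3ZjLWJhY2t1cA==
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=com

result: 0 Success
"""

def parse_ldif(text):
    """Entries as attr -> [values]; unfolds lines, skips comments, decodes '::' base64."""
    unfolded = text.replace("\n ", "")          # LDIF folds long values as newline + one space
    entries, current = [], {}
    for line in unfolded.splitlines() + [""]:   # a blank line ends a record
        if not line:
            if "dn" in current:                 # trailer lines (result: ...) carry no dn
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return entries

# Hypothetical watch-list; adjust to the groups that matter in your own directory.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}

def group_cn(dn):
    """First RDN value of a group DN (assumes the CN has no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def privileged_members(entries):
    """sAMAccountName -> sorted privileged groups: the audit view of memberOf."""
    out = {}
    for e in entries:
        groups = sorted(g for g in map(group_cn, e.get("memberOf", [])) if g in PRIVILEGED)
        if groups:
            out[e["sAMAccountName"][0]] = groups
    return out
```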