Passive

Obtaining information about the target without directly interacting with it.

host <DOMAIN/IP>
nslookup <DOMAIN/IP>

Whois

Whois is a protocol and service that allows users to look up registration information related to Internet domains and IP addresses. It provides details such as the owner's name, registration date, and expiration date.

whois <DOMAIN/IP>

Cross-check the IPs and hostnames you find against WHOIS records to verify that they are owned by the organization and not outsourced to ISPs (Internet Service Providers).
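The ownership check described above, as an added example that is not part of the original page: it extracts the registrant from WHOIS text and compares it with the organization expected to own the asset. The function names, the sample records (documentation IP ranges) and the organization names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from WHOIS text whether a netblock is registered to the
# organization itself or to a third party such as an ISP or hosting provider.
# whois_owner: read WHOIS text on stdin and print the registrant. Prefers ARIN-style
# OrgName / RIPE-style org-name fields and falls back to the first descr field.
whois_owner() {
    awk '
        /^[#%]/ || index($0, ":") == 0 { next }   # skip comments and non-field lines
        {
            key = tolower($0); sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (org == "" && key ~ /^(orgname|org-name|organization|owner)$/) org = val
            else if (descr == "" && key == "descr") descr = val
        }
        END { print (org != "" ? org : descr) }
    '
}

# classify_owner OWNER EXPECTED_ORG: print "owned" when OWNER contains EXPECTED_ORG
# (case-insensitive), "third-party" when it does not, "unknown" when either is empty.
classify_owner() {
    _o=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _w=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$_w" ] || { echo "unknown"; return; }
    case "$_o" in
        "") echo "unknown" ;;
        *"$_w"*) echo "owned" ;;
        *) echo "third-party" ;;
    esac
}

# Constructed ARIN-style record (documentation range, hypothetical organization).
SAMPLE_ARIN='NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-NET
OrgName:        Example Corp
OrgId:          EXAMPLE-1'

# Constructed RIPE-style record for a netblock held by a hosting provider.
SAMPLE_RIPE='% constructed sample
inetnum:        198.51.100.0 - 198.51.100.255
netname:        HOSTING-POOL
descr:          Generic Hosting Provider
country:        NL'

# Against live data the input would be: whois <DOMAIN/IP> | whois_owner
for rec in "$SAMPLE_ARIN" "$SAMPLE_RIPE"; do
    owner=$(printf '%s\n' "$rec" | whois_owner)
    printf '%s -> %s\n' "$owner" "$(classify_owner "$owner" "Example Corp")"
done
```

Assets classified as third-party or unknown need their ownership confirmed with the organization before they are treated as in scope.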

DNS

host -t <TYPE> <DOMAIN> [<DNS_SERVER>]
nslookup -query=<TYPE> <DOMAIN> [<DNS_SERVER>]
nslookup -type=<TYPE> <DOMAIN> [<DNS_SERVER>]
dig <TYPE> <DOMAIN> [@<DNS_SERVER>]

Subdomain

Enumerate subdomains passively via online sources.

subfinder -d <DOMAIN>

A free web portal that performs various information gathering functions, such as discovering which technologies are running on a given website and finding which other hosts share the same IP netblock.

Certificates

Website
Details

Information about SSL/TLS certificates

Online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.
