All notes were taken while watching TCM's (The Cyber Mentor's) playlist --> https://www.youtube.com/watch?v=ChdUC32lsYQ&list=PLLKT__MCUeiwBa7d7F_vN1GUwz_2TmVQj&index=4
theHarvester
theHarvester is a tool written in Python. With it you can gather emails, subdomains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the SHODAN database. It is useful for anyone who needs to know what an attacker can see about an organization from the outside (passive recon: nothing here touches the target directly except the optional DNS checks below).
-d: Domain to search or company name.
-b: Data source: baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, linkedin, pgp, twitter, vhost, yahoo, all.
-s: Start at result number X (default: 0).
-v: Verify hostnames via DNS resolution and also search for virtual hosts.
-f: Save the results to an HTML and an XML file (both are written).
-n: Perform a DNS reverse lookup on all IP ranges discovered.
-c: Perform a DNS brute force for the domain name (this sends queries for the target's names, so it is no longer purely passive).
-t: Perform DNS TLD expansion discovery (looks for the same name under other TLDs).
-e: Use this DNS server for the resolution options above.
-l: Limit the number of results to work with (Bing pages 20 results at a time, Google 100 at a time; the pgp source ignores this option).
-h: Use the SHODAN database to query discovered hosts.
Note: this option list is from the theHarvester 2.x release shown in the video. In the 3.x rewrite several flags changed (for example -h is --help and Shodan is enabled with -s/--shodan), so check theHarvester --help on the version you actually have installed.
Bluto
Bluto is a Python-based tool for DNS recon (name servers, IP addresses), DNS zone transfer testing (a zone transfer that is allowed hands you the whole zone, i.e. many more subdomains), DNS wildcard checks (if the domain has a wildcard record every brute-forced name resolves, so brute-force results are meaningless until the wildcard answer is filtered out), DNS brute forcing, e-mail enumeration and more. Email enumeration is based on the target domain and currently uses the Bing and Google search engines plus data from the Email Hunter service and LinkedIn. https://haveibeenpwned.com/ is then queried to identify whether any of the addresses appear in known breaches.
crt.sh
Search Certificate Transparency logs for certificates issued for a domain to identify subdomains (search for %.tesla.com, where % is the wildcard). One certificate can list several hosts in its Subject Alternative Names, and crt.sh keeps expired and revoked certificates too, so old hostnames show up as well; everything found still needs to be resolved to see what is actually live.
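The crt.sh site also serves results as JSON (https://crt.sh/?q=%25.example.com&output=json), which is how you would script the lookup above instead of reading the HTML table. The following is an added example, not code from the playlist or from crt.sh: it parses that JSON shape offline on a constructed sample and extracts unique subdomains, dropping wildcard names and lookalike domains that merely contain the target string. The field names (name_value, common_name) are the real crt.sh ones; the sample rows, the example.com hosts and the fetch_crtsh helper's User-Agent string are assumptions.

```python
"""Added example (not from the TCM notes or from crt.sh itself):
pull subdomains out of crt.sh JSON output.

Each crt.sh row's "name_value" field holds one or more DNS names separated by
newlines (SAN certificates list several hosts per row), so the extraction
splits and de-duplicates them.  The '%' wildcard in the query is the one the
notes mention.
"""
import json
import urllib.request
from typing import List
from urllib.parse import quote

# Constructed sample of what crt.sh returns, trimmed to the fields used here.
# Real rows carry more fields such as issuer_name, not_before and not_after.
SAMPLE_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "VPN.Example.com", "name_value": "VPN.Example.com"},
    # Lookalike that contains the target string but is NOT under example.com
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])


def extract_subdomains(raw_json: str, domain: str) -> List[str]:
    """Return sorted unique hostnames under `domain` found in crt.sh JSON.

    - Lower-cases names (DNS is case-insensitive).
    - Drops wildcard entries: "*.example.com" names no concrete host.
    - Keeps only names equal to `domain` or ending in ".<domain>", so a
      lookalike such as example.com.evil.test is not counted.
    """
    domain = domain.lower().strip(".")
    found = set()
    for row in json.loads(raw_json):
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Query crt.sh live for %.<domain> and return the raw JSON text.

    Network call; the offline demo below does not use it.  crt.sh rate-limits
    and sometimes answers with an HTML error page, so expect json.loads on the
    result to fail occasionally and retry rather than crash a larger pipeline.
    """
    url = "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"
    # User-Agent value is arbitrary (assumption), but send one: some front ends
    # reject requests with the default urllib agent.
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-subdomain-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_crtsh("example.com")
    # for a live query.
    for host in extract_subdomains(SAMPLE_JSON, "example.com"):
        print(host)
```

Feed the resulting list to a resolver (or theHarvester's -v option) before relying on it: crt.sh tells you a name was once certified, not that it still resolves.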
Episode 5 : Scanning Tools & Tactics
Nmap, Nessus, Burp Suite essentials, Metasploit
TCP 3-way handshake - used when reliability is needed (SYN, SYN/ACK, ACK): the client sends SYN with its initial sequence number, the server answers SYN/ACK acknowledging that number plus one, and the client completes the connection with an ACK of the server's number plus one. Scanners lean on this: a SYN/ACK back to a probe means the port is open, a RST means closed, and an Nmap SYN scan (-sS) never sends the final ACK, so no full connection is logged by the application.
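To make the handshake concrete, here is an added example (not from the playlist or from Nmap): it builds minimal TCP headers with struct, decodes the flag bits, checks that three captured headers form a consistent SYN, SYN/ACK, ACK exchange with matching sequence and acknowledgement numbers, and classifies a reply to a SYN probe the way a SYN scan does. The packets are constructed by hand with assumed ports and sequence numbers, and the checksum is left at zero since no pseudo-header is computed.

```python
"""Added example (not from the TCM notes): decode TCP flags from raw header
bytes, validate a three-way handshake and classify SYN-probe replies.
All packets below are constructed in-line; nothing is sent on the wire.
"""
import struct
from typing import Dict, List

# Flag bits in the low byte of the offset/flags word (RFC 793 order, FIN is bit 0).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, checksum, urgent


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 65535) -> bytes:
    """Construct a minimal 20-byte TCP header (no options; checksum left zero)."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict:
    """Decode the fixed part of a TCP header into a dict with a set of flag names."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    flag_bits = offset_flags & 0x1FF  # low 9 bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    names = {n for n, bit in FLAGS.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": window, "flags": names}


def is_valid_handshake(pkts: List[bytes]) -> bool:
    """True if three headers are SYN, SYN/ACK, ACK with consistent numbers and ports."""
    if len(pkts) != 3:
        return False
    syn, synack, ack = (parse_tcp_header(p) for p in pkts)
    if syn["flags"] != {"SYN"} or synack["flags"] != {"SYN", "ACK"} or ack["flags"] != {"ACK"}:
        return False
    # Server acknowledges client ISN + 1; client's next seq is ISN + 1 and it
    # acknowledges server ISN + 1.  Sequence space wraps at 2**32.
    if synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        return False
    if ack["seq"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        return False
    if ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF:
        return False
    # Ports must mirror between the two directions.
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        return False
    if (ack["sport"], ack["dport"]) != (syn["sport"], syn["dport"]):
        return False
    return True


def classify_syn_probe_reply(raw: bytes) -> str:
    """Interpret a reply to a SYN probe the way a SYN scan does.

    SYN/ACK means the port is open, RST means closed.  No reply at all (a
    timeout, which this function cannot see) is what a scanner reports as
    filtered; anything else is returned as 'unexpected'.
    """
    flags = parse_tcp_header(raw)["flags"]
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "unexpected"


# Constructed exchange: client ephemeral port 40000 -> server port 80,
# client ISN 1000, server ISN 5000 (assumed values).
HANDSHAKE = [
    build_tcp_header(40000, 80, 1000, 0, FLAGS["SYN"]),
    build_tcp_header(80, 40000, 5000, 1001, FLAGS["SYN"] | FLAGS["ACK"]),
    build_tcp_header(40000, 80, 1001, 5001, FLAGS["ACK"]),
]

if __name__ == "__main__":
    for p in HANDSHAKE:
        h = parse_tcp_header(p)
        print(h["sport"], "->", h["dport"], sorted(h["flags"]), "seq", h["seq"], "ack", h["ack"])
    print("valid handshake:", is_valid_handshake(HANDSHAKE))
    print("reply to SYN probe:", classify_syn_probe_reply(HANDSHAKE[1]))
```

The seq/ack arithmetic is the part worth internalising: an IDS that sees a SYN/ACK whose ack number does not equal the preceding SYN's sequence number plus one is looking at either a spoofed reply or an unrelated flow, and the same check is how a SYN scanner pairs replies with the probes it sent.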