
Gathering Intel and Planning Attack Strategies

In the previous chapter, we learned the basics of hunting subdomains. In this chapter, we will dive a little deeper and look at other tools that are available for gathering intel on our target. We will start by using the infamous tools of Kali Linux.

Gathering information is a crucial stage of a penetration test, because every step we take afterwards builds on the information gathered during this stage. For this reason, it is very important that we gather as much information as possible before moving on to the exploitation stage.

In this chapter, we will cover the following recipes:

  • Getting a list of subdomains
  • Using Shodan for fun and profit
  • Shodan Honeyscore
  • Shodan plugins
  • Censys
  • Using Nmap to find open ports
  • Bypassing firewalls with Nmap
  • Searching for open directories using GoBuster
  • Hunting for SSL flaws
  • Automating brute force using Brutespray
  • Digging deep with TheHarvester
  • Finding technology behind webapps using WhatWeb
  • Scanning IPs with masscan
  • Finding origin servers with CloudBunny
  • Sniffing around with Kismet
  • Testing routers with Firewalk