Passive Information Gathering

export TARGET="facebook.com" # Assign our target to an environment variable

whois $TARGET

C:\htb> whois.exe facebook.com

export TARGET="facebook.com"

nslookup $TARGET

dig facebook.com @1.1.1.1

export TARGET=www.facebook.com

nslookup -query=A $TARGET

dig a www.facebook.com @1.1.1.1

nslookup -query=PTR 31.13.92.36

dig -x 31.13.92.36 @1.1.1.1

export TARGET="google.com"

nslookup -query=ANY $TARGET

dig any google.com @8.8.8.8

export TARGET="facebook.com"

nslookup -query=TXT $TARGET

dig txt facebook.com @1.1.1.1

export TARGET="facebook.com"

nslookup -query=MX $TARGET

dig mx facebook.com @1.1.1.1

export TARGET="facebook.com"

nslookup $TARGET

whois 157.240.199.35

export TARGET="facebook.com"

curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > "${TARGET}_crt.sh.txt"

head -n20 facebook.com_crt.sh.txt

openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "${TARGET}:${PORT}" | openssl x509 -noout -text -in - | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u