Sec8 - Recon & Enumeration Tools

Reconnaissance & Enumeration Tools

Gather detailed target data before active testing to streamline vulnerability discovery.

Introduction

PenTest+ Domain 2 focus: Reconnaissance & Enumeration—leveraging specialized tools for efficient data collection.

Lesson Previews

Wayback Machine – Archive.org snapshots reveal hidden directories, outdated files, past vulnerabilities
theHarvester & Hunter.io – Automate discovery of email addresses, subdomains, and employee details
OSINTframework.com, Maltego, SpiderFoot – Curated OSINT resources, graphical link analysis, and multi-source automation
Whois & recon-ng – Domain ownership records and modular reconnaissance workflows
nslookup / dig – DNS interrogation (A/MX/NS/SRV records, zone transfers, reverse lookups)
DNSdumpster & Amass – Visual DNS maps and deep subdomain enumeration (passive + active)
Shodan & Censys.io – Internet-wide search engines for exposed devices and service configurations
tcpdump & Wireshark – Packet capture (CLI & GUI) for protocol analysis and traffic inspection
Aircrack-ng, InSSIDer, WiGLE.net – Wireless scanning, signal mapping, and global WAP intelligence

Tool Details

Wayback Machine

Function: Timeline of archived web pages
Command: curl "http://web.archive.org/cdx/search/cdx?url=example.com&output=json"
Use: Uncover removed admin pages, legacy plugins, and past security flaws

theHarvester

Scope: Emails, subdomains, IPs via search engines, social media, public databases
Command: theHarvester -d example.com -b google -l 500
Benefit: Builds targets list for phishing or social engineering

Hunter.io

Role: Verify professional email patterns (e.g., firstname.lastname@…)
CLI (via Hunter CLI): hunter hunt example.com --key YOUR_API_KEY
Application: Craft realistic spear-phishing campaigns

OSINTframework.com

Directory: Tools categorized by data type (social, technical, public records)
Usage: Browse categories at https://osintframework.com

Maltego

Capability: Graphical “transforms” linking domains, people, IPs for relationship mapping
Command: Launch GUI with maltego

SpiderFoot

Automation: Over 100 modules for footprinting, port scans, social media, DNS, CVE data
Command: spiderfoot -s example.com -m all -o report.html

Whois

Function: Retrieve domain registration info
Command: whois example.com

recon-ng

Framework: Modular reconnaissance with API integrations
Commands:

recon-ng  
workspace create recon1  
modules load recon/domains-hosts/bing  
set SOURCE example.com  
run

nslookup / dig

nslookup: nslookup example.com
dig: dig example.com any +noall +answer
Zone Transfer: dig @ns1.example.com example.com axfr
Reverse Lookup: dig -x 8.8.8.8 +short

DNSdumpster

Function: Visualize DNS infrastructure
CLI: dnsdumpster example.com

Amass

Enumeration: Passive + active subdomain discovery
Commands:
Passive: amass enum -passive -d example.com
Active: amass enum -active -d example.com
Brute-force: amass enum -brute -d example.com -w wordlist.txt

Shodan

Search: Filter devices by software, port, vulnerability CVE IDs
Commands:
Host info: shodan host 8.8.8.8
Search: shodan search apache port:80
Alerts: shodan alert create port80 --query "apache"

Censys.io

API CLI: censys search "services.service_name: HTTP and location.country_code:US"
Web: Use advanced filters at https://search.censys.io

tcpdump

CLI Capture: tcpdump -i eth0 port 80 -w capture.pcap
Filter host: tcpdump host example.com and port 443

Wireshark

Launch GUI: wireshark -i eth0 -k
Capture filter: tcp port 22
Display filter: http.request.method == "GET"

Aircrack-ng

Monitor Mode: airmon-ng start wlan0
Capture: airodump-ng wlan0mon --write capture
Crack: aircrack-ng capture-01.cap -w wordlist.txt

InSSIDer

GUI Tool: Launch via desktop icon; no CLI

WiGLE.net

CLI (via wigle-cli): wigle-cli -f example-credentials.conf -lat 37.7749 -lon -122.4194
Web: Search at https://wigle.net

Get Ready: Master these commands to automate and accelerate your reconnaissance & enumeration workflow for successful penetration tests.

Notes

Explorer