- DNS
  - $ nslookup example.com
- Subdomains & AXFR
- AS details
  - $ whois example.com
  - $ whois 127.0.0.1
- Check for DNS Amplification
- CMS, Stack, Vulns
  - WhatWeb, Wappalyzer
  - Shodan / Censys / SecurityTrails
- Google Dorks
  - /robots.txt
  - /sitemap.xml
IP to AS with dig (Team Cymru DNS service; the reversed-octet form is taken from the PTR line):
$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short
IP to AS with whois:
$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1
AS details with whois:
$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666
Map IP addresses to AS by origin and netname, ignoring potentially unwanted netname values by keyword:
{% code title="whois.sh" %}
#!/bin/bash
# Usage: whois.sh ip_list.txt
# Prints "origin(s),netname(s),ip" per address, skipping netnames that
# match the exclusion keywords (e.g. broadband access pools).
while read -r ip; do
    [ -z "$ip" ] && continue
    WHOIS=$(whois "$ip")
    # "$WHOIS" must stay quoted, otherwise the lines collapse into one and grep/cut return garbage
    ASNUM=$(echo "$WHOIS" | grep -i "^origin:" | tr -d ' ' | cut -d ":" -f 2 | sort -u | paste -sd ',' -)
    NETNAME=$(echo "$WHOIS" | grep -i "^netname:" | tr -d ' ' | cut -d ":" -f 2 | sort -u | paste -sd ',' -)
    if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
        echo "$ASNUM,$NETNAME,$ip"
    fi
done < "$1"
{% endcode %}
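The same origin/netname mapping as a structured Python function, added here as an example and not part of the original page: it splits whois output into RPSL objects, so several objects and repeated origin: lines are handled, applies the same netname keyword filter, and runs on a constructed sample rather than a live lookup.

```python
import re

# Constructed sample of RPSL-style whois output (made-up data in the
# 203.0.113.0/24 documentation prefix); a blank line separates the objects.
SAMPLE_WHOIS = """\
% Information related to '203.0.113.0 - 203.0.113.255'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-CORP-NET
descr:          Example Corp office network

% Information related to '203.0.113.0/24AS64496'

route:          203.0.113.0/24
origin:         AS64496
"""

# Same exclusion list as whois.sh: broadband access pools are not assets.
EXCLUDE_KEYWORDS = ("pppoe", "ipoe")


def parse_rpsl(text):
    """Split whois output into objects: dicts of lowercase attribute -> list of values.
    Objects are separated by blank lines; '%' and '#' lines are server comments."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":
            if current:
                objects.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z0-9_-]+):\s*(.*)$", line)
        if m:
            current.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects


def summarize(ip, whois_text, exclude=EXCLUDE_KEYWORDS):
    """Return (origins, netnames, ip) for one address, or None when any
    netname contains an excluded keyword (the record is filtered out)."""
    origins, netnames = set(), set()
    for obj in parse_rpsl(whois_text):
        origins.update(obj.get("origin", []))
        netnames.update(obj.get("netname", []))
    if any(k in n.lower() for n in netnames for k in exclude):
        return None
    return sorted(origins), sorted(netnames), ip
```

For live use, feed `summarize()` the output of `subprocess.check_output(["whois", ip], text=True)` instead of the constructed sample.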
One-liner taking its input from DivideAndScan:
$ for i in `das -db corp scan -ports all -show -raw | sort -u`; do whois $i | grep -e org-name: -e netname: -e route: -e origin:; echo ---; done
Using asnmap:
$ asnmap -i `das -db corp scan -ports all -show -raw | sort -u | sed -z 's/\n/,/g;s/,$/\n/'` -silent
$ asnmap -d `cat domains.txt | sed -z 's/\n/,/g;s/,$/\n/'` -silent
The difference between as-name, aut-num, origin, netname, etc. is explained in the RIPE documentation.