# Information gathering

## WHOIS

{% tabs %}
{% tab title="CLI" %}

```bash
whois test.com
whois -h whois.godaddy.com test.com
```

> The WHOIS protocol runs on TCP port 43.

{% endtab %}

{% tab title="Online" %}

* [https://who.is/](https://who.is/)
* [https://whois.domaintools.com/](https://whois.domaintools.com/)
* [https://bgp.he.net/](https://bgp.he.net/)
* [https://networking.ringofsaturn.com/Tools/whois.php](https://networking.ringofsaturn.com/Tools/whois.php)
* [https://www.networksolutions.com/whois](https://www.networksolutions.com/whois)
* [http://www.betterwhois.com/](http://www.betterwhois.com/)
* [https://lookup.icann.org/](https://lookup.icann.org/)
* [https://www.namecheap.com/domains/whois/](https://www.namecheap.com/domains/whois/)

{% endtab %}
{% endtabs %}
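The `whois` client above hides what actually happens on TCP/43: one query line is sent, the server answers and closes the connection, and for thin registries such as `.com` the first answer only names the registrar's server, which has to be queried in turn. The following is an added example (not code from the original page) that does this by hand; the referral field names are the real ones used by IANA, gTLD registries and the RIRs, while the hostnames in the offline checks (`whois.example-registrar.net`) are constructed.

```python
"""Minimal WHOIS client on TCP/43 that follows registrar referrals (RFC 3912).
Added example; not part of the original cheat-sheet."""
import re
import socket
import sys
from typing import List, Optional, Tuple

WHOIS_PORT = 43
# Fields that name the next server: "refer:"/"whois:" in IANA output,
# "Registrar WHOIS Server:" in gTLD registry output, "ReferralServer:" at RIRs.
# A non-standard rwhois port after the host is ignored on purpose.
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|whois|Registrar WHOIS Server|ReferralServer):\s*(?:r?whois://)?([^\s/:]+)",
    re.IGNORECASE | re.MULTILINE,
)


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one query line and read until the server closes the connection,
    which is how the protocol delimits a response."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(text: str, current: str) -> Optional[str]:
    """Return the next WHOIS server named in a response, or None when the
    response is authoritative (no referral, or a referral back to itself)."""
    for m in REFERRAL_RE.finditer(text):
        server = m.group(1).strip().rstrip(".").lower()
        if server and server != current.lower():
            return server
    return None


def whois_lookup(domain: str, start: str = "whois.iana.org",
                 max_hops: int = 3) -> List[Tuple[str, str]]:
    """Walk the referral chain from IANA; returns [(server, raw response), ...]."""
    server, hops = start, []
    for _ in range(max_hops):
        text = whois_query(server, domain)
        hops.append((server, text))
        nxt = parse_referral(text, server)
        if nxt is None:
            break
        server = nxt
    return hops


if __name__ == "__main__":
    for srv, body in whois_lookup(sys.argv[1] if len(sys.argv) > 1 else "test.com"):
        print(f"### {srv}\n{body}")
```

Running it as `python3 whois_raw.py test.com` prints each hop separately, which makes it obvious which data came from the registry and which from the registrar; `whois -h whois.godaddy.com test.com` from the CLI tab is the manual equivalent of the last hop.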

## Enumeration through DNS

{% tabs %}
{% tab title="NSLookup CLI" %}

* One-liners:

```bash
nslookup test.com
nslookup -type=PTR 200.0.0.1
nslookup -type=MX test.com
```

* Changing parameters inside the interactive NSLookup shell:

```bash
nslookup
server 192.168.1.1
set type=ns
test.com
set type=mx
test.com
```

{% endtab %}

{% tab title="NSLookup Online" %}

* [https://network-tools.com/nslookup/](https://network-tools.com/nslookup/)
* [https://www.dnsqueries.com/en/](https://www.dnsqueries.com/en/)
* [https://mxtoolbox.com](https://mxtoolbox.com)
* [https://dnsdumpster.com/](https://dnsdumpster.com/)

{% endtab %}

{% tab title="Dig" %}

```bash
dig test.com +short
dig -x 200.0.0.1 +short              # reverse (PTR) lookup takes an IP address, not a name
dig test.com MX
dig test.com NS
dig +nocmd test.com MX +noall +answer
```

{% endtab %}

{% tab title="DNSEnum" %}

```bash
dnsenum test.com
dnsenum test.com -f subdomains_wordlist_bruteforce.txt
```

{% endtab %}

{% tab title="Fierce" %}

```bash
fierce --domain test.com
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="DNSMap" %}

```bash
dnsmap test.com
```

{% endtab %}

{% tab title="DNSRecon" %}

```bash
dnsrecon -d test.com -a
```

{% endtab %}

{% tab title="Zone transfer" %}

* Windows:

```batch
nslookup
server ns.test.com
ls -d test.com
```

* Linux:

```bash
dig axfr @192.168.1.1 test.com
dig axfr @test.com test.com +nocookie
```

{% endtab %}
{% endtabs %}
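Why `dig axfr` needs TCP and what a refused versus an open transfer looks like on the wire is easier to see without a DNS library. The block below is an added example (not code from the original page): it builds the DNS header and question by hand, sends an AXFR (QTYPE 252) over TCP with the 2-byte length prefix the protocol requires, and classifies the first response message by RCODE and answer count. The server and zone are command-line arguments; the response headers in the offline checks are constructed.

```python
"""Hand-built DNS query plus response-header parser, used to test a name server
for an open zone transfer. Added example; not part of the original cheat-sheet."""
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AXFR": 252, "ANY": 255}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Owner name to wire-format labels: test.com -> \\x04test\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (flags 0x0100 = RD set, QR clear) + one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header; enough to judge an AXFR attempt."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated (never set on a TCP AXFR)
        "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def tcp_exchange(server: str, query: bytes, timeout: float = 5.0) -> bytes:
    """AXFR must use TCP; every message is prefixed with its 16-bit length.
    Only the first response message is read: a large zone spans several."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def axfr_verdict(query: bytes, response: bytes) -> str:
    """OPEN when the server answered NOERROR with records; CLOSED otherwise."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "INVALID: id mismatch or not a response"
    if r["rcode"] != "NOERROR":
        return f"CLOSED: {r['rcode']}"
    if r["ancount"] == 0:
        return "CLOSED: NOERROR but no records"
    return f"OPEN: {r['ancount']} record(s) in first message"


if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]
    q = build_query(zone, "AXFR")
    print(axfr_verdict(q, tcp_exchange(server, q)))
```

A correctly configured authoritative server answers `REFUSED` to anyone who is not a listed secondary (BIND `allow-transfer`, ideally with TSIG); `NOERROR` with the SOA and every record of the zone in the answer section is the open transfer `dig axfr` prints. On the defensive side the same query is easy to spot: DNS over TCP with QTYPE 252 from an address that is not one of your secondaries.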

## IP address enumeration

{% tabs %}
{% tab title="NSLookup" %}

```bash
nslookup ns.test.com
```

{% endtab %}

{% tab title="Online lookups" %}

* [https://reverseip.domaintools.com/](https://reverseip.domaintools.com/)
* [https://www.robtex.com/](https://www.robtex.com/)
* [https://whois.arin.net/](https://whois.arin.net/)
* [https://bgp.he.net/](https://bgp.he.net/)

{% endtab %}

{% tab title="Fping" %}

```bash
fping -a -g 192.168.1.0/24
fping -A 192.168.1.1 -r 0 -e
```

* `-a` show only hosts that are alive
* `-g` generate the target list from an address/mask
* `-A` show targets by IP address instead of hostname
* `-r` number of retries (default 3)
* `-e` show the elapsed round-trip time of each reply

{% endtab %}

{% tab title="NMAP" %}

```bash
nmap -sn 192.168.1.0/24
nmap -sn --disable-arp-ping 192.168.1.0/24
nmap -sn --send-ip 192.168.1.0/24
nmap -sn -n -PS21,22,23,53,80,110,135,443,445 192.168.1.0/24
```

* `-sn` ping scan (ping sweep): host discovery only, no port scan
* `--disable-arp-ping` turns off the ARP/ND ping used on the local segment and falls back to the regular IP-level probes (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp)
* `--send-ip` sends raw IP packets instead of Ethernet frames, which on a local network has the same effect as `--disable-arp-ping`
* `-n` never do DNS resolution
* `-PS` TCP SYN ping to the listed ports (port 80 by default); either a SYN/ACK or a RST reply proves the host is up, only silence leaves it undecided

{% endtab %}
{% endtabs %}
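The `-PS` logic above (a RST is as good as a SYN/ACK for deciding a host is up) is worth seeing in code. The block below is an added example, not code from the original page or from nmap: an unprivileged approximation that completes a full `connect()` instead of sending raw SYNs, so it needs no root but is noisier and shows up in the target's connection logs. The port list is the one from the `nmap -PS` line above; the network ranges in the offline checks are constructed.

```python
"""TCP-connect host discovery modelled on nmap -PS: a completed connect
(SYN/ACK) or an immediate refusal (RST) both prove the host is up; a timeout
or 'unreachable' leaves it undecided. Added example; not the cheat-sheet's code."""
import errno
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

DEFAULT_PORTS = (21, 22, 23, 53, 80, 110, 135, 443, 445)
# connect_ex() returns 0 when the handshake completed (SYN/ACK seen) and
# ECONNREFUSED when the host answered with a RST; both mean "alive".
ALIVE_ERRNOS = {0, errno.ECONNREFUSED}


def expand_targets(spec: str) -> List[str]:
    """'192.168.1.0/30' -> the usable host addresses; a single IP is returned as-is."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses <= 2:          # /31 and /32 have no network/broadcast to skip
        return [str(ip) for ip in net]
    return [str(ip) for ip in net.hosts()]


def probe(ip: str, port: int, timeout: float = 1.0) -> int:
    """Return the errno of one connect attempt (0 on success, EWOULDBLOCK on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port))


def classify(results: Iterable[int]) -> str:
    """nmap -PS rule: any SYN/ACK or RST -> 'up'; no answer on any port -> 'no response'."""
    return "up" if any(code in ALIVE_ERRNOS for code in results) else "no response"


def host_state(ip: str, ports: Iterable[int] = DEFAULT_PORTS,
               timeout: float = 1.0) -> Tuple[str, str]:
    return ip, classify(probe(ip, p, timeout) for p in ports)


def sweep(spec: str, ports: Iterable[int] = DEFAULT_PORTS,
          workers: int = 64, timeout: float = 1.0) -> List[str]:
    """Probe every address in the range concurrently and return the live ones."""
    ports = tuple(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda ip: host_state(ip, ports, timeout), expand_targets(spec))
    return [ip for ip, state in states if state == "up"]


if __name__ == "__main__":
    import sys
    for alive in sweep(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"):
        print(alive)
```

Hosts behind a firewall that silently drops packets to all probed ports come back as `no response` here exactly as they do with `nmap -sn -PS`, which is why the port list matters: pick ports a filter is likely to let through to the segment you are sweeping.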

{% tabs %}
{% tab title="Hping" %}

```bash
hping3 -1 192.168.1.1 -c 3
hping3 -2 192.168.1.1 -c 3
hping3 -S 192.168.1.1 -c 3
hping3 -S 192.168.1.1 -c 3 -p 80
hping3 --icmp-ts 192.168.1.1 -c 3 -v
hping3 -1 192.168.1.x --rand-dest -I eth0
```

* `-1` ICMP mode
* `-2` UDP mode
* `-S` set the TCP SYN flag (the default destination port is 0)
* `-p` destination port to probe
* `--icmp-ts` send ICMP timestamp requests
* `-v` verbose
* `-c` number of packets to send
* `--rand-dest` randomize the destination, replacing each `x` in the address with a random octet
* `-I` source interface to use

{% endtab %}

{% tab title="Active DNS servers" %}

```bash
nmap -sS -p53 192.168.1.0/24
nmap -sU -p53 192.168.1.0/24
nmap -sS -sU -p53 -n -Pn -iL ip-list.txt
```

{% endtab %}
{% endtabs %}
