Google Dorking & DNS Enumeration

site:microsoft.com -> To view specific results that only contain the target domain name. Imagine that you are looking for search results that contain a keyword but only from the target domain. Here, you can use the keyword site:domain.com. If you want to filter your search results so that they include two specific keywords, you can use the keyword1 AND keyword2 site:domain.com syntax. We can also use the OR syntax. To filter the search results to display a specific file type from a target domain, use the site:domain.com filetype:[file type] syntax. To discover specific URLs that contain a specific keyword within their page title, use the site:domain.com intitle:keyword syntax. To remove from the displayed results those URLs of a target domain that do not include a specific keyword, use the site:domain.com -keyword syntax. Tip: You can use the intext: syntax with a keyword to search for a specific web page that contains the keyword within its text/body. Using inurl: with a keyword allows you to filter URLs that contain the specific keyword within their URL, which may lead to a potentially sensitive directory in a company’s domain. ...

November 24, 2025 · 5 min · 880 words · 0x-s0M3n4th

Enumerating Subdomains

DNSMap: DNSmap works a bit differently from the tools we looked at in the previous sections. DNSmap attempts to enumerate the subdomains of an organization’s domain name by querying a built-in wordlist on Kali Linux. Once a subdomain has been found, DNSmap will also attempt to resolve the IP address automatically. Sublist3r: You can leverage the power of search engines for discovering subdomains by using the Sublist3r tool. Sublist3r is a Python-based tool that is used to enumerate (extract/obtain) the subdomains of a given website using OSINT, such as search engines and other internet indexing platforms. ...

November 24, 2025 · 2 min · 266 words · 0x-s0M3n4th

Profiling Websites Using EyeWitness

After discovering the subdomains of a target domain, it’s important to check each one to determine which subdomain leads to a login portal or a sensitive directory of the organization. However, there may be a lot of subdomains to check manually, and this process can be very time-consuming. As an aspiring penetration tester, you can be strategic and use a tool such as EyeWitness, which allows you to automate the process of checking each subdomain within a file and taking a screenshot of them. ...

November 24, 2025 · 2 min · 269 words · 0x-s0M3n4th

Active Scanning Techniques

During the reconnaissance phase, penetration testers will eventually need to directly engage the target by performing an active information gathering technique known as scanning. Scanning is a technique that’s used to discover live systems on a network, identify the open service ports on a system, and discover vulnerabilities on host machines and even their operating system architecture. The information that’s gathered from scanning helps the penetration tester gain a clearer view of their targets compared to passive information gathering. When we perform this type of scan, chances are that we will get blocked most of the time because of firewalls ...

November 24, 2025 · 4 min · 845 words · 0x-s0M3n4th

Probing Open Services, Ports & OS

After discovering the hosts on a network, the next phase is to identify any open service ports on the target system and determine which services are mapped to those open ports. There are various techniques that a penetration tester can use to identify the open ports on a target system. Some techniques are manual, while others can simply be automated using the Nmap tool. Basic Nmap scan; this will perform a scan of the 1000 most commonly used ports: nmap 172.30.1.134 Tip: As an aspiring ethical hacker and penetration tester, if you’re not familiar with some of the services discovered from a scan, you must perform research to gain a better understanding of a service’s role and its functionality on a system and network. ...

November 24, 2025 · 5 min · 1022 words · 0x-s0M3n4th

Evasion Techniques

Whenever a packet is sent from one device to another, the source IP address is included within the header of the packet. This is the default behavior of the TCP/IP protocol stack. Avoiding detection using decoys: If you want to perform a scan on the target system at 172.30.1.134 and use the decoy feature of Nmap, we can use the -D option: nmap target_ip -D DECOY_IP More Nmap-based IDS evasion scans: nmap -Pn -sV -p80,443 -f{IDS EVASION} --mtu 8 IP_ADDRESS nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D{decoy} GATEWAY_IP_FOR_DECOY ATTACKING_IP nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -g 53 -D(decoy) GATEWAY_IP_FOR_DECOY ATTACKING_IP COMMAND BRIEFS: ...

November 24, 2025 · 2 min · 223 words · 0x-s0M3n4th

Spoofing MAC & IP Address

Nmap supports both MAC and IP address spoofing; follow the command: nmap -Pn --spoof-mac Dell target_ip I captured the live packets using Wireshark, and it actually spoofed the MAC address to a Dell MAC address. You can set the option --spoof-mac 0 to let Nmap choose which vendor it wants to use. To spoof an IP address during a scan while using Nmap, use the -S option: sudo nmap -S spoofed_ip -e eth0 target_ip # sudo nmap -S 192.168.0.1 -e eth0 172.30.1.134 IP spoofing won’t work well: when the target tries to complete the TCP three-way handshake, the SYN-ACK reply goes to the spoofed IP, so we never receive the connection or scan results back. ...

November 24, 2025 · 2 min · 306 words · 0x-s0M3n4th

Enumerating Common Network Services

Scanning using Metasploit: 1. Start the msfconsole: sudo msfconsole 2. Search for portscan modules: msf> search portscan 3. Let’s use the 6th module and do the operation: use 6 options set RHOSTS 172.30.1.134 # setting the target_ip run Enumerating SMB using msfconsole: Server Message Block (SMB) is a network service that allows hosts to send resources such as files to other hosts on a network. As an aspiring ethical hacker and penetration tester, it’s always recommended to enumerate file shares once they are within your scope for the penetration test. ...

November 24, 2025 · 2 min · 329 words · 0x-s0M3n4th

User Enumeration Using Noise Authentication

As many organizations are using cloud-based email solutions such as Office 365 and Google Workspace for their employees, they are also synchronizing their Active Directory user database with the email services of their preferred cloud-based email provider. This means that an employee’s login username is the same as the username portion of their email address. When we get to any login page, there is a high chance that we can guess a username/email, and the page will then give us a "password incorrect" error, through which we can identify that we have a valid username, which can also be found in the target’s AD services.

November 24, 2025 · 1 min · 107 words · 0x-s0M3n4th

Finding Data Leaks on the Cloud

There are some very well-known cloud providers within the industry:
• Amazon Web Services (AWS)
• Microsoft Azure
• Google Cloud
A common service that cloud providers usually offer to customers is a storage facility. The AWS storage facility is known as Simple Storage Service (S3). Whenever a customer enables the S3 service, a bucket is created. A bucket is a storage unit within the AWS platform where the customer can add or remove files. In Microsoft Azure, the file storage facility is known as Azure Files. Additionally, on Google Cloud, the storage facility is known as Google Cloud Storage. ...

November 24, 2025 · 3 min · 449 words · 0x-s0M3n4th