Passive Reconnaissance

scan network, open data, gather information

Passive Recon means we use publicly available information to profile a target.

The resources on this page require just a web browser.

Learning Networking Fundamentals is a manual process.


IBM — Fundamentals of Networking

Microsoft — Understanding TCP/IP and subnetting basics

Hal Burch & Bill Cheswick — Tracing Anonymous Packets to Their Approximate Source

Oracle — Overview of Mobile IP


A basic web stack consists of an operating system, 1 programming language, database software and a web server. LAMP Stack acronym stands for Linux, Apache, MySQL, and PHP an open-source web development platform. WISA Stack acronym stands for Windows, IIS, SQL server, and ASP.NET.

Built With Trends Web and Internet Technology Usage Statistics

Browser Audits

Web app security testing with browsers — by Abhi M. Balakrishnan, SecurityCompass
Can you perform web application security testing just using a browser? Think of a scenario where you have to do security testing from a very limited environment where you have no access to run scripts or tools and all you have is a browser. This guide looks at web application security testing from such a locked down scenario. The goal is to cover as many security test cases as possible from a browser.

Browser Audit 400+ tests — by Department of Computing at Imperial College London
The modern web relies on lots of security standards and features to keep you and your data safe as you browse the web. How effective they are at protecting you depends on how well your web browser implements them: if your browser contains bugs, it might not be doing everything it can to keep you safe.

App & Browser Testing Made Easy — by BrowserStack
The most reliable mobile app & cross browser testing. Test regressions, reproduce bugs and ensure compatibility.


Single Domain Certificates will secure your domain, email and control panel logins.

Wildcard Certificates secure multiple sub-domains for a domain. Known for its unique requirement of a *, or asterisk, to be used during the generation process.

Multi-Domain (SAN) Certificates protect multiple fully qualified domain names (“”). Certain server environments will not allow multiple certificates to be installed, so this is an easy and cost-effective solution.

Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. An SSL certificate with more than one name is associated using the SAN extension.

Multi-Domain Wildcard Certificates are unique in the fact that there is nothing it cannot secure. Often used for organizations with complicated web-infrastructure. These certificates will secure up to 250 domains on a single certificate, depending on the vendor.

Certificate Tools

SSL Blacklist (SSLBL) allows you to browse all malicious SSL certificates identified by SSLBL.

Google's Certificate Transparency project aims to safeguard the certificate issuance process by providing an open framework for monitoring and auditing HTTPS certificates. Certificates and issuing CAs have proven vulnerable to compromise and manipulation. Certificate Search Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a ID. Wildcard: %domain-name

Spyse SSL/TLS Data Providing Service is a cybersecurity search engine which collects and maintains tons of valuable information about SSL/TLS certificates.

Rapid7 Sonar SSL dataset contains a collection of metadata related to the net new X.509 certificates observed in each study when considering all SSL studies that ran prior. The _hosts and _endpoints files provide mapping between the IPs/endpoints and the fingerprint of the X.509 certificate presented.

SSL Labs Server Test This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.

Censys X.509 certificate scanner. Raw and parsed data certificates synchronized with public CT logs or discovered via Internet-wide scans.

Built With Trends SSL usage distribution in the top 1 million sites.

Qualys CertView is totally free, and there’s no software to download or install. See your SSL/TLS configuration grades with recommended fixes. Identify the certificate issuer. Find out when each certificate will expire.

Domain Name System

The Domain Name System is a hierarchical and decentralized naming system for computers, services, and resources connected to the Internet or a private network. It associates various information with domain names assigned to each participating entity.

AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS queries that require the user to know some DNS information ahead of time, AXFR queries reveal resource records including subdomain names.

Domain-based Message Authentication, Reporting and Conformance

DMARC is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated. It builds on SPF and DKIM, providing a method to set policy and to give reporting of failures.

DMARC Deployment Tools DMARC Record Creation, DNS Record Lookup and Parsing, Message Validation, and Report Parsing and Display

Kitterman SPF Record Testing Tools Retrieves SPF (Sender Policy Framework) records for the specified domain name and determines if the record is valid.

DKIM, SPF, Validator Verify the end-to-end functionality of your configuration.


Dig (Domain Information Groper) will query the Domain Name System. The results are almost always Domain Profile & Registrar, Registrant (usually protected by domain name privacy), Name Servers, Transfer Status, Registration, Timestamp, IP association, Title, SEO output, web servers (Apache, LightSpeed, Sun Java System Web Server, JigSaw) outbound links, MX Records, Reverse and PTR DNS records.

ImmuniWeb performs security and privacy checks. GDPR & PCI DSS compliance, CMS and its components for outdated versions and publicly-known vulnerabilities, HTTP methods, headers (HSTS, X-Frame-Options, X-Powered-By, X-Content-Type-Options, X-XSS-Protection, CSP, Public-Key-Pins and more) methods that may put web server, web application or website visitors at risk, analysis (syntax, validity, trustworthiness) of HTTP security headers, altered, and thus potentially malicious, JS libraries, ViewState for misconfigurations and security weaknesses, web application cookies for security flags, domain’s presence in various blacklists, Cryptojacking within JS code, and WAF presence detection.

G Suite Toolbox gives you browser info check, MX Dig, HAR analyzer, log analyzer, logger shark, message headers, and additional tools such as encode/decode.

Robotex uses various sources to gather public information about IP numbers, domain names, host names, autonomous systems, routes etc. It then indexes the data in a big database and provide free access to the data.

Netcraft Bad Site Report will list the domains background, network, hosting history, sender policy framework, check for DMARC, check for web trackers, site technology, character encoding, http compression, web browser targeting, doc type, and check for html version and css usage.

IntoDNS checks the health and configuration and provides DNS report and mail servers report. Suggestions to fix and improve them, with references to protocols’ official documentation. Online Ping, Traceroute, DNS lookup, WHOIS, Port check, Reverse lookup, Proxy checker, Bandwidth meter, Network calculator, Network mask calculator, Country by IP, Unit converter.

IPFingerPrints IP Address Geographical Location Finder helps you find the approximate geographic location of an IP address along with some other useful information including ISP, TimeZone, Area Code, State etc. check mail server encryption.

UpGuard for a free risk assessment of that website.

Mozilla Observatory has helped over 170,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.

Sucuri SiteCheck scanner will check the website for known malware, viruses, blacklisting status, website errors, and out-of-date software, and malicious code.

Quttera tool scans 20MB of the URL response content and can effectively identify evolving web threats.

Zulu Dynamic risk scoring engine for web based content. How safe is your web destination? is your one source for free DNS related tools and information!


Can be used for email confirmation or registration. Vendors may test beta software on subdomains giving access to employee or client only.

DNS Trails data for security companies, researchers and teams who need to drill down, find suspicious changes to DNS records, and prevent future fraudulent or criminal activity.

DNSdumpster is a domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process. Save results by .xlxs or image map.

PenTest-Tools Subdomain Scan lists subdomains which are vulnerable to hostile takeover. You get 2 free scan credits.

NMMapper finds subdomains using Sublist3r, DNScan, Anubis, Amass, Nmap-dns-brute.nse, Lepus, Findomain, Censys

WikiHak Sub Scanner helps penetration testers and ethical hackers to find and gather subdomains of any domain online.

Subdomain Takeovers

CNAME records must always be pointed to another domain name and never to an IP address. Should an attacker edit the subdomain's CNAME, the owner of the domain, and hosting provider could potentially host or redirect traffic to malicious content.

Indirect subdomain takeover attacks can happen when one includes web resources that are accessed on a third-party service. Consider when a website uses a JavaScript file hosted on GitHub. If the corresponding GitHub username gets deleted, an attacker can claim that name and replace the JavaScript with the attacker's own code.

Subdomain takeover — Chapter one: Methodology by Trung Nguyen shares his discoveries that will show perspective, and how to find vulnerable websites and how to exploit them, on a case by case basis.

The Principles of a Subdomain Takeover digs deep into the matter of subdomain takeovers, to make you understand all you need to know in order to defend yourself.

UltraTools DNS Zone File Dump tool provides DNS zone transfer and DNS server information to help you test DNS zone transfers.

MX Toolbox CNAME lookup test will list CNAME records for a domain in priority order. The CNAME lookup is done directly against the domain's authoritative name server, so changes to CNAME Records should show up instantly. Subdomain Takeover: Basics

HTTP Header Check

Should a webmaster fail to harden the server and website HTTP Headers, they can be left open to a variety of attacks. Common HTTP Headers:

HTTP Strict Transport Security, Content Security Policy, Access-Control-Allow-Origin, X-FrameOptions, X-XSS-Protection, X-Content-Type-Options, Server, X-Powered-By

This Example will show an A+ rating for and an explanation for each header type.

Most of the scanners referenced on this web page will scan for these kind of vulnerabilities.

OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

Sensitive File Discovery

webhint is a linting tool (static code analyzer) available in preview mode. Lists every file within a public_html or www folder. Non-public files are excluded.

PenTest-Tools Fuzzer allows you to discover hidden files and directories. You get 2 free scan credits.

SEO Site Checkup Directory Browsing Test checks if your server allows directory browsing.

Google Hacking for Penetration Testers is your Fundamnetal Start to learning Google Hacking.

Google Hacking Diggity Project is a research and development initiative dedicated to investigating Google Hacking, i.e. the latest techniques that leverage search engines, such as Google, Bing, and Shodan, to quickly identify vulnerable systems and sensitive data in corporate networks.

Google Hacking Database (dorks) by Offensive Security is an index of search queries used to find publicly available information, intended for pentesters and security researchers.

Google Dork List full of operators you can use to search.


intitle:"pfsense - Login"
filetype:"xls | xlsx | doc | docx | ppt | pptx | pdf" site:gov "FOUO" | "NOFORN" | "Confidential"

SiteDigger v3 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.

Bing Hacking Database - BHDB v2 makes Bing hacking just as effective as Google hacking (if not more so) for uncovering vulnerabilities and data leaks on the web.

Hacking CSE for All Top Level Domains Use this document, which provides a quick overview of how you can create a Google CSE of your own that simulates getting the normal full results of Google (i.e. search results across Internet). We accomplish this by creating a Google CSE that returns results for all top level domains (TLDs) – examples: .com, .org. .gov, .edu

File Types

Metedata can be descriptive, structural, administrative, reference, and statistical.

EXE or Executable is the standard file extension used by Windows programs.

Text, Documentation, Scripts: XML, PDF/A, HTML, PHP, CSS, Plain Text.

Still Image: TIFF, JPEG 2000, PNG, JPEG/JFIF, DNG, BMP, GIF.

Geospatial: Shapefile (SHP, DBF, SHX), GeoTIFF, NetCDF.


Video: MOV, MPEG-4, AVI, MXF.

Linux Juggernaut: Linux & Unix File Types

Apple: Apple File System (APFS)

Wikipedia: List of File Formats

[MS-OFFDI]: Microsoft Office File Format Documentation Introduction

File Analysis Tools

FOCA (Fingerprinting Organisations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans.

MetaData2Go is an online drag and drop file service used to find hidden metadata.

DAM tools: Metadata editing/extraction tools is a large guide for managing, editing, and preserving digital assets.

Hybrid Analysis free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

VirusTotal analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.

Aconvert basic file format analysis online.

Crowd Response free static host data collection tool.

Toolsley — Figure out the type of a file based on it's contents. Recognizes over two thousand file formats using libmagic. Drag and Drop.

Get Metadata free online exif viewer.

Audacity audio editor online to import your own audios, remove noise, cut and combine clips, apply special audio effects to achieve professional results. Multiple audio effects and integration with other applications.

Using a New, Free Spectrograph Program to Critically Investigate Acoustics A project between Edward Ball at Academo (UK) and Prof. Michael J. Ruiz at UNC Asheville (USA), based on work by Boris Smus, Google (USA).

OPSWAT MetaDefender Malware analysis scan. Drag and drop any file or type the url.

Canary Tokens

Canary Tokens are readable files containing made-up information. Planting these within computer or web server directories will alert you when opened.

Station X provides the framework to automate this task.

OpenCanary is a daemon that runs canary services, which trigger alerts when (ab)used.

Network Scanners gives you ISPs basic info, geo information, maps, and A, B, C Class IP ranges.

IPv6 Online Port Scanner is a standalone web based port scanner. IPv6Scanner is a port scanner that allows you to probe a server for open, closed or filtered ports. You can specify a host name, IPv4 or IPv6 address. The purpose of this tool is to enable the administrators to verify security. SSL cert is not valid.

Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

Thingful search engine for the Internet of Things.

Zoomeye search engine for open devices that are vulnerable.

IPFingerPrints Network Port Checker & Scanner Tool can be used to identify available services running on a server, it uses raw IP packets to find out what ports are open on a server or what Operating System is running or to check if a server has firewall enabled etc.

Content Management Systems

Search for Common Vulnerabilities and Exposures (CVE) exploits: Joomla, Drupal, Magento, Kentico, TYPO3, Grav, concrete5, Telerik, SharePoint, PrestaShop, DotNetNuke, ExpressionEngine, Umbraco, Contao, Plone, SilverStripe, Textpattern, MODX, Magnolia, Mambo, Sitecore, django CMS, CMS Made Simple, Orchard Project, October, ProcessWire, and b2evolution.

What CMS Is This allows you to scan a website for the type of CMS.

W3Techs allows to scan a website for the type of CMS and other technology versions in use. WordPress Vulnerability Database WordPress CVE compliant archive of public exploits

Rapid 7 WordPress vulnerability & Exploit Database

NIST WordPress National Vulnerability Database

MITRE WordPress CVE Database.

Hacker Target Analysis and Security Scan

Discover vulnerabilities, web server details and configuration errors.

WordPress Scan

Joomla Scan

Drupal Scan

Wayback Machine

Known as the Internet Archive, a web crawler indexes everything available on the clearnet. Since October 2001 free public access to collections of digitized materials, websites, software applications/games, music, movies/videos, moving images, and millions of public-domain books have been archived.

Search - A Basic Guide

GitHub Repositories