Passive Information Gathering

Website Recon

Command	Description
`whois <domain>`	Registration info: owner, registrar, dates, name servers.
`host <domain>`	Resolve domain to IP (two IPs may indicate CDN or proxy).
`whatweb <domain>`	Identify CMS, server, frameworks, and technologies.
`curl -I http://<domain>`	Grab HTTP response headers (Server, X-Powered-By).
`wafw00f http://<domain> -a`	Detect WAF and identify the solution in use.

DNS Reconnaissance

Command	Description
`dnsrecon -d <domain>`	General DNS recon: records, zone transfer attempt.
`dnsenum <domain>`	DNS enumeration and brute-force attempt.
`dig any <domain>`	Query all DNS record types.
`dig axfr @<nameserver> <domain>`	Attempt DNS zone transfer (AXFR).
`fierce -dns <domain>`	DNS brute-force for subdomains.
`nmap -p 177 -A <IP>`	Identify BIND DNS server.

Subdomain Enumeration

Command	Description
`sublist3r -d <domain>`	Find subdomains via search engines (Google, Bing, etc.).
`sublist3r -d <domain> -o subdomains.txt`	Save results to a file.
`amass enum -d <domain>`	Comprehensive subdomain discovery.

Google Dorks

Dork	Description
`site:<domain>`	All indexed pages for a domain.
`site:*.<domain>`	Subdomains only (excludes main domain).
`site:<domain> inurl:admin`	Pages with "admin" in the URL.
`site:*.<domain> intitle:<keyword>`	Subdomains with a keyword in the title.
`site:*.<domain> filetype:pdf`	PDFs hosted on subdomains.
`inurl:wp-config.bak`	Exposed WordPress backup config files.
`inurl:auth_user_file.txt`	Sites exposing HTTP auth credential files.
`intitle:"index of"`	Directory listing vulnerability.
`cache:<domain>`	Google's cached version of a site.

Email Harvesting

Command	Description
`theharvester -d <domain> -b google,yahoo,bing`	Harvest emails and names from search engines.
`theharvester -d <domain> -b all -f output.html`	Full harvest, save to HTML.

Leaked Credentials

Resource	Description
`https://haveibeenpwned.com`	Check if an email appeared in known breaches.
`https://www.dehashed.com`	Search leaked credential databases.