Cyber Tools


  1. Familytreenow
  2. Meterpreter - Whenever possible use this.
  3. haveibeenpwned - has an email address been compromised
  4. Google Hacking Database (google dorks)
  5. nslookup - search DNS servers
  6. Netcraft
  7. Shodan
  8. arin - 
  9. edgar - company registration information
  10. google hacking - tricks for using google search (PDF book)
  11. httrack - copy a person's web site
  12. Maltego
  13. theHarvester
  14. metagoofil
  15. Nmap - scan for open ports
  16. dig
  17. insecam - insecure webcams


Metagoofil is a Linux-based information gathering tool designed for extracting metadata from public documents (.pdf, .doc, .xls, .ppt, .odp, .ods).

The command to run metagoofil is as follows:

  metagoofil -d <client domain> -l 100 -f all -o <client domain>.html -t micro-files

The Harvester

TheHarvester is a tool, written by Christian Martorella, that can be used to gather e-mail accounts and subdomain names from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective.

root@pentest:/pentest/enumeration/theharvester# ./

Examples:./ -d -l 500 -b google
         ./ -d -b pgp
         ./ -d microsoft -l 200 -b linkedin

TheHarvester will search the specified data source and return the results. This should be added to the OSINT document for use at a later stage.

root@pentest:/pentest/enumeration/theharvester# ./ -d -b google -l 500


Once the appropriate Registrar has been queried, we can obtain the Registrant information. There are numerous sites that offer WHOIS information; however, for accuracy in documentation, you need to use only the appropriate Registrar.


Nmap ("Network Mapper") is the de facto standard for network auditing/scanning. Nmap runs on both Linux and Windows. Nmap is available in both command line and GUI versions. For the sake of this document, we will only cover the command line.

  nmap -v -A
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80

Nmap has dozens of options available. Since this section is dealing with port scanning, we will focus on the commands required to perform this task. It is important to note that the commands utilized depend mainly on the time available and the number of hosts being scanned. The more hosts, or the less time, you have to perform this task, the less we will interrogate each host. This will become evident as we continue to discuss the options.

Based on the IP set being assessed, you would want to scan both the TCP and UDP ports across the range 1 to 65535. The command that will be utilized is as follows:

nmap -A -PN -sU -sS -T2 -v -p 1-65535 <client ip range>/<CIDR> or <Mask> -oA NMap_FULL_<client ip range>
nmap -A -PN -sU -sS -T2 -v -p 1-65535 -oA NMap_FULL_client

Starting Nmap 5.51 ( ) at 2011-04-22 22:27 Eastern Daylight Time

NSE: Loaded 57 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 22:27
Completed Parallel DNS resolution of 1 host. at 22:27, 0.10s elapsed
Initiating SYN Stealth Scan at 22:27
Scanning ( [65535 ports]
Discovered open port 80/tcp on

On large IP sets, those greater than 100 IP addresses, do not specify a port range. The command that will be utilized is as follows: 

nmap -A -O -PN <client ip range>/<CIDR> or <Mask> -oA NMap_<client ip range>
nmap -A -O -PN -oA NMap_client

Starting Nmap 5.51 ( ) at 2011-04-22 22:37 Eastern Daylight Time

Nmap scan report for (
Host is up (0.13s latency).
rDNS record for
Not shown: 999 filtered ports
80/tcp open  http    Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 2 disallowed entries
|_/click.php /ud.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: domain parking
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X (92%), OpenBSD 4.X (88%), FreeBSD 6.X (88%)
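The -oA option used above writes a greppable .gnmap file beside the normal .nmap and .xml output. As an added example (not from this page or the Nmap project), the following Python parser pulls the open ports out of that file into the structured record the scan document needs, and flags hosts exposing services outside an expected set; it runs on a constructed sample .gnmap file and assumes the hypothetical allowed-port set {80, 443}.

```python
import re
from collections import defaultdict

# Constructed sample of the greppable (.gnmap) file that "nmap -oA NMap_client"
# writes beside the .nmap and .xml files; addresses are documentation ranges.
SAMPLE_GNMAP = """\
# Nmap 5.51 scan initiated Fri Apr 22 22:37:00 2011 as: nmap -A -O -PN -oA NMap_client 192.0.2.0/29
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 80/open/tcp//http//Apache httpd 2.2.3 ((CentOS))/\tIgnored State: filtered (999)\tOS: Linux 2.6.X
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/closed/tcp//http///, 3306/open/tcp//mysql//MySQL 5.0.77/\tIgnored State: filtered (997)
# Nmap done at Fri Apr 22 22:38:10 2011 -- 8 IP addresses (2 hosts up) scanned in 70.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"rdns": ..., "ports": [(port, proto, service, version), ...]}},
    keeping only the ports nmap reported as open."""
    hosts = defaultdict(lambda: {"rdns": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, rdns, rest = m.groups()
        hosts[ip]["rdns"] = rdns
        # rest is tab-separated: "Status: Up" / "Ports: ..." / "Ignored State: ..." / "OS: ..."
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # one entry is port/state/proto/owner/service/rpcinfo/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                if state == "open":
                    hosts[ip]["ports"].append((int(port), proto, service, version.rstrip("/")))
    return dict(hosts)

def unexpected_exposure(hosts, allowed=frozenset({80, 443})):
    """Defender's review: open ports outside the services the hosts are meant to expose."""
    return sorted((ip, port, service) for ip, info in hosts.items()
                  for port, _proto, service, _ver in info["ports"] if port not in allowed)

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in scan.items():
        print(ip, info["rdns"] or "-", info["ports"])
    print("needs review:", unexpected_exposure(scan))
```

Point parse_gnmap at the contents of a real NMap_client.gnmap to get the same structure for an actual scan.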

Google Hacking