1 min read

In this article by Himanshu Sharma, author of the  Kali Linux – An Ethical Hacker’s Cookbook, we will cover the following recipes:

  • Getting a list of subdomains
  • Shodan honeyscore
  • Shodan plugins
  • Using Nmap to find open ports

(For more resources related to this topic, see here.)

In this article,we’ll dive a little deeper and look at other different tools available for gathering intel on our target. We’ll start by using some of the infamous tools of Kali Linux, such as Fierce.

Gathering information is a very crucial stage of performing a penetration test,as every step we take after this will totally be an outcome of all the information we gather during this stage. So it is very important that we gather as much information as possible before jumping into the exploitation stage.

Getting a list of subdomains

Not always do we have a situation where a client has defined a full detailed scope of what needs to be pentested. So, we will use the followingrecipes to gather as much information we can to perform a pentest.

How to do it…

We will see how to get a list of subdomains in the following ways:


We’ll start with jumping into Kali’s terminal and using the first and mostly widely used tool,Fierce.

  1. To launch Fierce,type fierce –h to see the help menu:
    fierce –dns host.com –threads 10

     Read Online Code Files Kali Linux - An Ethical Hacker

  2. To perform a subdomain scan, we use this command:

    fierce –dns host.com –threads 10


Dnsdumpster is a free project by HackerTarget to lookup subdomains. It relies on https://scans.io/ for its results.

It is pretty simply to use.We type the domain name we want the subdomains for and it will show us the results.

Using Shodan for fun and profit

Shodan is the world’s first search engine to search for devices connected on the Internet. It was launched in 2009 by John Matherly. Shodan can be used to lookup webcams, databases, industrial systems, videogames,and so on. Shodan mostly collects data on the most popular web services running, such as HTTP, HTTPS, MongoDB,and FTP.

Getting ready

To use Shodan, we will need to create an account.

How to do it…

  1. Open your browser and visit https://www.shodan.io:

  2. We begin by performing a simple search for FTP services running.To do this, we can use the following Shodan dorks:

  3. This search can be made more specific by specifying a particular country, organization,and so on:
    port:21 country:"IN" 

  4. We can now see all the FTP servers running in India.We can also see the servers that allow anonymous login and the version of FTP server they are running.
  5. Next, we’ll try the organization filter by typing the following:
    port:21 country:"IN"org:"BSNL"

Shodan has other tags aswell, which can be used to perform advanced searches:

net: To scan IP ranges

city: To filter by city

More details can be found at https://www.shodan.io/explore.

Shodan honeyscore

Shodan Honeyscore is another great project built in Python.It helps us figure out whether an IP address we have is a honeypot or a real system.

How to do it…

  1. To use Shodan Honeyscore, visit https://honeyscore.shodan.io/:

  2. Enter the IP address you want to check, and that’s it!

Shodan plugins

To make our lives even easier,Shodan has plugins for Chrome and Firefox that can be used to check for open ports for websites we visit on the go!

How to do it…

  1. Download and install the plugin from https://www.shodan.io/.
  2. Browse any website, and you will see that by clicking on the plugin,you can see the open ports.


Using Nmap to find open ports

Nmap, or Network Mapper, is a security scanner written by Gordon Lyon. It is used to find hosts and services in a network. It first came out in September 1997. Nmap has various features as well as scripts to perform various tests, such as finding the OS andservice version,and it can be used to brute force default logins too.

Some of the most common types of scan are as follows:

  • TCP connect()scan
  • SYN stealth scan
  • UDP scan
  • Ping scan
  • Idle scan

How to do it…

  1. Nmap comespre installed in Kali Linux. We can type the following command to start it and see all the options available:
    nmap –h

  2. To perform a basic scan,use the following command:
    nmap –sV –Pn x.x.x.x

    Kali Linux - An Ethical Hacker's Cookbook

  3. Here, –Pn implies that we do not check whether the host is up or not by performing a ping request first. The –sVparameter is to list all the running services on the found open ports.
  4. Another flag we can use is–A , which automatically performs OS detection, version detection, script scanning, and traceroute. The command is as follows:
    nmap –A –Pn x.x.x.x
  5. To scan an IP range or multiple IP’s, we can use this command:
    nmap –A –Pn x.x.x.0/24

Using scripts

NSE, or the Nmap scripting engine, allows users to create their own scripts to perform different tasks automatically. These scripts are executed side by side when a scan is run. They can be used to perform more effective version detection,exploitation of a vulnerability, and so on.The command for using a script is this:

nmap –Pn –sV host.com –script dns-brute

The following is the output of the preceding command:

Here,the dns-brutescript tries to fetch available subdomains by brute forcing it against a set of common subdomain names.

See also

  • More information on the scripts can be found in the official NSE documentation at https://nmap.org/nsedoc/


In this article, we learned how to get a list of subdomains on the network. Then we learned how to tell whether a system is a honeypot by calculating its Shodan Honeyscore. Chrome and Firefox have plugins that allow you to do this from your browser itself. Finally, we looked at how to use Nmap to find open ports.

Resources for Article:

Further resources on this subject:


Please enter your comment!
Please enter your name here