This document outlines the methodology and tools used during the reconnaissance, scanning, and enumeration phases of the engagement against itsecgames.com. All commands are included with their purpose and notes.
Target: http://www.itsecgames.com
Date: September 2025
Prepared by: Shubhankar Gupta
Structure of the Report: 👉 Structure.md
Final Report: 👉 Final Report.md
Attack Chain Flow:
- 🔍 WHOIS & DNS Discovery
- 🌐 Subdomain Enumeration
- 🗃️ Consolidation & Live Validation
- 🔐 SSL/TLS Analysis
- 🏗️ Technology Fingerprinting
- 🛡️ WAF Detection
- 📡 Header/Banner Inspection
- ⚙️ Port & Service Enumeration
- 📂 Web Directory & File Discovery
🔍 WHOIS & DNS Discovery
Commands:
whois itsecgames.com
dig itsecgames.com
dig -x 31.3.96.40
nslookup itsecgames.com
dig axfr itsecgames.com @ns53.domaincontrol.com
dig axfr itsecgames.com @ns54.domaincontrol.com
dnsrecon -d itsecgames.com -t axfr
host -l itsecgames.com ns53.domaincontrol.com
Purpose:
- Revealed registrar, hosting provider, IPs, and DNS records.
- Zone transfers (AXFR) were attempted against both authoritative nameservers; none succeeded.
- Basic DNS info gathered for further steps.
🌐 Subdomain Enumeration
Commands:
amass enum -passive -d itsecgames.com
amass enum -active -d itsecgames.com
amass enum -brute -d itsecgames.com
fierce --domain itsecgames.com
dnsrecon -d itsecgames.com -t brt
dnsrecon -d itsecgames.com -D /usr/share/wordlists/dns/subdomains-top1mil-5000.txt -t brt
dnsenum itsecgames.com
sublist3r -d itsecgames.com
subfinder -d itsecgames.com | httpx -silent -status-code -title -tech-detect | grep 200
Purpose:
- Multiple subdomains discovered across passive, active, and brute-force sources.
- httpx used to verify which subdomains are alive and to record status code, title, and detected technologies.
🗃️ Consolidation & Live Validation
Commands:
cat amass_passive.txt amass_active.txt subfinder.txt sublist3r.txt fierce.txt | sort -u > consolidated_subdomains.txt
grep -oE "([a-zA-Z0-9_-]+\.)+[a-zA-Z]{2,}" consolidated_subdomains.txt | sort -u > domains.txt
cat domains.txt | httpx -silent -status-code -title -tech-detect -o httpx_alive.txt
cat httpx_alive.txt | grep 200 > domain_200_code.txt
cut -d' ' -f1 domain_200_code.txt | cut -d/ -f3 > live_domains.txt
Purpose:
- Consolidated results into one clean domain list.
- Filtered for alive domains (200 OK).
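The consolidation and live-validation pipeline above, rewritten here as two reusable shell functions. This is an added example, not part of the original report; it assumes httpx was run with -status-code so that each line has the shape `https://host[:port][/path] [200] [Title] [Tech]`, and the sample lines in the test are constructed, not captured from the target. It generalizes the one-liners slightly: hostnames are lowercased before deduplication, and the status is checked as the whole `[200]` token rather than with `grep 200`, so a host is not kept merely because its title, port, or path happens to contain the digits 200.

```bash
#!/bin/sh
# Added example, not part of the original report: the consolidation and
# live-validation steps as reusable shell functions. Assumes httpx output of
# the form "https://host[:port][/path] [200] [Title] [Tech]".

# normalize_hosts: read raw tool output on stdin (amass, subfinder, sublist3r,
# fierce ...), keep only tokens that look like FQDNs, lowercase and dedupe.
# Usage: cat amass_passive.txt subfinder.txt | normalize_hosts > domains.txt
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | grep -oE '([a-z0-9_-]+\.)+[a-z]{2,}' \
    | sort -u
}

# live_hosts: read httpx output on stdin and print the bare hostname of every
# line whose status token is exactly [200]. Testing the second field instead
# of "grep 200" avoids keeping a host only because a title, port or path
# happens to contain the digits 200.
# Usage: live_hosts < httpx_alive.txt > live_domains.txt
live_hosts() {
  awk '$2 == "[200]" { print $1 }' \
    | sed -E 's#^[a-z]+://##; s#[:/].*$##' \
    | sort -u
}
```

Both functions read stdin and write stdout, so they drop straight into the report's existing `sort -u > file` pipeline.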
🔐 SSL/TLS Analysis
Commands:
echo | openssl s_client -connect itsecgames.com:443 -servername itsecgames.com | openssl x509 -noout -text
echo | openssl s_client -connect itsecgames.com:443 -servername itsecgames.com -status
Purpose:
- Valid SSL certificate (Let’s Encrypt).
- TLSv1.2 and TLSv1.3 supported.
- OCSP stapling available.
🏗️ Technology Fingerprinting
Commands:
whatweb http://www.itsecgames.com/
Purpose:
- Detected: Apache, PHP, HTML5.
🛡️ WAF Detection
Commands:
wafw00f http://www.itsecgames.com/
Purpose:
- No WAF detected (default Apache behavior).
📡 Header/Banner Inspection
Commands:
curl -I http://www.itsecgames.com/
nikto -h http://www.itsecgames.com/
nikto -h http://www.itsecgames.com/ -ssl
Purpose:
- Apache banner exposed.
- Missing security headers (HSTS, CSP, X-Frame-Options).
- Nikto flagged outdated server configuration.
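A small audit script for the header findings above, added here as an example and not taken from the original report. It reads a saved response header block (for instance `curl -sI http://www.itsecgames.com/ > headers.txt`), reports which of the protective headers the report names are absent, and extracts the Server banner. Header names are matched case-insensitively as HTTP requires, and the header block in the test is a constructed sample, not a capture from the target.

```bash
#!/bin/sh
# Added example, not from the original report: audit a saved response header
# block for the protective headers the report notes as missing, and pull out
# the Server banner. Matching is case-insensitive, as HTTP header names are.

# missing_security_headers: read raw response headers on stdin; print the
# name of each expected header that is absent, one per line, in this order.
# Usage: missing_security_headers < headers.txt
missing_security_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
  for h in strict-transport-security content-security-policy \
           x-frame-options x-content-type-options referrer-policy; do
    printf '%s\n' "$hdrs" | grep -q "^$h:" || printf '%s\n' "$h"
  done
}

# server_banner: print the Server header value, or nothing if the server
# sends none. A hardened Apache typically sets ServerTokens Prod so that only
# the product name appears, with no version string.
# Usage: server_banner < headers.txt
server_banner() {
  tr -d '\r' | grep -i '^server:' | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//'
}
```

Feeding the same header file to both functions gives the two facts the report records for this phase: the exposed banner and the list of missing headers.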
⚙️ Port & Service Enumeration
Commands:
sudo nmap -sS -p- -T4 -oN nmap_allports.txt www.itsecgames.com
sudo nmap -sC -sV -p- -O -oN nmap_versions_os.txt itsecgames.com
sudo nmap -sV -sC -p- -A -T4 -oN nmap_aggressive.txt itsecgames.com
Purpose:
- Discovered open ports and running services across the full TCP port range.
- OS fingerprinting enabled (-O; SYN scan and OS detection require root, hence sudo).
- Aggressive scan (-A) collected version, script, and traceroute details.
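To turn the nmap normal-format (-oN) files above into a service inventory for the report, here is a parser added as an example; it is not part of the original engagement files. It relies only on the `PORT STATE SERVICE VERSION` table that -oN writes per host, and the scan output in the test is a constructed sample (the ports and versions in it are placeholders, not findings from the target).

```bash
#!/bin/sh
# Added example, not from the original report: turn nmap's normal (-oN) output
# into a compact service inventory. The parser relies only on the
# "PORT STATE SERVICE VERSION" table that -oN writes for each host.

# open_services: read -oN output on stdin; print "port/proto service" for
# every port reported open, ignoring closed and filtered ports and the prose
# lines around the table.
# Usage: open_services < nmap_versions_os.txt
open_services() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# open_port_count: number of open ports in the -oN output on stdin.
# Usage: open_port_count < nmap_allports.txt
open_port_count() {
  open_services | wc -l | tr -d ' '
}
```

Running `open_services` over each -oN file gives a one-line-per-service list that can be pasted directly into the findings table, and `open_port_count` is a quick sanity check that the all-ports scan and the version scan agree.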
📂 Web Directory & File Discovery
Commands:
sudo gobuster dir -u http://www.itsecgames.com/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -s 200,301,302,403 --status-codes-blacklist "" -t 20 -to 20s 2>/dev/null
sudo ffuf -u http://itsecgames.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Purpose:
- Directories and hidden endpoints discovered.
- Useful for identifying attack surface.
Summary:
- Recon completed in a chained manner: Whois → DNS → Subdomains → Consolidation → SSL/TLS → Fingerprinting → WAF Detection → Headers → Nmap → Web Enumeration.
- Identified alive domains, services, banners, and missing security headers.
- Provides a strong baseline for the vulnerability assessment and exploitation phases.