- Target validation
- Search for email addresses of employees
- What's the format? Does it change for founders, chief officers etc.?
- Search for corporate social media accounts
- Use `whois`

```
whois targetcorp.com
```
- Google Dorking
- Start searching for PHP files and directory listing
- Search for any company acquisitions of the target
- See also Content Discovery
- See each section of this chapter
- Use `WHOIS`, `nslookup` and `dnsrecon`
- searchdns.netcraft.com
- Search for registration information and site technology entries
- Recon-ng

```
marketplace search github                                  # Search the Marketplace for GitHub modules
marketplace info recon/domains-hosts/google_site_web       # Get information on a module
marketplace install recon/domains-hosts/google_site_web    # Install a module
modules load recon/domains-hosts/google_site_web           # Load a module
info                                                       # Get info about the loaded module
options set SOURCE targetcorp.com                          # Set a source
run                                                        # Run the module
back                                                       # Get back to the default context
show                                                       # Show the results: hosts, companies, leaks etc.
```

- Use `recon/domains-hosts/google_site_web` combined with `recon/hosts-hosts/resolve`
- Passively search for information in open-source projects and online code repositories.
- Shodan

```
hostname:targetcorp.com              # Search for TargetCorp's domain
hostname:targetcorp.com port:'22'    # Search for TargetCorp's domain running SSH
```
- Security Headers Scanner
- SSL Server Test
- DMARC Inspector
Note: A company may only approve tests of its own systems. Personal devices, outside email, and social media accounts used by employees often do not come under this authorisation.
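As an added illustration of what a DMARC inspection actually checks, the following Python parses a DMARC TXT record offline and flags the weak settings a defender should fix. This is example code written for these notes, not part of any of the tools listed above; the records in `SAMPLE_RECORDS` and the `targetcorp.com` mailboxes in them are constructed.

```python
"""Parse and evaluate a DMARC TXT record offline (RFC 7489 tag=value syntax).

Added example for these notes; not code from any tool listed on this page.
Run it against the TXT record at _dmarc.<domain> that you fetched yourself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for illustration; the domain and mailboxes are made up.
SAMPLE_RECORDS = {
    "strict": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@targetcorp.com; pct=100; adkim=s; aspf=s",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:reports@targetcorp.com",
    "partial": "v=DMARC1; p=quarantine; pct=20",
    "broken": "p=reject; rua=mailto:dmarc@targetcorp.com",  # v= tag missing
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcResult:
    valid: bool                      # whether receivers would honour the record at all
    policy: Optional[str]            # p= policy for the organisational domain
    subdomain_policy: Optional[str]  # effective sp= policy (defaults to p=)
    pct: int                         # percentage of failing mail the policy applies to
    reporting: List[str]             # rua= aggregate report destinations
    findings: List[str] = field(default_factory=list)


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive, values are kept as-is."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # empty trailing segment or junk; receivers ignore it
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> DmarcResult:
    """Return the effective DMARC policy plus findings a defender would want to act on."""
    findings: List[str] = []
    tags = parse_tags(record)

    # v=DMARC1 must be the first tag, otherwise the record is not DMARC at all
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        findings.append("v=DMARC1 missing or not first: receivers ignore the record")
        return DmarcResult(False, None, None, 100, [], findings)

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("p= missing or invalid: receivers ignore the record")
        return DmarcResult(False, None, None, 100, [], findings)

    # sp= falls back to p= when absent or unparseable
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy not in VALID_POLICIES:
        findings.append(f"sp={subdomain_policy!r} invalid; treating subdomains as p={policy}")
        subdomain_policy = policy

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else -1
    if pct == -1:
        findings.append(f"pct={pct_raw!r} invalid; treating as 100")
        pct = 100

    reporting = [uri.strip() for uri in tags.get("rua", "").split(",") if uri.strip()]

    # Valid but weak configurations worth flagging
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail from the domain is still delivered")
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains are unprotected even though the main domain is")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if not reporting:
        findings.append("no rua= destination: aggregate reports are not being collected")

    return DmarcResult(True, policy, subdomain_policy, pct, reporting, findings)


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = evaluate_dmarc(rec)
        print(f"{name}: valid={result.valid} p={result.policy} sp={result.subdomain_policy} pct={result.pct}")
        for finding in result.findings:
            print("   -", finding)
```

The "broken" record shows why a DMARC inspector reports a record as absent even when the text looks right: without `v=DMARC1` as the first tag, receiving mail servers discard it entirely, so the domain has no policy at all.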
- theHarvester

```
theharvester -d targetcorp.com -b google    # -d specify target domain, -b set data source to search
```
- hunter.io
- Phonebook.cz
- voilanorbert.com
- Clearbit
Verify email addresses
Malicious hackers frequently post stolen passwords on Pastebin or other less reputable websites. This is useful for generating wordlists.
- An example: rockyou.txt
Search for any acquisitions by the target