
Passive Information Gathering (OSINT)

Index

Notes

  • Target validation
  • Search for email addresses of employees
    • What's the format? Does it change for founders, chief officers etc.?
  • Search for corporate social media accounts
  • Use whois
    • whois targetcorp.com
  • Google Dorking
    • Start searching for PHP files and directory listing
  • Search for any company acquisitions of the target
  • See also Content Discovery
  • See each section of this chapter

Tools

Target validation

  • Use WHOIS, nslookup and dnsrecon
  • searchdns.netcraft.com
    • Search for registration information and site technology entries
  • Recon-ng
    • marketplace search github                                      Search the marketplace for GitHub-related modules
      marketplace info recon/domains-hosts/google_site_web           Show information about a module
      marketplace install recon/domains-hosts/google_site_web        Install a module
      modules load recon/domains-hosts/google_site_web               Load a module
      info                                                           Show information about the loaded module
      options set SOURCE targetcorp.com                              Set the source option
      run                                                            Run the loaded module
      back                                                           Return to the default context
      show                                                           Show the results (hosts, companies, leaks, etc.)

    • Use recon/domains-hosts/google_site_web combined with recon/hosts-hosts/resolve
  • Passively search for information in open-source projects and online code repositories.
  • Shodan
    hostname:targetcorp.com                  Search for TargetCorp’s domain
    hostname:targetcorp.com port:22          Search for TargetCorp’s domain running SSH

  • Security Headers Scanner
  • SSL Server Test
  • DMARC Inspector
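What a DMARC inspector reports about a target's published policy, as an added example (not code from the original notes): parse the DMARC TXT record and flag the settings that leave the domain open to spoofing. The sample records are constructed and belong to no real domain.

```python
# Added example: evaluate a DMARC TXT record the way a DMARC inspector would,
# reporting how much protection the published policy actually gives.

# Constructed sample records (not taken from any real domain).
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "strong": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com",
    "broken": "p=reject; rua=mailto:dmarc@example.com",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the effective policy and a list of weaknesses found in the record."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag; receivers will ignore the record")
        return {"policy": None, "findings": findings}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    sub = tags.get("sp", policy)  # subdomain policy inherits p= when sp= is absent
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are collected")
    return {"policy": policy, "pct": pct, "subdomain_policy": sub, "findings": findings}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(record))
```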

User Information Gathering

Note: A company may only approve tests of its own systems. Personal devices, outside email, and social media accounts used by employees often do not come under this authorisation.

Email Harvesting

Verify email addresses

Social media tools

Data breaches

Malicious hackers frequently post stolen passwords on Pastebin or other less reputable websites. This is useful for generating wordlists.

Acquisitions

Search for any acquisitions by the target