search

Overview

Reconnaissance (information gathering) is the practice of applying passive/active methods of obtaining information about the target system before performing the attack.

Passive: Passive reconnaissance is what happens when you don’t communicate with the target.

Active: Active reconnaissance is the phase you apply when you are investigating your target. It involves communicating directly with the target.

hashtag
Location & job company information

Location information :

  • Satellite images

  • Drone recon

  • Building layout (badge readers, break areas, security, fencing)

Job information :

  • Employees (name, job title, phone number, manager, etc.)

  • Pictures (badge photos, desk photos, computer photos, etc.)

hashtag
Identifying the target

What is in / out of the scope ? Define it !

Target validation : WHOIS, nslookup, dnsrecon

hashtag
Email address gathering

Used to determine the email pattern.

https://hunter.io/searcharrow-up-right → need to be registered

Few features:

  • export to csv

  • view departments

  • view sources

hashtag
Gathering breached credentials with a website

LogoHave I Been Pwned: Check if your email address has been exposed in a data breachHave I Been Pwnedchevron-right
LogoIntelligence Xintelx.iochevron-right
LogoDeHashed — #FreeThePasswordwww.dehashed.comchevron-right

hashtag
Gathering breached credentials with Breach-Parse

https://github.com/hmaverickadams/breach-parsearrow-up-right

Download breached password list from magnet located here:

magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

If you don't store the password list (BreachCompilation) in /opt/breach-parse, specify the location like: ./breach-parse.sh @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"

Run ./breach-parse.sh for instructions

hashtag
Utilizing theHarvester

theHarvester --help

theHarvester -d <domain> -b google,linkedin

hashtag
Hunting subdomains

sublist3r --help

sublist3r -d <domain> Search for patterns, password reuse, idea of username etc.--> it can take some time

https://crt.sh/arrow-up-right --> %.<domain> (% = wildcard)

https://github.com/OWASP/Amassarrow-up-right

amass --help

typical parameters for DNS enumeration: amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com

check if the website is alive or not thanks to https://github.com/tomnomnom/httprobearrow-up-right --> need to install go first

hashtag
Identifying website technologies

https://builtwith.com/arrow-up-right

whatweb https://<website>

wappayzer extension

hashtag
Information gathering with Burp Suite

  • Intercept on --> check and modify data send

  • Target --> Site map to see requests on website properly

  • HTTP Request & Response

hashtag
Google fu

https://ahrefs.com/blog/google-advanced-search-operators/arrow-up-right

https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06arrow-up-right

site:<domain> -www (find all the websites which finish by <domain> and without www)

site:<domain> filetype:pdf

"research" --> Google will interpret everything in between these quotation marks as exact and only return the results of the exact phrase provided.

Some google dorking :

Term

Action

Example

filetype:

Search for a file by its extension (e.g. PDF)

cache:

View Google's Cached version of a specified URL

intitle:

The specified phrase MUST appear in the title of the page

intitle:index.of

hashtag
Utilizing social media

Use LinkedIn, twitter to get username, pictures, badges and so on

Extract employee names from companies using linkedin :

LogoGitHub - m8sec/CrossLinked: LinkedIn enumeration tool to extract valid employee names from an organization through search engine scrapingGitHubchevron-right

PreviousReconnaissanceNextEnumeration

Last updated