Overview

Reconnaissance (information gathering) is the practice of using passive and active methods to collect information about the target before any attack is attempted. The more you know about the people, the infrastructure and the technologies in use, the better every later phase goes.

Passive: Passive reconnaissance gathers information without ever communicating with the target's systems (public records, search engines, certificate logs, social media), so it leaves nothing in the target's logs.

Active: Active reconnaissance is the phase where you investigate the target directly. It involves sending traffic to the target's systems (port scans, DNS brute forcing, crawling), so it can be logged and detected, and it must stay inside the agreed scope.

Location & company/job information

Location information :

  • Satellite images

  • Drone recon

  • Building layout (badge readers, break areas, security, fencing)

Job information :

  • Employees (name, job title, phone number, manager, etc.)

  • Pictures (badge photos, desk photos, computer photos, etc.)

Identifying the target

What is in and out of scope? Define it, in writing, before anything else.

Target validation: WHOIS, nslookup, dnsrecon --> confirm that every domain and IP range you intend to touch actually belongs to the client before you touch it.

Email address gathering

Used to determine the company's email address pattern (first.last@domain, flast@domain, and so on), which you then apply to the employee names you collect.

https://hunter.io/search → requires a registered account

Few features:

  • export to csv

  • view departments

  • view sources

Gathering breached credentials with a website

Gathering breached credentials with Breach-Parse

https://github.com/hmaverickadams/breach-parse

Download breached password list from magnet located here:

magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

If the password list (BreachCompilation) is not stored in /opt/breach-parse, pass its location as the third argument: ./breach-parse.sh @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"

Run ./breach-parse.sh without arguments for usage instructions. Grepping the full dump takes a while. Then go through the output for patterns: password reuse across accounts, the username format, and anything that looks like a corporate default.
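What to do with the output once breach-parse has produced it, as an added example (not part of the original notes and not the breach-parse tool itself): it reads lines in the email:password layout of the dump, keeps only the target domain, splits them into the users and passwords lists breach-parse writes, and then reports the two things worth looking for, password reuse across accounts and the structural patterns the passwords follow. The dump lines and the example.com domain are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the email:password layout of the BreachCompilation dump
# that breach-parse greps through. Made up for this example; no real accounts.
SAMPLE_DUMP = """\
alice.smith@example.com:Summer2019!
bob.jones@example.com:Summer2019!
carol.white@example.com:Welcome123
dave.brown@otherdomain.org:hunter2
carol.white@example.com:Welcome123
eve.black@example.com:Eve.black2020
this line is junk and has no separator
frank.green@example.com:Summer2019!
"""

# email, then ':' or ';' (both occur in the dump), then the rest of the line
LINE_RE = re.compile(r"^([^:;\s]+@[^:;\s]+)[:;](.*)$")
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{4}", re.I)
WORD_DIGITS = re.compile(r"^[A-Za-z]+\d+\W*$")


def parse_dump(text, domain):
    """Return (email, password) pairs for addresses at <domain>, like
    ./breach-parse.sh @<domain> does, but skipping malformed lines and exact
    duplicates (the dump repeats many entries)."""
    suffix = "@" + domain.lower()
    seen, pairs = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        if not email.endswith(suffix) or not password or (email, password) in seen:
            continue
        seen.add((email, password))
        pairs.append((email, password))
    return pairs


def split_users_passwords(pairs):
    """The <name>-users.txt / <name>-passwords.txt split that breach-parse produces."""
    return sorted({e for e, _ in pairs}), sorted({p for _, p in pairs})


def password_reuse(pairs):
    """Passwords shared by more than one account -> the accounts using them.
    A shared password usually means a default or a convention to try everywhere."""
    by_pw = defaultdict(set)
    for email, pw in pairs:
        by_pw[pw].add(email)
    return {pw: sorted(users) for pw, users in by_pw.items() if len(users) > 1}


def password_patterns(pairs):
    """Count simple structural patterns so you can build a targeted wordlist
    (Season+Year, Word+digits, local part of the address reused in the password)."""
    counts = {"season_year": 0, "word_digits": 0, "contains_name": 0}
    for email, pw in pairs:
        if SEASON_YEAR.match(pw):
            counts["season_year"] += 1
        if WORD_DIGITS.match(pw):
            counts["word_digits"] += 1
        name_parts = [p for p in re.split(r"[._-]", email.split("@")[0]) if p]
        if any(p in pw.lower() for p in name_parts):
            counts["contains_name"] += 1
    return counts


if __name__ == "__main__":
    pairs = parse_dump(SAMPLE_DUMP, "example.com")
    users, passwords = split_users_passwords(pairs)
    print(f"{len(users)} users, {len(passwords)} distinct passwords")
    for pw, accounts in password_reuse(pairs).items():
        print(f"reused: {pw!r} by {', '.join(accounts)}")
    print(password_patterns(pairs))
```

Run it against the real breach-parse output by replacing SAMPLE_DUMP with the contents of the file breach-parse wrote (gmail.txt in the notes above); the reuse report and the pattern counts are what feed a targeted password spray later on.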

Utilizing theHarvester

theHarvester --help

theHarvester -d <domain> -b google,linkedin

Hunting subdomains

sublist3r --help

sublist3r -d <domain> --> it can take some time

https://crt.sh/ --> search for %.<domain> (% is the wildcard): certificate transparency logs list every certificate issued for a name under the domain, which turns up subdomains that no DNS brute force finds

https://github.com/OWASP/Amass

amass --help

Typical parameters for DNS enumeration: amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com (flags differ between Amass versions, so check amass enum -h for yours)

Check which of the discovered hosts actually serve a website with https://github.com/tomnomnom/httprobe: it reads hostnames on stdin and prints the http:// and https:// URLs that answer --> written in Go, so install Go first
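The crt.sh step above returns JSON when you add output=json to the query; the following added example (not from the original notes) parses such a response into a clean, in-scope hostname list of the kind you would pipe into httprobe. The response body, the example.com domain and the evil.net host are constructed. Two details matter in practice: one certificate can carry several names in name_value (newline separated), and a naive "ends with example.com" check would accept example.com.evil.net, which is out of scope.

```python
import json
import urllib.parse
import urllib.request

# Constructed crt.sh response for the wildcard query %.example.com, trimmed to the
# fields used below. Real responses carry more fields (issuer_name, not_before, ...).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nMAIL.example.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com"},
    {"common_name": "example.com.evil.net", "name_value": "example.com.evil.net"},
    {"common_name": "legacy.example.com", "name_value": "legacy.example.com"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},
])


def in_scope(host, domain):
    """True only for <domain> itself or a real subdomain of it.

    A plain endswith/substring check would accept example.com.evil.net, which is
    exactly the kind of out-of-scope host you must not touch."""
    return host == domain or host.endswith("." + domain)


def parse_crtsh(json_text, domain):
    """Turn a crt.sh JSON response into sorted, deduplicated hostnames.

    name_value holds every SAN on the certificate, newline separated, so one
    record can yield several hosts. Wildcard names (*.x) are reported
    separately: the wildcard itself cannot be probed, but x is a sub-zone that
    exists and is worth brute forcing with amass."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for record in json.loads(json_text):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]
            if in_scope(name, domain):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


def fetch_crtsh(domain):
    """Live lookup (network required): the same query the crt.sh web form runs,
    with % URL-encoded as %25 by urlencode."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    # One hostname per line is exactly what httprobe expects on stdin:
    #   python3 crtsh_parse.py | httprobe
    print("\n".join(hosts))
    for w in wildcards:
        print(f"# wildcard cert seen: {w} (sub-zone worth brute forcing)")
```

Swap SAMPLE_CRTSH_JSON for fetch_crtsh("<domain>") to run it for real; crt.sh rate limits and sometimes times out on large domains, so save the raw JSON once and parse it offline.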

Identifying website technologies

https://builtwith.com/

whatweb https://<website>

Wappalyzer browser extension

Information gathering with Burp Suite

  • Proxy --> Intercept on: inspect and modify each request before it is sent to the server

  • Target --> Site map: every host and path Burp has seen, which gives a clean picture of the requests the site makes

  • HTTP request & response (Proxy --> HTTP history): review each request with its response; server headers, cookies and error messages reveal frameworks and versions

Google fu

https://ahrefs.com/blog/google-advanced-search-operators/

https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

site:<domain> -www (results from <domain> and its subdomains, minus those matching www; handy for spotting subdomains Google has indexed)

site:<domain> filetype:pdf (documents hosted on the domain; PDF metadata often leaks author names, usernames and software versions)

"research" --> Google treats everything between the quotation marks as an exact phrase and only returns pages containing that exact phrase.

Some Google dorking operators:

  Term        Action                                                      Example
  filetype:   Search for a file by its extension (e.g. PDF)               site:<domain> filetype:pdf
  cache:      View Google's cached version of a specified URL             cache:<url>
  intitle:    The specified phrase MUST appear in the title of the page   intitle:index.of

Note: Google retired the cache: operator in 2024, so expect it to return nothing; the Wayback Machine (web.archive.org) is the usual substitute for old copies of a page.

Utilizing social media

Use LinkedIn and Twitter to collect usernames, pictures, badges and so on.

Extract employee names from companies using LinkedIn:
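Once you have names (scraping LinkedIn itself is not shown here), this added example ties the step to the email address gathering section above: given a couple of addresses whose pattern hunter.io confirmed, it works out which local-part convention reproduces them and then applies that convention to the harvested names. It is not code from the original notes; the names, addresses and the example.com domain are constructed. The title stripping and accent folding handle the messy display names you actually get.

```python
import re
import unicodedata

# Constructed pairs: addresses you already know to be valid (hunter.io result,
# an email signature, a breach entry), with the display name they belong to.
KNOWN_EMAILS = [
    ("Alice Smith", "alice.smith@example.com"),
    ("Bob Jones", "bob.jones@example.com"),
]

# Constructed names the way LinkedIn actually shows them: titles, accents, hyphens,
# and a profile with only a first name that cannot be mapped.
LINKEDIN_NAMES = ["Carol White", "Dr. José Núñez", "Eve Black-Stone", "Frank"]

TITLES = {"dr", "mr", "mrs", "ms", "prof", "sir"}

# Local-part conventions seen in the wild; each takes (first, last) already normalized.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def normalize(display_name):
    """'Dr. José Núñez' -> ('jose', 'nunez'); None if there is no usable first+last."""
    folded = unicodedata.normalize("NFKD", display_name).encode("ascii", "ignore").decode()
    parts = [p for p in folded.split() if p.rstrip(".").lower() not in TITLES]
    if len(parts) < 2:
        return None
    first = re.sub(r"[^a-z]", "", parts[0].lower())
    last = re.sub(r"[^a-z]", "", parts[-1].lower())
    return (first, last) if first and last else None


def infer_pattern(known):
    """Name of the first convention that reproduces every known address, else None.
    Use at least two known pairs, otherwise first.last and first.l can be confused."""
    for name, fmt in PATTERNS.items():
        for display, email in known:
            parts = normalize(display)
            if parts is None or fmt(*parts) != email.split("@")[0].lower():
                break
        else:
            return name
    return None


def generate_emails(names, pattern, domain):
    """Apply a convention to harvested names. Unmappable names are returned
    separately so they get manual follow-up instead of being silently dropped."""
    fmt = PATTERNS[pattern]
    emails, skipped = [], []
    for n in names:
        parts = normalize(n)
        if parts is None:
            skipped.append(n)
        else:
            emails.append(f"{fmt(*parts)}@{domain}")
    return emails, skipped


if __name__ == "__main__":
    pattern = infer_pattern(KNOWN_EMAILS)
    emails, skipped = generate_emails(LINKEDIN_NAMES, pattern, "example.com")
    print(f"pattern: {pattern}")
    print("\n".join(emails))
    print("needs manual follow-up:", skipped)
```

The generated list is a candidate list, not a verified one: validate it (hunter.io's verifier, an SMTP RCPT check where the rules of engagement allow it) before using it for phishing or password spraying, since bouncing mail to dozens of non-existent addresses is noisy.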
