Overview

Reconnaissance (information gathering) is the practice of applying passive/active methods of obtaining information about the target system before performing the attack.

Passive: Passive reconnaissance is what happens when you don’t communicate with the target.

Active: Active reconnaissance is the phase you apply when you are investigating your target. It involves communicating directly with the target.

Location & job company information

Location information :

Satellite images
Drone recon
Building layout (badge readers, break areas, security, fencing)

Job information :

Employees (name, job title, phone number, manager, etc.)
Pictures (badge photos, desk photos, computer photos, etc.)

Identifying the target

What is in / out of the scope ? Define it !

Target validation : WHOIS, nslookup, dnsrecon

Email address gathering

Used to determine the email pattern.

→ need to be registered

Few features:

export to csv
view departments
view sources

Gathering breached credentials with a website

Have I Been Pwned: Check if your email has been compromised in a data breach

Intelligence X

DeHashed — #FreeThePassword

Gathering breached credentials with Breach-Parse

Download breached password list from magnet located here:

magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

If you don't store the password list (BreachCompilation) in /opt/breach-parse, specify the location like: ./breach-parse.sh @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"

Run ./breach-parse.sh for instructions

Utilizing theHarvester

theHarvester --help

theHarvester -d <domain> -b google,linkedin

Hunting subdomains

sublist3r --help

sublist3r -d <domain> Search for patterns, password reuse, idea of username etc.--> it can take some time

--> %.<domain> (% = wildcard)

amass --help

typical parameters for DNS enumeration: amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com

check if the website is alive or not thanks to --> need to install go first

Identifying website technologies

whatweb https://<website>

wappayzer extension

Information gathering with Burp Suite

Intercept on --> check and modify data send
Target --> Site map to see requests on website properly
HTTP Request & Response

Google fu

site:<domain> -www (find all the websites which finish by <domain> and without www)

site:<domain> filetype:pdf

"research" --> Google will interpret everything in between these quotation marks as exact and only return the results of the exact phrase provided.

Some google dorking :

Term

Action

Example

filetype:

Search for a file by its extension (e.g. PDF)

cache:

View Google's Cached version of a specified URL

intitle:

The specified phrase MUST appear in the title of the page

intitle:index.of

Use LinkedIn, twitter to get username, pictures, badges and so on

Extract employee names from companies using linkedin :

GitHub - m8sec/CrossLinked: LinkedIn enumeration tool to extract valid employee names from an organization through search engine scrapingGitHub

PreviousReconnaissance NextEnumeration

Last updated 4 years ago

Was this helpful?