Information Gathering
Passive reconnaissance
➡️ Physical engagement / Social engineering
Location information like
satellite images
drone recon
building layout (badge readers, security, fencing, etc)
Job information
employees (name, job title, phone number, etc)
pictures (badge photos, desk photos, computer photos, etc)
➡️ Web / Host Assessment
target validation
whois,nslookup,dnsrecon
finding subdomains
Google,
dig,nmap,crt.sh, etc
fingerprinting
nmap,wappalyzer,netcat, etc
data breaches
HaveIBeenPwned, Breach-Parse, WeLeakInfo
Target
❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested
🔗 Bugcrowd
🧪
e.g.- Tesla
Read the program details, follow the terms and stay in scope
Following test will be made on the
*.tesla.comtarget
Discovering email addresses
The goal is discovering public email addresses and check if they really exist
➡️ Hunter.io (free registration) - Find email addresses from any company name or website
➡️ Phonebook.cz (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain
➡️ VoilaNorbert
➡️ Clearbit Connect (Chrome extension)
➡️ EmailHippo Email address verifiy - Free email address verification tool
Breached credentials
➡️ HaveIBeenPwned - Check if your email address is in a data breach
➡️ breach-parse - A tool for parsing breached passwords
BreachCompilationpassword list (44GB) file comes from breached password dumps
Credential stuffing and Password spraying can be done using the results.
➡️ DeHashed.com (subscription) - public data search-engine
Hashed passwords or other data can be found
Collect all the data (email, username, IP, address, etc) with the goal to find patterns, that could be related to personal accounts too
Investigation to tie the data to other accounts, etc
Use tools to try to decrypt the hashed password, like Hashes.com, Google, etc
Hunting subdomains
Identify subdomains
➡️ Sublist3r (outdated) - enumerate subdomains of websites using OSINT
➡️ crt.sh - look for registered certificates and find subdomains or sub-subdomains
➡️ amass - in-depth attack surface mapping and asset discovery
➡️ httprobe - take a list of domains and probe for working (alive) http and https servers
➡️ assetfinder - find domains and subdomains related to a given domain
Screenshotting websites
➡️ gowitness - A golang, web screenshot utility using Chrome Headless
Website technologies
➡️ BuiltWith.com - find out what websites are built with
➡️ Wappalyzer.com - via browser extension
by visiting the webpage, interact with the browser extension to check the website technologies
➡️ WhatWeb
Automated recon script
Little
bashscript for sub-domains hunting
➡️ sumrecon - web recon script
TCM's modified final script
Creates a directory structure for reconnaissance under a given URL
Harvests subdomains using
assetfinderFilters valid subdomains and saves them to
final.txtChecks for live domains using
httprobeIdentifies potential subdomain takeovers using
subjackScans for open ports using
nmapScrapes archived URLs from
waybackurlsExtracts parameters from Wayback Machine data
Categorizes JavaScript, PHP, JSON, JSP, and ASPX files from Wayback Machine data
Removes temporary files to keep the structure clean
(Commented out) Could run
amassfor subdomain discovery and useEyeWitnessfor screenshots
Check those additional resources
The Bug Hunter's Methodology - The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix
Using Burpsuite
➡️ Burp Suite
Google Fu
➡️ Google.com
Social Media
Linkedin, Twiter (X) or other public websites can be used for some social media OSINT (Open-Source Intelligence).
Last updated
Was this helpful?
