# Information Gathering ## Passive reconnaissance ➡️ **Physical** engagement / **Social** engineering * **Location** information like * satellite images * drone recon * building layout (badge readers, security, fencing, etc) * **Job** information * employees (name, job title, phone number, etc) * pictures (badge photos, desk photos, computer photos, etc) ➡️ Web / Host Assessment * target validation * `whois`, `nslookup`, `dnsrecon` * finding subdomains * Google, `dig`, `nmap`, `crt.sh`, etc * fingerprinting * `nmap`, `wappalyzer`, `netcat`, etc * data breaches * [HaveIBeenPwned](https://haveibeenpwned.com/), Breach-Parse, WeLeakInfo ### Target > ❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested > > 🔗 [Bugcrowd](https://bugcrowd.com/engagements) > > * 🧪 `e.g.` - [Tesla](https://bugcrowd.com/tesla) * Read the **program details**, follow the terms and stay in scope * Following test will be made on the `*.tesla.com` target *** ## Discovering email addresses * The goal is discovering public email addresses and check if they really exist ➡️ [Hunter.io](https://hunter.io/domain-search) (free registration) - Find email addresses from any company name or website ![Hunter.io](/files/tfW56715rnsZqje8JMio) ➡️ [Phonebook.cz](https://phonebook.cz/) (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain ➡️ [VoilaNorbert](https://www.voilanorbert.com/) ➡️ [Clearbit Connect](https://clearbit.com/resources/tools/connect) (Chrome extension) ➡️ [EmailHippo Email address verifiy](https://tools.emailhippo.com/) - Free email address verification tool ➡️ [Email-checker](https://email-checker.net/) *** ## Breached credentials ➡️ [HaveIBeenPwned](https://haveibeenpwned.com/) - Check if your email address is in a data breach ➡️ [breach-parse](https://github.com/hmaverickadams/breach-parse) - A tool for parsing breached passwords * `BreachCompilation` password list (44GB) file comes from breached password dumps ```bash breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data" ``` **Credential stuffing** and **Password spraying** can be done using the results. ➡️ [DeHashed.com](https://dehashed.com/) (subscription) - public data search-engine * Hashed passwords or other data can be found * Collect all the data (email, username, IP, address, etc) with the goal to find patterns, that could be related to personal accounts too * Investigation to tie the data to other accounts, etc * Use tools to try to decrypt the hashed password, like [Hashes.com](https://hashes.com/en/decrypt/hash), Google, etc ![DeHashed.com](/files/1CjDFILv8YA4jBiVyJdU) *** ## Hunting subdomains Identify subdomains ➡️ [Sublist3r](https://github.com/aboul3la/Sublist3r) (outdated) - enumerate subdomains of websites using OSINT ```bash sudo apt install sublist3r ``` ```bash sublist3r -d tesla.com sublist3r -d tesla.com -t 100 -v ``` ➡️ [crt.sh](https://crt.sh/) - look for registered certificates and find subdomains or sub-subdomains ![crt.sh](/files/x6DkOZV6wFghtQ1GCa8L) ➡️ [amass](https://github.com/owasp-amass/amass) - in-depth attack surface mapping and asset discovery ```bash sudo apt install amass ``` ```bash amass enum -d tesla.com amass enum -d syselement.com ``` ![amass enum -d tesla.com](/files/BtJ50Urflw59AeJa4dK7) ![amass enum -d syselement.com](/files/Bgk0rhd6v1E8NPTc9zup) ➡️ [httprobe](https://github.com/tomnomnom/httprobe) - take a list of domains and probe for working (alive) http and https servers ```bash # Go is necessary (installed via pimpmykali.sh) go install github.com/tomnomnom/httprobe@latest # or on Kali sudo apt install httprobe ``` ```bash cat tesla.com/recon/final.txt | httprobe # Skip default probes, and use only https:443 probe cat tesla.com/recon/final.txt | httprobe -s -p https:443 # Strip only subdomains from the list cat tesla.com/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' ``` ➡️ [assetfinder](https://github.com/tomnomnom/assetfinder) - find domains and subdomains related to a given domain ```bash # Go is necessary (installed via pimpmykali.sh) go get -u github.com/tomnomnom/assetfinder # or on Kali sudo apt install assetfinder ``` ```bash assetfinder syselement.com assetfinder --subs-only tesla.com ``` *** ## Screenshotting websites ➡️ [gowitness](https://github.com/sensepost/gowitness) - A golang, web screenshot utility using Chrome Headless ```bash # Go is necessary (installed via pimpmykali.sh) go install github.com/sensepost/gowitness@latest # or on Kali sudo apt install gowitness ``` ```bash gowitness scan single --url "https://tesla.com" --write-db gowitness scan single --url "https://blog.syselement.com" ``` *** ## Website technologies ➡️ [BuiltWith.com](https://builtwith.com/) - find out what websites are built with ![BuiltWith.com](/files/MVJXUQIQOi0G5as0BJcx) ➡️ [Wappalyzer.com](https://www.wappalyzer.com/) - via browser extension * by visiting the webpage, interact with the browser extension to check the website technologies ![](/files/tLY600OgBxCfCbfPgl1I) ➡️ [WhatWeb](https://github.com/urbanadventurer/WhatWeb/) ```bash whatweb https://blog.syselement.com/ ``` ![](/files/BlLacqZm15VG1BNMAs92) *** ## Automated recon script * Little `bash` script for sub-domains hunting ```bash #!/bin/bash url=$1 if [ ! -d "$url" ]; then mkdir $url fi if [ ! -d "$url/recon" ]; then mkdir $url/recon fi # Assetfinder # echo "[+] Harvesting subdomains with assetfinder..." assetfinder $url >> $url/recon/assets.txt # get only subdomains containing $url cat $url/recon/assets.txt | grep $1 >> $url/recon/final.txt rm $url/recon/assets.txt # Amass # # echo "[+] Harvesting subdomains with amass..." # amass enum -d $url >> $url/recon/f.txt # sort -u $url/recon/f.txt >> $url/recon/final.txt # rm $url/recon/f.txt # httprobe # echo "[+] Probing for alive domains..." cat $url/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> $url/recon/alive.txt ### ``` ➡️ [sumrecon](https://github.com/Gr1mmie/sumrecon/blob/master/sumrecon.sh) - web recon script ```bash wget https://raw.githubusercontent.com/Gr1mmie/sumrecon/refs/heads/master/sumrecon.sh ``` * TCM's modified final script * **Creates a directory structure** for reconnaissance under a given URL * **Harvests subdomains** using `assetfinder` * **Filters valid subdomains** and saves them to `final.txt` * **Checks for live domains** using `httprobe` * **Identifies potential subdomain takeovers** using `subjack` * **Scans for open ports** using `nmap` * **Scrapes archived URLs** from `waybackurls` * **Extracts parameters** from Wayback Machine data * **Categorizes JavaScript, PHP, JSON, JSP, and ASPX files** from Wayback Machine data * **Removes temporary files** to keep the structure clean * (Commented out) **Could run `amass` for subdomain discovery** and **use `EyeWitness` for screenshots** ```bash # 0. Requirements sudo apt install amass assetfinder httprobe gowitness nmap subjack go install github.com/tomnomnom/waybackurls@latest # 1. Copy the code here https://pastebin.com/raw/MhE6zXVt to a new file # 2. Fix last 2 lines with gowitness and uncomment them # echo "[+] Running eyewitness against all compiled domains..." # gowitness scan file -f $url/recon/httprobe/alive.txt chmod +x finalrecon.sh ./finalrecon.sh syselement.com ``` > * Check those additional resources > * The Bug Hunter's Methodology - [The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix](https://www.youtube.com/watch?v=uKWu6yhnhbQ) > * [Nahamsec Recon Playlist](https://www.youtube.com/watch?v=MIujSpuDtFY\&list=PLKAaMVNxvLmAkqBkzFaOxqs3L66z2n8LA) *** ## Using Burpsuite ➡️ [Burp Suite](https://portswigger.net/burp/communitydownload) ![](/files/5bMZJkfoE0LAmjKEnbWK) *** ## Google Fu ➡️ [Google.com](https://www.google.com/) * [Google Search Syntax](https://www.google.com/search?client=firefox-b-e\&q=google+search+syntax) * [Google Search Operators: The Complete List (44 Advanced Operators)](https://ahrefs.com/blog/google-advanced-search-operators/) ```bash site:tesla.com filetype:pdf ``` *** ## Social Media * [Linkedin](https://www.linkedin.com/), [Twiter (X)](https://x.com/) or other public websites can be used for some social media OSINT (Open-Source Intelligence). *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.syselement.com/tcm/courses/peh/3-eth-hack/recon.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.