Information Gathering

Passive reconnaissance

➡️ Physical engagement / Social engineering

  • Location information like

    • satellite images

    • drone recon

    • building layout (badge readers, security, fencing, etc)

  • Job information

    • employees (name, job title, phone number, etc)

    • pictures (badge photos, desk photos, computer photos, etc)

➡️ Web / Host Assessment

  • target validation

    • whois, nslookup, dnsrecon

  • finding subdomains

    • Google, dig, nmap, crt.sh, etc

  • fingerprinting

    • nmap, wappalyzer, netcat, etc

  • data breaches

Target

❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested

🔗 Bugcrowd

  • Read the program details, follow the terms and stay in scope

  • The following tests will be run against the *.tesla.com target


Discovering email addresses

  • The goal is to discover public email addresses and check whether they really exist

➡️ Hunter.io (free registration) - Find email addresses from any company name or website

➡️ Phonebook.cz (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain

➡️ VoilaNorbert

➡️ Clearbit Connect (Chrome extension)

➡️ EmailHippo Email address verify - Free email address verification tool

➡️ Email-checker


Breached credentials

➡️ HaveIBeenPwned - Check if your email address is in a data breach

➡️ breach-parse - A tool for parsing breached passwords

  • The BreachCompilation password list (a 44GB file) is built from breached password dumps

breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"

Credential stuffing and Password spraying can be done using the results.

➡️ DeHashed.com (subscription) - public data search-engine

  • Hashed passwords or other data can be found

  • Collect all the data (email, username, IP, address, etc) with the goal of finding patterns that could also be linked to personal accounts

  • Investigate to tie the data to other accounts, etc

  • Use tools to try to crack the hashed passwords, like Hashes.com, Google, etc


Hunting subdomains

Identify subdomains

➡️ Sublist3r (outdated) - enumerate subdomains of websites using OSINT

sudo apt install sublist3r
sublist3r -d tesla.com

sublist3r -d tesla.com -t 100 -v

➡️ crt.sh - look for registered certificates and find subdomains or sub-subdomains
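crt.sh can also return its results as JSON (output=json), where each certificate entry carries a name_value field with one or more names separated by newlines. The script below is an added example, not part of the original notes: it parses that JSON offline from a constructed sample, drops anything that is not under the in-scope domain (so a look-alike such as example.com.evil.test never lands in the target list), and keeps wildcard names apart, since *.dev.example.com proves a namespace exists but not a host. The resulting host list is in the one-hostname-per-line form httprobe expects.

```python
import json

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"id": 3, "common_name": "Shop.Example.com",          # mixed case, must dedupe
     "name_value": "Shop.Example.com\nshop.example.com"},
    {"id": 4, "common_name": "example.com.evil.test",     # look-alike, out of scope
     "name_value": "example.com.evil.test"},
    {"id": 5, "common_name": "mail.example.com",
     "name_value": "mail.example.com"},
])


def in_scope(host, scope_domain):
    """True only if host is scope_domain itself or a real subdomain of it."""
    return host == scope_domain or host.endswith("." + scope_domain)


def parse_crtsh(crtsh_json, scope_domain):
    """Split crt.sh JSON into (hostnames, wildcard_bases), both sorted and unique.

    Names are lower-cased and trailing dots removed before comparison.
    A wildcard entry '*.foo.example.com' is recorded as the base 'foo.example.com'
    in wildcard_bases rather than as a host, because the certificate does not
    show that any single host under it is actually live.
    """
    scope_domain = scope_domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            if not in_scope(name, scope_domain):
                continue            # stay in scope: skip unrelated names
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


def httprobe_input(hosts):
    """One hostname per line, the format piped into httprobe."""
    return "\n".join(hosts) + "\n"


if __name__ == "__main__":
    live_candidates, wild = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print(httprobe_input(live_candidates), end="")
    print("wildcard namespaces:", wild)
```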

➡️ amass - in-depth attack surface mapping and asset discovery

sudo apt install amass
amass enum -d tesla.com

amass enum -d syselement.com

➡️ httprobe - take a list of domains and probe for working (alive) http and https servers


Website technologies

➡️ BuiltWith.com - find out what websites are built with

➡️ Wappalyzer.com - via browser extension

  • While visiting the webpage, use the browser extension to check which technologies the website runs

➡️ WhatWeb

whatweb https://blog.syselement.com/

Using Burpsuite

➡️ Burp Suite


Google Fu

➡️ Google.com

site:tesla.com filetype:pdf

Social Media

  • LinkedIn, Twitter (X) or other public websites can be used for some social media OSINT (Open-Source Intelligence).
