Information Gathering

Passive reconnaissance

➡️ Physical engagement / Social engineering

  • Location information like

    • satellite images

    • drone recon

    • building layout (badge readers, security, fencing, etc)

  • Job information

    • employees (name, job title, phone number, etc)

    • pictures (badge photos, desk photos, computer photos, etc)

➡️ Web / Host Assessment

  • target validation

    • whois, nslookup, dnsrecon

  • finding subdomains

    • Google, dig, nmap, crt.sh, etc

  • fingerprinting

    • nmap, wappalyzer, netcat, etc

  • data breaches

Target

โ— Always refer to a Bug Bounty program to find valid targets that can be legally tested

๐Ÿ”— Bugcrowd

  • Read the program details, follow the terms and stay in scope

  • Following test will be made on the *.tesla.com target


Discovering email addresses

  • The goal is to discover public email addresses and check whether they really exist

➡️ Hunter.io (free registration) - Find email addresses from any company name or website


➡️ Phonebook.cz (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain

➡️ VoilaNorbert

➡️ Clearbit Connect (Chrome extension)

➡️ EmailHippo Email address verify - Free email address verification tool

➡️ Email-checker


Breached credentials

➡️ HaveIBeenPwned - Check if your email address is in a data breach

➡️ breach-parse - A tool for parsing breached passwords

  • The BreachCompilation password list (a 44 GB file) is compiled from breached password dumps

Credential stuffing and Password spraying can be done using the results.

➡️ DeHashed.com (subscription) - public data search-engine

  • Hashed passwords or other data can be found

  • Collect all the data (email, username, IP, address, etc.) with the goal of finding patterns that could also be tied to personal accounts

  • Investigate further to tie the data to other accounts

  • Use tools to try to crack or look up the hashed password, like Hashes.com, Google, etc.


Hunting subdomains

Identify subdomains

➡️ Sublist3r (outdated) - enumerate subdomains of websites using OSINT

➡️ crt.sh - look for registered certificates and find subdomains or sub-subdomains


➡️ amass - in-depth attack surface mapping and asset discovery

amass enum -d tesla.com
amass enum -d syselement.com

➡️ httprobe - take a list of domains and probe for working (alive) http and https servers

➡️ assetfinder - find domains and subdomains related to a given domain


Screenshotting websites

➡️ gowitness - A golang, web screenshot utility using Chrome Headless


Website technologies

➡️ BuiltWith.com - find out what websites are built with


➡️ Wappalyzer.com - via browser extension

  • while visiting a webpage, open the browser extension to see the website technologies it detected

➡️ WhatWeb


Automated recon script

  • A small bash script for subdomain hunting

➡️ sumrecon - web recon script

  • TCM's modified final script

    • Creates a directory structure for reconnaissance under a given URL

    • Harvests subdomains using assetfinder

    • Filters valid subdomains and saves them to final.txt

    • Checks for live domains using httprobe

    • Identifies potential subdomain takeovers using subjack

    • Scans for open ports using nmap

    • Scrapes archived URLs from waybackurls

    • Extracts parameters from Wayback Machine data

    • Categorizes JavaScript, PHP, JSON, JSP, and ASPX files from Wayback Machine data

    • Removes temporary files to keep the structure clean

    • (Commented out) Could run amass for subdomain discovery and use EyeWitness for screenshots
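The steps listed above are easier to follow with the text-processing stages written out. The script below is an added example, not TCM's sumrecon script and not part of these notes: it implements the "filter valid subdomains", "extract parameters" and "categorize files" stages as POSIX shell functions that read the plain-text output assetfinder and waybackurls would produce. No network tool is invoked; the assetfinder and waybackurls output is constructed by hand, example.com stands in for a real target, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not the sumrecon script itself: the post-processing stages of a
# subdomain-hunting script as shell functions over the plain-text output that
# assetfinder and waybackurls print. No network tool is invoked here; the sample
# input at the bottom is constructed by hand.

# "Filter valid subdomains": assetfinder also returns related third-party names,
# so keep only hosts that end in the in-scope domain, drop wildcard prefixes and
# de-duplicate. Reads hostnames on stdin; prints what would go into final.txt.
filter_in_scope() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')          # escape dots for the regex
    sed 's/^\*\.//' | grep -E "(^|\\.)${esc}\$" | sort -u
}

# "Extract parameters": collect unique query-parameter names from archived URLs.
extract_params() {
    grep -o '?.*' | tr '?&' '\n\n' | sed -n 's/^\([^=]*\)=.*/\1/p' | sort -u
}

# "Categorize files": write one sorted file per interesting extension under $1,
# matching the extension at the end of the path (before any ?query).
categorize_urls() {
    outdir=$1
    tmp=$(mktemp)
    cat > "$tmp"
    mkdir -p "$outdir"
    for ext in js php json jsp aspx; do
        grep -Ei "\\.${ext}(\\?|\$)" "$tmp" | sort -u > "$outdir/$ext.txt" || true
    done
    rm -f "$tmp"
}

# Constructed stand-ins for `assetfinder example.com` and `waybackurls example.com`
# output (example.com is a placeholder target, not a real engagement).
sample_assetfinder() {
    printf '%s\n' \
        'www.example.com' \
        'api.example.com' \
        '*.dev.example.com' \
        'www.example.com' \
        'examplecdn.net' \
        'notexample.com' \
        'example.com.lookalike.org'
}

sample_wayback() {
    printf '%s\n' \
        'https://www.example.com/index.php?id=5&page=2' \
        'https://www.example.com/assets/app.js' \
        'https://www.example.com/assets/app.js?v=3' \
        'https://api.example.com/v1/users.json' \
        'https://www.example.com/legacy/login.jsp?lang=en' \
        'https://www.example.com/old/report.aspx' \
        'https://www.example.com/about'
}

# Offline dry run of the pipeline on the constructed data.
out=$(mktemp -d)
echo "in-scope subdomains:";  sample_assetfinder | filter_in_scope example.com
echo "parameter names:";      sample_wayback | extract_params
sample_wayback | categorize_urls "$out/wayback"
echo "categorized files:";    wc -l "$out"/wayback/*.txt
rm -rf "$out"
```

Run it as `sh recon_post.sh`; in a real script the two `sample_*` functions are replaced by the tool invocations and the live-host probing (httprobe) and port scanning (nmap) steps sit between the filter and the wayback stages. The in-scope filter anchors on a leading dot or line start so that look-alike names such as notexample.com are not kept as subdomains.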


Using Burp Suite

➡️ Burp Suite


Google Fu

➡️ Google.com


Social Media

  • LinkedIn, Twitter (X) or other public websites can be used for social media OSINT (Open-Source Intelligence).

