Information Gathering
➡️ Physical engagement / Social engineering
Location information like
satellite images
drone recon
building layout (badge readers, security, fencing, etc)
Job information
employees (name, job title, phone number, etc)
pictures (badge photos, desk photos, computer photos, etc)
➡️ Web / Host Assessment
target validation: whois, nslookup, dnsrecon
finding subdomains: Google, dig, nmap, crt.sh, etc.
fingerprinting: nmap, wappalyzer, netcat, etc.
data breaches: Breach-Parse, WeLeakInfo, etc.
❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested.
Read the program details, follow the terms and stay in scope.
The following tests are run against the *.tesla.com target.
The goal is to discover public email addresses and check whether they really exist.
BreachCompilation password list (44GB): the file is compiled from breached password dumps.
Credential stuffing and password spraying can be done using the results.
Hashed passwords or other data can be found as well.
Collect all the data (email, username, IP, address, etc.) with the goal of finding patterns, which could also relate to personal accounts.
Investigate further to tie the data to other accounts, etc.
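As an added example (not Breach-Parse or any other tool linked on this page), the shell functions below do the parsing step of the breach workflow described above on a constructed dump in the common email:password line format: keep only rows for the target domain, de-duplicate them, split them into the e-mail, password and combo lists that stuffing and spraying tooling consumes, and count how many local parts follow a first.last naming convention. The sample rows, the domain example.com and the function names are all assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Breach-Parse: parse "email:password" breach rows for one
# domain. Every function reads stdin so the logic can be exercised offline.

# Keep rows whose e-mail is exactly at the target domain (case-insensitive).
# The domain is compared with an exact string match rather than a substring
# search, so lookalikes such as user@example.com.attacker.net are rejected.
# Only the e-mail is lower-cased; passwords are case-sensitive and kept verbatim.
breach_filter() {  # usage: breach_filter example.com < dump
    local dom
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -F: -v dom="$dom" '
        NF >= 2 {
            email = tolower($1)
            n = split(email, part, "@")
            if (n == 2 && part[1] != "" && part[2] == dom) {
                pw = $0; sub(/^[^:]*:/, "", pw)   # everything after the first colon
                print email ":" pw
            }
        }' | sort -u
}

# Split filtered rows into emails.txt, passwords.txt (most common first, which
# is the order a password spray should try them) and users_passwords.txt.
breach_split() {  # usage: breach_split outdir < filtered_rows
    local out=$1 rows
    rows=$(cat)
    mkdir -p "$out"
    printf '%s\n' "$rows" | cut -d: -f1 | sort -u > "$out/emails.txt"
    printf '%s\n' "$rows" | cut -d: -f2- | sort | uniq -c | sort -rn \
        | sed 's/^ *[0-9]* //' > "$out/passwords.txt"
    printf '%s\n' "$rows" > "$out/users_passwords.txt"
}

# Count local parts shaped like first.last versus a single token; the dominant
# shape tells you how to turn names found on LinkedIn or the company site into
# candidate addresses.
name_format() {  # stdin: e-mail list
    awk -F@ '{ if ($1 ~ /^[a-z]+\.[a-z]+$/) d++; else s++ }
             END { printf "dotted=%d single=%d\n", d + 0, s + 0 }'
}

# Constructed sample dump (not real data). Run: ./breach.sh example.com out/
SAMPLE_DUMP='John.Smith@example.com:Summer2023!
jsmith@example.com:Summer2023!
jane.doe@Example.COM:Winter2022
bob@other.org:hunter2
john.smith@example.com:Summer2023!
evil@example.com.attacker.net:pw'

if [ "$#" -ge 2 ]; then
    printf '%s\n' "$SAMPLE_DUMP" | breach_filter "$1" | breach_split "$2"
    name_format < "$2/emails.txt"
fi
```

On the sample above the filter keeps three rows (the two identical john.smith rows collapse, bob@other.org and the lookalike domain are dropped), passwords.txt lists Summer2023! first because it appears twice, and name_format reports two dotted addresses against one single-token one, so first.last is the convention to use when guessing further addresses.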
Identify subdomains.
While visiting a webpage, use the browser extension to check which technologies the website is built with.
A small bash script for subdomain hunting:
TCM's modified final script
Creates a directory structure for reconnaissance under a given URL
Harvests subdomains using assetfinder
Filters valid subdomains and saves them to final.txt
Checks for live domains using httprobe
Identifies potential subdomain takeovers using subjack
Scans for open ports using nmap
Scrapes archived URLs from waybackurls
Extracts parameters from Wayback Machine data
Categorizes JavaScript, PHP, JSON, JSP, and ASPX files from Wayback Machine data
Removes temporary files to keep the structure clean
(Commented out) Could run amass for subdomain discovery and EyeWitness for screenshots
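As an added example in the shape of the script described above (this is not TCM's script and not the page's own code), the bash below creates the recon directory tree, filters assetfinder output down to in-scope hosts, probes for live hosts, runs the takeover and port-scan steps, and pulls parameters and file-type buckets out of Wayback Machine URLs. The external tools (assetfinder, httprobe, subjack, nmap, waybackurls, and the commented-out amass and EyeWitness) are only called from main(); the text-processing helpers read stdin so they can be checked offline on constructed input. The SUBJACK_FINGERPRINTS variable, the directory names and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example modelled on the recon script described above; not TCM's code.
# External tools run only inside main(); the helpers below are pure text
# processing on stdin.

# Keep only hosts that are the target domain or a subdomain of it. assetfinder
# also returns related but out-of-scope names, and a bare substring match would
# accept example.com.attacker.net, so the pattern is anchored at the end.
filter_in_scope() {  # usage: filter_in_scope example.com < candidates
    local dom
    dom=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -E "(^|\\.)${dom}\$" | sort -u
}

# Pull parameter names out of archived URLs, one per line, de-duplicated.
extract_params() {  # stdin: URLs
    grep -o '?[^#]*' | tr '?&' '\n\n' | cut -d= -f1 | grep -v '^$' | sort -u
}

# Bucket archived URLs by file extension (js, php, json, jsp, aspx), one file
# per bucket under outdir. stdin is read once so every grep sees the full list.
categorize_urls() {  # usage: categorize_urls outdir < urls
    local out=$1 urls ext
    urls=$(cat)
    mkdir -p "$out"
    for ext in js php json jsp aspx; do
        printf '%s\n' "$urls" | grep -iE "\\.${ext}(\\?|\$)" > "$out/$ext.txt" || true
    done
}

main() {  # usage: main example.com
    local domain=$1 base="$1/recon"
    mkdir -p "$base/scans" "$base/httprobe" "$base/potential_takeovers" \
             "$base/wayback/params" "$base/wayback/extensions"

    assetfinder --subs-only "$domain" | filter_in_scope "$domain" > "$base/final.txt"
    httprobe < "$base/final.txt" | sed -E 's#^https?://##' | sort -u > "$base/httprobe/alive.txt"
    # Subdomain takeover: a CNAME left pointing at a deprovisioned SaaS/cloud resource.
    # SUBJACK_FINGERPRINTS is an assumed variable holding the path to subjack's fingerprints.json.
    subjack -w "$base/final.txt" -t 100 -timeout 30 -ssl -v 3 \
        -c "${SUBJACK_FINGERPRINTS:-fingerprints.json}" \
        -o "$base/potential_takeovers/takeovers.txt"
    nmap -iL "$base/httprobe/alive.txt" -T4 -oA "$base/scans/scanned"
    waybackurls < "$base/final.txt" | sort -u > "$base/wayback/wayback_output.txt"
    extract_params < "$base/wayback/wayback_output.txt" > "$base/wayback/params/wayback_params.txt"
    categorize_urls "$base/wayback/extensions" < "$base/wayback/wayback_output.txt"
    # Optional extras, left commented out as in the original script:
    # amass enum -d "$domain" -o "$base/amass.txt"
    # eyewitness --web -f "$base/httprobe/alive.txt" -d "$base/eyewitness"
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it as ./recon.sh tesla.com (or whichever in-scope root domain the program allows); the anchored filter in filter_in_scope is the line to keep in mind, since without it a host such as tesla.com.attacker.net would slip into final.txt and from there into the nmap target list.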
Check these additional resources:
🔗
➡️ (free registration) - Find email addresses from any company name or website
➡️ (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain
➡️
➡️ (Chrome extension)
➡️ - Free email address verification tool
➡️
➡️ - Check if your email address is in a data breach
➡️ - A tool for parsing breached passwords
➡️ (subscription) - public data search-engine
Use tools to try to crack or look up the hashed password, such as , Google, etc.
➡️ (outdated) - enumerate subdomains of websites using OSINT
➡️ - look for registered certificates and find subdomains or sub-subdomains
➡️ - in-depth attack surface mapping and asset discovery
➡️ - take a list of domains and probe for working (alive) http and https servers
➡️ - find domains and subdomains related to a given domain
➡️ - A golang, web screenshot utility using Chrome Headless
➡️ - find out what websites are built with
➡️ - via browser extension
➡️
➡️ - web recon script
The Bug Hunter's Methodology -
➡️
➡️
, or other public websites can be used for social media OSINT (Open-Source Intelligence).