Passive Reconnaissance

Scope of Work Examples

https://bugcrowd.com/

Location Information

  • Satellite Images

  • Drone recon

  • Building Layout (Badge readers, Break areas, Security, Fence)

Job Information

  • Employees (Name, Job title, Phone, Manager, ...)

  • Pictures (Badge photos, Desk photos, Computer photos, ...)

Web / Host

Target Validation

  • WHOIS

  • nslookup

  • DNSRecon

Find Subdomains

  • Google Fu

  • Dig

  • Nmap

  • Sublist3r

  • Bluto

  • crt.sh

Fingerprinting

  • Nmap

  • Wappalyzer

  • WhatWen

  • BuiltWith

  • Netcat

Data Breach

  • HaveIBeenPwned

  • Breach-Parse

  • WeLeakInfo

Email Gathering

Use https://hunter.io/search to gather a list of valid users, as well as the pattern! For example:

{first}@example.com {first}.{last}@example.com

This step is very useful for creating a user list for password spraying.

Gather Breached Passwords

Breach Parse

./breach-parse.sh @<domain> <output_file>

TheHarvaster

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.

This is a complete rewrite of the tool with new features like:

  • Time delays between request

  • All sources search

  • Virtual host verifier

  • Active enumeration (DNS enumeration, Reverse lookups, TLD expansion)

  • Integration with SHODAN computer database, to get the open ports and banners

  • Save to XML and HTML

  • Basic graph with stats

  • New sources

usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-g] [-p] [-s] [-v]
                    [-e DNS_SERVER] [-t DNS_TLD] [-n] [-c] [-f FILENAME]
                    [-b SOURCE]

theHarvester is used to gather open source intelligence (OSINT) on a company
or domain.

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        company name or domain to search
  -l LIMIT, --limit LIMIT
                        limit the number of search results, default=500
  -S START, --start START
                        start with result number X, default=0
  -g, --google-dork     use Google Dorks for Google search
  -p, --port-scan       scan the detected hosts and check for Takeovers
                        (21,22,80,443,8080)
  -s, --shodan          use Shodan to query discovered hosts
  -v, --virtual-host    verify host name via DNS resolution and search for
                        virtual hosts
  -e DNS_SERVER, --dns-server DNS_SERVER
                        DNS server to use for lookup
  -t DNS_TLD, --dns-tld DNS_TLD
                        perform a DNS TLD expansion discovery, default False
  -n, --dns-lookup      enable DNS server lookup, default False
  -c, --dns-brute       perform a DNS brute force on the domain
  -f FILENAME, --filename FILENAME
                        save the results to an HTML and/or XML file
  -b SOURCE, --source SOURCE
                        baidu, bing, bingapi, certspotter, crtsh, dnsdumpster,
                        dogpile, duckduckgo, github-code, google, hunter,
                        intelx, linkedin, linkedin_links, netcraft, otx,
                        securityTrails, spyse(disabled for now), threatcrowd,
                        trello, twitter, vhost, virustotal, yahoo, all

Hunting Subdomains

Sublist3r

To install:

apt install sublist3r

Usage:

sublist3r -d <domain>

crt.sh

Search for %.<domain>

OWASP Amass

The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques. The gathering technique used:

  • DNS: Basic enumeration, Brute forcing (optional), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (optional)

  • Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Dogpile, Exalead, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo

  • Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT

  • APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML

  • Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

Tomnomnom Httpprobe

  • Use this to probe a list of domains

Find Websites' Technology

Builtwith

Wappalyzer

Install as a browser add-on to display the technologies on the current web

WhatWeb

whatweb <website>

Burp Suite

Proxy, Intercept, and inspect the response

PreviousMisc Powershell PlaygroundNextActive Reconnaissance

Last updated