# Module 6 (Passive Info Gathering) ### Website Recon (1/2) * About Us * contact (Emails. Social) * Support * Careers * Login {% hint style="danger" %} **DON'T REMOVE ANY NOTES!!!** {% endhint %} ### Website Recon (2/2) * **Partners and thrid parties** * Mergers and acquisitions , Partenships, thrid parites * what type of technologies and systems they use internslly * [Agiliance](https://www.crunchbase.com/home) Site * **Job search sites** * Linkedin - Indeed - Monster - Careerbuilder - Glassdoor - Simplyhired - DICE - Aglilance ## User Information Gathering * Employee;s personal information such as: * pthone numbers , addresses , CV , opinions, responsibllities, project. * theHarvester * pipl.com * peoplefinders.com ### theHarvester theHarvester is used to gather open source intelligence (OSINT) on a company or domain. ```bash theHarvester -d -b all ``` *** ### Serach engines (1/2) * Google Hacking Data Base \[GHDB] * The common operatros (ANDm OR, +, - , "") * \[link:[www.website.com](http://www.website.com)] * \[site:[www.website.com](http://www.website.com)] * \[intext:[www.website.com](http://www.website.com)] * \[cache:[www.website.com](http://www.website.com)] * \[filetype:pdf] -filetype:html ### Search Operators | Operator | Description | Syntax | Example | | ---------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------ | --------------------------------- | | () | Group multiple terms or operators. Allows advanced expressions | (\ or \) | inurl:(html \| php) | | \* | Wildcard. Matches any word | \ \* \ | How to \* a computer | | "" | The given keyword has to match exactly. *case-insensitive* | "\" | "google" | | m..n / m...n | Search for a range of numbers. *n* should be greater than *m* | \..\ | 1..100 | | - | Documents that match the operator are excluded. *NOT*-Operator | -\ | -site:youtube.com | | + | Include documents that match the operator | +\ | +site:youtube.com | | \| | Logical *OR-Operator*. Only one operator needs to match in order for the overall expression to match | \ \| \ | "google" \| "yahoo" | | \~ | Search for synonyms of the given word. Not supported by Google | \~\ | \~book | | @ | Perform a search only on the given social media platform. Rather use **site** | @\ | @instagram | | after | Search for documents published / indexed after the given date | after:\ | after:2020-06-03 | | allintitle | Same as **intitle** but allows multiple keywords seperated by a space | allintitle:\ | allintitle:dog cat | | allinurl | Same as **inurl** but allows multiple keywords seperated by a space | allinurl:\ | allinurl:search com | | allintext | Same as **intext** but allows multiple keywords seperated by a space | allintext:\ | allintext:math science university | | AROUND | Search for documents in which the first word is up to *n* words away from the second word and vice versa | \ AROUND(\) \ | google AROUND(10) good | | author | Search for articles written by the given author if applicable | author:\ | author:Max | | before | Search for documents published / indexed before the given date | before:\ | before:2020-06-03 | | cache | Search on the cached version of the given website. Uses Google's cache to do so | cache:\ | cache:google.com | | contains | Search for documents that link to the given fileype. Not supported by Google | contains:\ | contains:pdf | | date | Search for documents published within the past *n* months. Not supported by Google | date:\ | date:3 | | define | Search for the definition of the given word | define:\ | define:funny | | ext | Search for a specific filetype | ext:\ | ext:pdf | | filetype | Refer to **ext** | filetype:\ | filetype:pdf | | inanchor | Search for the given keyword in a website's anchors | inanchor:\ | inanchor:security | | index of | Search for documents containing direct downloads | index of:\ | index of:mp4 videos | | info | Search for information about a website | info:\ | info:google.com | | intext | Keyword needs to be in the text of the document | intext:\ | intext:news | | intitle | Keyword needs to be in the title of the document | intitle:\ | intitle:money | | inurl | Keyword needs to be in the URL of the document | inurl:\ | inurl:sheet | | link / links | Search for documents whose links contain the given keyword. Useful for finding documents that link to a specific website | link:\ | link:google | | location | Show documents based on the given location | location:\ | location:USA | | numrange | Refer to **m..n** | numrange:\-\ | numrange:1-100 | | OR | Refer to **\|** | \ OR \ | "google" OR "yahoo" | | phonebook | Search for related phone numbers associated with the given name | phonebook:\ | phonebook:"william smith" | | relate / related | Search for documents that are related to the given website | relate:\ | relate:google.com | | safesearch | Exclude adult content such as pornographic videos | safesearch:\ | safesearch:sex | | source | Search on a specific news site. Rather use **site** | source:\ | source:theguardian | | site | Search on the given site. Given argument might also be just a TLD such as **com, net**, etc | site:\ | site:google.com | | stock | Search for information about a market stock | stock:\ | stock:dax | | weather | Search for information about the weather of the given location | weather:\ | weather:Miami |
## [FOCA](https://github.com/ElevenPaths/FOCA?tab=readme-ov-file) (Fingerprinting Organizations with Collected Archives)

### ✔️ Requisites

* **Cached and archival sites** * archive.org * Wayback script {% code title="Wayback script" overflow="wrap" %} ```bash git clone https://github.com/tomnomnom/waybackurls cd waybackurls go build main.go mv main waybackurls sudo cp waybackurls /usr/local/bin #run waybackurls in any PATH ``` {% endcode %} * **Bing - Yahoo - Ask - Aol - Pandastats.net - Dogpile.com** ## Whois Enumeration * The owner of a domain name * IP address or range * Technical contacts * Expiration data of the domain

**For Example** {% embed url="" %}

``` whois ``` ### amass & Sublister

* Classless inter-Domain Routing (CIDR) * Ex: 163.144.128.0/24 * An Autonomous Systen Number (ASN) * Regional internet Registeries (RIRs) AFRINIC, aRIN, lACNIC * EX: 54115 * find a List ASN numbers * amass intel -org \ ```bash amass intel -org ``` {% embed url="" %} ```bash curl -s http://ip-api.com/ | jq -r .as ```

**Subdomian** * amass enum --active -d \ * amass enum --passive -d \ * amass intel -asn \ * amass intel -cidr <0.0.0.0/15> * amass intel -whois -d \ OR Using asnmap Fast [**asnmap**](https://github.com/projectdiscovery/asnmap)

* **ASN to CIDR** Lookup * **ORG to CIDR** Lookup * **DNS to CIDR** Lookup * **IP to CIDR** Lookup * **ASN/DNS/IP/ORG** input * **JSON/CSV/TEXT** output * STD **IN/OUT** support

Input	ASN	DNS	IP	ORG
Example	`AS16509`	`example.com`	18.238.80.2	`Grab`

### Open-Source Code (1/2) * Manual * Github * "Company" password * "Company" secret * "Company" cerdentials * "Company" tocken * "Company" config * "Company" key * "Company" pass * "Company" login * "Company" ftp * "Company" ssh\_auth\_password * "Company" pwd * "Company" security\_credentials #LDAB (AD) * "Company" connectionstring #Data base * "Company" JDBC #Data base * "Company" send\_key,send\_keys * **Scripts**: * Gitrob or Gitleaks ### Shoden & censys.io * any device connected to internet * server - router - iot devices * Using Dorks * hostname: uber.com