Module 6 (Passive Info Gathering)
Website Recon (1/2)
About Us
contact (Emails. Social)
Support
Careers
Login
DON'T REMOVE ANY NOTES!!!
Website Recon (2/2)
Partners and thrid parties
Mergers and acquisitions , Partenships, thrid parites
what type of technologies and systems they use internslly
Agiliance Site
Job search sites
Linkedin - Indeed - Monster - Careerbuilder - Glassdoor - Simplyhired - DICE - Aglilance
User Information Gathering
Employee;s personal information such as:
pthone numbers , addresses , CV , opinions, responsibllities, project.
theHarvester
pipl.com
peoplefinders.com
theHarvester
theHarvester is used to gather open source intelligence (OSINT) on a company or domain.
Serach engines (1/2)
Google Hacking Data Base [GHDB]
The common operatros (ANDm OR, +, - , "")
[link:www.website.com]
[site:www.website.com]
[intext:www.website.com]
[cache:www.website.com]
[filetype:pdf] -filetype:html
Search Operators
Operator | Description | Syntax | Example |
---|---|---|---|
() | Group multiple terms or operators. Allows advanced expressions | (<term> or <operator>) | inurl:(html | php) |
* | Wildcard. Matches any word | <text> * <text> | How to * a computer |
"" | The given keyword has to match exactly. case-insensitive | "<keywords>" | "google" |
m..n / m...n | Search for a range of numbers. n should be greater than m | <number>..<number> | 1..100 |
- | Documents that match the operator are excluded. NOT-Operator | -<operator> | -site:youtube.com |
+ | Include documents that match the operator | +<operator> | +site:youtube.com |
| | Logical OR-Operator. Only one operator needs to match in order for the overall expression to match | <operator> | <operator> | "google" | "yahoo" |
~ | Search for synonyms of the given word. Not supported by Google | ~<word> | ~book |
@ | Perform a search only on the given social media platform. Rather use site | @<socialmedia> | |
after | Search for documents published / indexed after the given date | after:<yy(-mm-dd)> | after:2020-06-03 |
allintitle | Same as intitle but allows multiple keywords seperated by a space | allintitle:<keywords> | allintitle:dog cat |
allinurl | Same as inurl but allows multiple keywords seperated by a space | allinurl:<keywords> | allinurl:search com |
allintext | Same as intext but allows multiple keywords seperated by a space | allintext:<keywords> | allintext:math science university |
AROUND | Search for documents in which the first word is up to n words away from the second word and vice versa | <word1> AROUND(<n>) <word2> | google AROUND(10) good |
author | Search for articles written by the given author if applicable | author:<name> | author:Max |
before | Search for documents published / indexed before the given date | before:<yy(-mm-dd)> | before:2020-06-03 |
cache | Search on the cached version of the given website. Uses Google's cache to do so | cache:<domain> | cache:google.com |
contains | Search for documents that link to the given fileype. Not supported by Google | contains:<filetype> | contains:pdf |
date | Search for documents published within the past n months. Not supported by Google | date:<number> | date:3 |
define | Search for the definition of the given word | define:<word> | define:funny |
ext | Search for a specific filetype | ext:<documenttype> | ext:pdf |
filetype | Refer to ext | filetype:<documenttype> | filetype:pdf |
inanchor | Search for the given keyword in a website's anchors | inanchor:<keyword> | inanchor:security |
index of | Search for documents containing direct downloads | index of:<term> | index of:mp4 videos |
info | Search for information about a website | info:<domain> | info:google.com |
intext | Keyword needs to be in the text of the document | intext:<keyword> | intext:news |
intitle | Keyword needs to be in the title of the document | intitle:<keyword> | intitle:money |
inurl | Keyword needs to be in the URL of the document | inurl:<keyword> | inurl:sheet |
link / links | Search for documents whose links contain the given keyword. Useful for finding documents that link to a specific website | link:<keyword> | link:google |
location | Show documents based on the given location | location:<location> | location:USA |
numrange | Refer to m..n | numrange:<number>-<number> | numrange:1-100 |
OR | Refer to | | <operator> OR <operator> | "google" OR "yahoo" |
phonebook | Search for related phone numbers associated with the given name | phonebook:<name> | phonebook:"william smith" |
relate / related | Search for documents that are related to the given website | relate:<domain> | relate:google.com |
safesearch | Exclude adult content such as pornographic videos | safesearch:<keyword> | safesearch:sex |
source | Search on a specific news site. Rather use site | source:<news> | source:theguardian |
site | Search on the given site. Given argument might also be just a TLD such as com, net, etc | site:<domain> | site:google.com |
stock | Search for information about a market stock | stock:<stock> | stock:dax |
weather | Search for information about the weather of the given location | weather:<location> | weather:Miami |
FOCA (Fingerprinting Organizations with Collected Archives)
✔️ Requisites
Cached and archival sites
archive.org
Wayback script
Bing - Yahoo - Ask - Aol - Pandastats.net - Dogpile.com
Whois Enumeration
The owner of a domain name
IP address or range
Technical contacts
Expiration data of the domain
For Example
amass & Sublister
Classless inter-Domain Routing (CIDR)
Ex: 163.144.128.0/24
An Autonomous Systen Number (ASN)
Regional internet Registeries (RIRs) AFRINIC, aRIN, lACNIC
EX: 54115
find a List ASN numbers
amass intel -org <company name here>
Subdomian
amass enum --active -d <domian >
amass enum --passive -d <domain>
amass intel -asn <asn number here>
amass intel -cidr <0.0.0.0/15>
amass intel -whois -d <domian>
OR Using asnmap Fast
ASN to CIDR Lookup
ORG to CIDR Lookup
DNS to CIDR Lookup
IP to CIDR Lookup
ASN/DNS/IP/ORG input
JSON/CSV/TEXT output
STD IN/OUT support
Input | ASN | DNS | IP | ORG |
---|---|---|---|---|
Example |
|
|
|
Open-Source Code (1/2)
Manual
Github
"Company" password
"Company" secret
"Company" cerdentials
"Company" tocken
"Company" config
"Company" key
"Company" pass
"Company" login
"Company" ftp
"Company" ssh_auth_password
"Company" pwd
"Company" security_credentials #LDAB (AD)
"Company" connectionstring #Data base
"Company" JDBC #Data base
"Company" send_key,send_keys
Scripts:
Gitrob or Gitleaks
Shoden & censys.io
any device connected to internet
server - router - iot devices
Using Dorks
hostname: uber.com
Last updated