Module 6 (Passive Info Gathering)


Last updated 11 months ago

Website Recon (1/2)

  • About Us

  • Contact (emails, social media)

  • Support

  • Careers

  • Login

DON'T REMOVE ANY NOTES!!!

Website Recon (2/2)

  • Partners and third parties

    • Mergers and acquisitions, partnerships, third parties

    • What types of technologies and systems they use internally

    • Site

  • Job search sites

    • LinkedIn - Indeed - Monster - CareerBuilder - Glassdoor - SimplyHired - DICE - Agiliance

User Information Gathering

  • Employees' personal information, such as:

    • phone numbers, addresses, CVs, opinions, responsibilities, projects.

  • theHarvester

  • pipl.com

  • peoplefinders.com

theHarvester

theHarvester is used to gather open source intelligence (OSINT) on a company or domain.

theHarvester -d <domain-name> -b all   # -b all queries every data source theHarvester supports

Search engines (1/2)

  • Google Hacking Database [GHDB]

  • The common operators (AND, OR, +, -, "")

  • [link:www.website.com]

  • [site:www.website.com]

  • [intext:www.website.com]

  • [cache:www.website.com]

  • [filetype:pdf] -filetype:html

Search Operators

Operator | Description | Syntax | Example
--- | --- | --- | ---
() | Group multiple terms or operators. Allows advanced expressions | (<term> or <operator>) | inurl:(html \| php)
* | Wildcard. Matches any word | <text> * <text> | How to * a computer
"" | The given keyword has to match exactly. Case-insensitive | "<keywords>" | "google"
m..n / m...n | Search for a range of numbers. n should be greater than m | <number>..<number> | 1..100
- | Documents that match the operator are excluded. NOT operator | -<operator> | -site:youtube.com
+ | Include documents that match the operator | +<operator> | +site:youtube.com
\| | Logical OR operator. Only one operator needs to match in order for the overall expression to match | <operator> \| <operator> | "google" \| "yahoo"
~ | Search for synonyms of the given word. Not supported by Google | ~<word> | ~book
@ | Perform a search only on the given social media platform. Rather use site | @<socialmedia> | @instagram
after | Search for documents published / indexed after the given date | after:<yy(-mm-dd)> | after:2020-06-03
allintitle | Same as intitle but allows multiple keywords separated by a space | allintitle:<keywords> | allintitle:dog cat
allinurl | Same as inurl but allows multiple keywords separated by a space | allinurl:<keywords> | allinurl:search com
allintext | Same as intext but allows multiple keywords separated by a space | allintext:<keywords> | allintext:math science university
AROUND | Search for documents in which the first word is up to n words away from the second word and vice versa | <word1> AROUND(<n>) <word2> | google AROUND(10) good
author | Search for articles written by the given author if applicable | author:<name> | author:Max
before | Search for documents published / indexed before the given date | before:<yy(-mm-dd)> | before:2020-06-03
cache | Search on the cached version of the given website. Uses Google's cache to do so | cache:<domain> | cache:google.com
contains | Search for documents that link to the given filetype. Not supported by Google | contains:<filetype> | contains:pdf
date | Search for documents published within the past n months. Not supported by Google | date:<number> | date:3
define | Search for the definition of the given word | define:<word> | define:funny
ext | Search for a specific filetype | ext:<documenttype> | ext:pdf
filetype | Refer to ext | filetype:<documenttype> | filetype:pdf
inanchor | Search for the given keyword in a website's anchors | inanchor:<keyword> | inanchor:security
index of | Search for documents containing direct downloads | index of:<term> | index of:mp4 videos
info | Search for information about a website | info:<domain> | info:google.com
intext | Keyword needs to be in the text of the document | intext:<keyword> | intext:news
intitle | Keyword needs to be in the title of the document | intitle:<keyword> | intitle:money
inurl | Keyword needs to be in the URL of the document | inurl:<keyword> | inurl:sheet
link / links | Search for documents whose links contain the given keyword. Useful for finding documents that link to a specific website | link:<keyword> | link:google
location | Show documents based on the given location | location:<location> | location:USA
numrange | Refer to m..n | numrange:<number>-<number> | numrange:1-100
OR | Refer to \| | <operator> OR <operator> | "google" OR "yahoo"
phonebook | Search for related phone numbers associated with the given name | phonebook:<name> | phonebook:"william smith"
relate / related | Search for documents that are related to the given website | relate:<domain> | relate:google.com
safesearch | Exclude adult content such as pornographic videos | safesearch:<keyword> | safesearch:sex
source | Search on a specific news site. Rather use site | source:<news> | source:theguardian
site | Search on the given site. Given argument might also be just a TLD such as com, net, etc. | site:<domain> | site:google.com
stock | Search for information about a market stock | stock:<stock> | stock:dax
weather | Search for information about the weather of the given location | weather:<location> | weather:Miami

FOCA (Fingerprinting Organizations with Collected Archives)

✔️ Requisites

  • Cached and archival sites

    • archive.org

    • Wayback script

Wayback script

git clone https://github.com/tomnomnom/waybackurls
cd waybackurls
go build -o waybackurls .            # build the binary from the module root
sudo cp waybackurls /usr/local/bin   # so waybackurls can be run from any directory on PATH

  • Bing - Yahoo - Ask - Aol - Pandastats.net - Dogpile.com

Whois Enumeration

  • The owner of a domain name

  • IP address or range

  • Technical contacts

  • Expiration date of the domain

For example:

whois <domain name>
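An added example, not part of these notes, that pulls the fields listed above (owner, contacts, name servers, expiry date) out of whois output and computes how many days the registration has left; the whois text is a constructed sample, not a real registry record, and the key names it parses are assumptions about the registry's output format.

```python
import re
from datetime import date, datetime

# Constructed sample of the kind of text `whois <domain>` prints (not a real registry record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, LLC
Registrant Organization: Example Corp
Registrant Country: US
Admin Email: hostmaster@example-corp.test
Tech Email: noc@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Registry Expiry Date: 2025-03-01T00:00:00Z
>>> Last update of WHOIS database: 2024-12-30T10:00:00Z <<<
"""

def parse_whois(text):
    """Collect 'Key: Value' lines; repeated keys such as Name Server become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$", line)
        if not m:
            continue  # banners, '>>>' footers and blank lines are skipped
        record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record

def whois_summary(text, today=None):
    """Return the fields the notes above list, plus days until the registration lapses.
    today is an ISO date string (YYYY-MM-DD); defaults to the current date."""
    rec = parse_whois(text)

    def first(key):
        return rec.get(key, [None])[0]

    expiry = first("registry expiry date")
    days_left = None
    if expiry:
        ref = datetime.strptime(today, "%Y-%m-%d").date() if today else date.today()
        days_left = (datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").date() - ref).days
    return {
        "domain": first("domain name"),
        "owner": first("registrant organization"),
        "registrar": first("registrar"),
        "contacts": sorted({v for k, vs in rec.items() if k.endswith("email") for v in vs}),
        "name_servers": [ns.lower() for ns in rec.get("name server", [])],
        "expiry": expiry,
        "days_until_expiry": days_left,
    }
```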

amass & Sublist3r

  • Classless Inter-Domain Routing (CIDR)

    • Ex: 163.144.128.0/24

  • Autonomous System Number (ASN)

    • Regional Internet Registries (RIRs): AFRINIC, ARIN, LACNIC

      • Ex: 54115

  • Find the list of ASNs belonging to an organisation

    • amass intel -org <company name here>

amass intel -org <company name>                        # ASNs registered to the organisation
curl -s http://ip-api.com/json/<ip> | jq -r '.["as"]'  # ASN announcing a single IP (ip-api JSON endpoint)

Subdomains

  • amass enum --active -d <domain>

  • amass enum --passive -d <domain>

  • amass intel -asn <asn number here>

  • amass intel -cidr <0.0.0.0/15>

  • amass intel -whois -d <domain>

Or use asnmap (fast):

  • ASN to CIDR Lookup

  • ORG to CIDR Lookup

  • DNS to CIDR Lookup

  • IP to CIDR Lookup

  • ASN/DNS/IP/ORG input

  • JSON/CSV/TEXT output

  • STD IN/OUT support

Input | Example
--- | ---
ASN | AS16509
DNS | example.com
IP |
ORG |

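An added example, not from these notes or from asnmap/amass, doing the ASN-to-CIDR and IP-to-CIDR lookups above offline against a constructed prefix table (documentation address ranges and private-use ASNs, so no real organisation is described); it uses longest-prefix match so the most specific block wins, which is what you want when checking whether an address really belongs to your own allocations.

```python
import ipaddress

# Constructed prefix table in the shape of asnmap / amass intel output: (ASN, CIDR, org).
# Documentation ranges (RFC 5737 / RFC 3849) and private-use ASNs, not real allocations.
PREFIX_TABLE = [
    ("AS64496", "203.0.113.0/24", "Example Corp"),
    ("AS64496", "2001:db8:1::/48", "Example Corp"),
    ("AS64497", "198.51.100.0/24", "Example Hosting"),
    ("AS64497", "198.51.100.128/25", "Example Hosting (customer block)"),
]

def build_table(rows):
    """Parse CIDR strings once; a malformed row is skipped instead of aborting the run."""
    table = []
    for asn, cidr, org in rows:
        try:
            table.append((asn, ipaddress.ip_network(cidr, strict=True), org))
        except ValueError:
            continue
    return table

def lookup_ip(ip, table):
    """IP -> CIDR/ASN: longest-prefix match, so the most specific containing block wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for asn, net, org in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (asn, net, org)
    if best is None:
        return None  # address is outside every known prefix
    return {"asn": best[0], "cidr": str(best[1]), "org": best[2]}

def cidrs_for_asn(asn, table):
    """ASN -> CIDR: collapse overlapping or adjacent prefixes (IPv4 and IPv6 separately)."""
    nets = [net for a, net, _ in table if a == asn]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out
```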

Open-Source Code (1/2)

  • Manual

    • Github

      • "Company" password

      • "Company" secret

      • "Company" cerdentials

      • "Company" tocken

      • "Company" config

      • "Company" key

      • "Company" pass

      • "Company" login

      • "Company" ftp

      • "Company" ssh_auth_password

      • "Company" pwd

      • "Company" security_credentials #LDAB (AD)

      • "Company" connectionstring #Data base

      • "Company" JDBC #Data base

      • "Company" send_key,send_keys

  • Scripts:

    • Gitrob or Gitleaks
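An added example, not from these notes and not Gitrob or Gitleaks themselves: a small scanner that applies the same keywords the GitHub dorks above use, run over a repository's own files before they are pushed, so a leaked credential is caught on the owner's side first. The config text is a constructed sample, and the placeholder list used to suppress false positives is an assumption.

```python
import re

# Keywords the dorks above search for; the scan looks for the same terms in assignments.
KEYWORDS = ("password", "passwd", "pwd", "secret", "token", "credentials",
            "security_credentials", "ssh_auth_password", "connectionstring")

# key = value  /  key: "value"  /  key => value ; the value runs to whitespace or a quote
ASSIGN_RE = re.compile(
    r"(?i)\b(?P<key>[\w.-]*(?:" + "|".join(KEYWORDS) + r")[\w.-]*)"
    r"\s*(?:=>|=|:)\s*['\"]?(?P<val>[^'\"\s,;]+)"
)

# Assumed set of values that are clearly templates rather than live secrets.
PLACEHOLDERS = {"", "changeme", "xxx", "todo", "null", "none", "example"}

def is_placeholder(value):
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("<", "${", "{{", "%("))

def redact(value):
    """Keep a short prefix only, so the finding report itself does not leak the secret."""
    return value[:3] + "*" * max(len(value) - 3, 0)

def scan_text(text, filename="<stdin>"):
    """Return findings as (filename, line_no, key, redacted_value) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            if is_placeholder(m.group("val")):
                continue  # template value, not a credential
            findings.append((filename, n, m.group("key"), redact(m.group("val"))))
    return findings

# Constructed sample config of the kind that ends up in a public repository.
SAMPLE = """\
DB_HOST=db.internal
DB_PASSWORD=s3cretpass
API_TOKEN="${API_TOKEN}"
ssh_auth_password: <fill-me>
spring.datasource.url=jdbc:mysql://db.internal:3306/app?user=app&password=hunter2
# password = changeme
"""
```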

Shodan & censys.io

  • Any device connected to the internet

    • servers, routers, IoT devices

  • Using dorks

    • hostname:uber.com
