Module 6 (Passive Info Gathering)
Website Recon (1/2)
About Us
Contact (emails, social media)
Support
Careers
Login
DON'T REMOVE ANY NOTES!!!
Website Recon (2/2)
Partners and third parties
Mergers and acquisitions, partnerships, third parties
What types of technologies and systems they use internally
Agiliance Site
Job search sites
LinkedIn - Indeed - Monster - CareerBuilder - Glassdoor - SimplyHired - Dice - Agiliance
User Information Gathering
Employees' personal information, such as:
phone numbers, addresses, CVs, opinions, responsibilities, projects.
theHarvester
pipl.com
peoplefinders.com
theHarvester
theHarvester is used to gather open source intelligence (OSINT) on a company or domain.
Search engines (1/2)
Google Hacking Database (GHDB)
The common operators (AND, OR, +, -, "")
[link:www.website.com]
[site:www.website.com]
[intext:www.website.com]
[cache:www.website.com]
[filetype:pdf] -filetype:html
Search Operators (operator: description. Syntax. Example)
(): Group multiple terms or operators; allows advanced expressions. Syntax: (<term> or <operator>). Example: inurl:(html | php)
*: Wildcard; matches any word. Syntax: <text> * <text>. Example: How to * a computer
"": The given keyword has to match exactly; case-insensitive. Syntax: "<keywords>". Example: "google"
m..n / m...n: Search for a range of numbers; n should be greater than m. Syntax: <number>..<number>. Example: 1..100
-: Documents that match the operator are excluded (NOT operator). Syntax: -<operator>. Example: -site:youtube.com
+: Include documents that match the operator. Syntax: +<operator>. Example: +site:youtube.com
|: Logical OR operator; only one operator needs to match for the overall expression to match. Syntax: <operator> | <operator>. Example: "google" | "yahoo"
~: Search for synonyms of the given word. Not supported by Google. Syntax: ~<word>. Example: ~book
@: Perform a search only on the given social media platform; rather use site. Syntax: @<socialmedia>
after: Search for documents published / indexed after the given date. Syntax: after:<yyyy(-mm-dd)>. Example: after:2020-06-03
allintitle: Same as intitle but allows multiple keywords separated by a space. Syntax: allintitle:<keywords>. Example: allintitle:dog cat
allinurl: Same as inurl but allows multiple keywords separated by a space. Syntax: allinurl:<keywords>. Example: allinurl:search com
allintext: Same as intext but allows multiple keywords separated by a space. Syntax: allintext:<keywords>. Example: allintext:math science university
AROUND: Search for documents in which the first word is up to n words away from the second word and vice versa. Syntax: <word1> AROUND(<n>) <word2>. Example: google AROUND(10) good
author: Search for articles written by the given author, if applicable. Syntax: author:<name>. Example: author:Max
before: Search for documents published / indexed before the given date. Syntax: before:<yyyy(-mm-dd)>. Example: before:2020-06-03
cache: Search the cached version of the given website; uses Google's cache to do so. Syntax: cache:<domain>. Example: cache:google.com
contains: Search for documents that link to the given filetype. Not supported by Google. Syntax: contains:<filetype>. Example: contains:pdf
date: Search for documents published within the past n months. Not supported by Google. Syntax: date:<number>. Example: date:3
define: Search for the definition of the given word. Syntax: define:<word>. Example: define:funny
ext: Search for a specific filetype. Syntax: ext:<documenttype>. Example: ext:pdf
filetype: Refer to ext. Syntax: filetype:<documenttype>. Example: filetype:pdf
inanchor: Search for the given keyword in a website's anchors. Syntax: inanchor:<keyword>. Example: inanchor:security
index of: Search for documents containing direct downloads. Syntax: index of:<term>. Example: index of:mp4 videos
info: Search for information about a website. Syntax: info:<domain>. Example: info:google.com
intext: Keyword needs to be in the text of the document. Syntax: intext:<keyword>. Example: intext:news
intitle: Keyword needs to be in the title of the document. Syntax: intitle:<keyword>. Example: intitle:money
inurl: Keyword needs to be in the URL of the document. Syntax: inurl:<keyword>. Example: inurl:sheet
link / links: Search for documents whose links contain the given keyword; useful for finding documents that link to a specific website. Syntax: link:<keyword>. Example: link:google
location: Show documents based on the given location. Syntax: location:<location>. Example: location:USA
numrange: Refer to m..n. Syntax: numrange:<number>-<number>. Example: numrange:1-100
OR: Refer to |. Syntax: <operator> OR <operator>. Example: "google" OR "yahoo"
phonebook: Search for phone numbers associated with the given name. Syntax: phonebook:<name>. Example: phonebook:"william smith"
relate / related: Search for documents that are related to the given website. Syntax: relate:<domain>. Example: relate:google.com
safesearch: Exclude adult content such as pornographic videos. Syntax: safesearch:<keyword>. Example: safesearch:sex
source: Search on a specific news site; rather use site. Syntax: source:<news>. Example: source:theguardian
site: Search on the given site; the argument may also be just a TLD such as com, net, etc. Syntax: site:<domain>. Example: site:google.com
stock: Search for information about a market stock. Syntax: stock:<stock>. Example: stock:dax
weather: Search for information about the weather at the given location. Syntax: weather:<location>. Example: weather:Miami
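An added example, not part of these notes or of Google's tooling: a small parser for the operator syntax above (quoted phrases, `-` negation, `op:(a | b)` groups, `m..n` ranges, `|`/OR connectors), useful when keeping a watch-list of queries to run against your own organisation's domains, flagging operators the table marks as unsupported by Google, and rejecting a range whose upper bound is not greater than its lower bound. The operator names and the "unsupported" set are taken from the table; everything else is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class DorkTerm:
    operator: Optional[str]        # "site", "filetype", "numrange", ...; None for a plain keyword
    values: List[str] = field(default_factory=list)
    negated: bool = False          # leading "-" (NOT operator)
    exact: bool = False            # quoted phrase, must match exactly

_TOKEN = re.compile(r'''
    (?P<neg>-)?                      # optional NOT prefix
    (?:(?P<op>[A-Za-z_]+):)?         # optional operator name followed by ":"
    (?: "(?P<quoted>[^"]*)"          # quoted phrase, may contain spaces
      | \((?P<group>[^)]*)\)         # parenthesised group such as (pdf | xlsx)
      | (?P<bare>\S+) )              # bare word
''', re.VERBOSE)
_RANGE = re.compile(r'^(\d+)\.{2,3}(\d+)$')   # m..n or m...n
UNSUPPORTED_BY_GOOGLE = {"contains", "date"}   # per the operator table

def parse_dork(query: str) -> List[DorkTerm]:
    """Tokenise a search-operator query into structured terms."""
    terms: List[DorkTerm] = []
    for m in _TOKEN.finditer(query):
        op = m.group("op").lower() if m.group("op") else None
        negated = m.group("neg") is not None
        if m.group("quoted") is not None:
            terms.append(DorkTerm(op, [m.group("quoted")], negated, exact=True))
        elif m.group("group") is not None:
            parts = re.split(r'\s*(?:\||\bOR\b)\s*', m.group("group"))
            terms.append(DorkTerm(op, [p for p in parts if p], negated))
        else:
            bare = m.group("bare")
            rng = _RANGE.match(bare)
            if op is None and rng:
                lo, hi = rng.groups()
                if int(hi) <= int(lo):          # table: n should be greater than m
                    raise ValueError(f"bad range {bare}: upper bound must exceed lower bound")
                terms.append(DorkTerm("numrange", [lo, hi], negated))
            elif op is None and bare in ("|", "OR", "AND"):
                terms.append(DorkTerm("connector", ["AND" if bare == "AND" else "OR"]))
            else:
                terms.append(DorkTerm(op, [bare], negated))
    return terms

def unsupported_operators(terms: List[DorkTerm]) -> List[str]:
    """Operators the table marks as not supported by Google (the query would silently degrade)."""
    return [t.operator for t in terms if t.operator in UNSUPPORTED_BY_GOOGLE]
```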
FOCA (Fingerprinting Organizations with Collected Archives)
✔️ Requisites
Cached and archival sites
archive.org
Wayback script
Bing - Yahoo - Ask - Aol - Pandastats.net - Dogpile.com
Whois Enumeration
The owner of a domain name
IP address or range
Technical contacts
Expiration date of the domain
For example:
amass & Sublist3r
Classless Inter-Domain Routing (CIDR)
Ex: 163.144.128.0/24
An Autonomous System Number (ASN)
Regional Internet Registries (RIRs): AFRINIC, ARIN, LACNIC
Ex: 54115
Find a list of ASN numbers:
amass intel -org <company name here>
Subdomains:
amass enum --active -d <domain>
amass enum --passive -d <domain>
amass intel -asn <asn number here>
amass intel -cidr <0.0.0.0/15>
amass intel -whois -d <domain>
Or use asnmap (fast):
ASN to CIDR Lookup
ORG to CIDR Lookup
DNS to CIDR Lookup
IP to CIDR Lookup
ASN/DNS/IP/ORG input
JSON/CSV/TEXT output
STDIN/STDOUT support
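An added example, not part of these notes or of amass/asnmap: once the ASN and CIDR lookups above have produced a list of prefixes, this loads them, attributes any IP (for instance one seen in your own logs) to the most specific prefix and its ASN/org, and collapses an ASN's prefixes into its de-duplicated footprint. The CSV shape `asn,org,cidr` and the org names are constructed here and are not the tool's actual output schema; the example prefix 163.144.128.0/24 and ASN 54115 are the ones from these notes.

```python
import csv
import io
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[ipaddress.IPv4Network, int, str]   # (network, asn, org)

# Constructed sample in an asn,org,cidr shape; not real asnmap/amass output.
SAMPLE_CSV = """asn,org,cidr
AS54115,EXAMPLE-ORG,163.144.0.0/15
54115,EXAMPLE-ORG,163.144.128.0/24
64496,OTHER-ORG,198.51.100.0/24
"""

def load_ranges(csv_text: str) -> List[Range]:
    """Parse rows into networks; strict=True rejects prefixes with host bits set (typos)."""
    ranges: List[Range] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asn = int(row["asn"].strip().upper().lstrip("AS"))     # accept "AS54115" or "54115"
        net = ipaddress.ip_network(row["cidr"].strip(), strict=True)
        ranges.append((net, asn, row["org"].strip()))
    return ranges

def lookup(ip: str, ranges: List[Range]) -> Optional[Range]:
    """Longest-prefix match: the most specific range containing ip, or None if unattributed."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in ranges if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def footprint(ranges: List[Range], asn: int) -> List[str]:
    """Collapsed prefixes announced by one ASN (nested /24s inside a /15 are folded in)."""
    nets = [r[0] for r in ranges if r[1] == asn]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_CSV)
    for ip in ("163.144.128.7", "163.145.1.1", "8.8.8.8"):
        print(ip, "->", lookup(ip, ranges))
    print("AS54115 footprint:", footprint(ranges, 54115))
```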
Open-Source Code (1/2)
Manual
GitHub
"Company" password
"Company" secret
"Company" credentials
"Company" token
"Company" config
"Company" key
"Company" pass
"Company" login
"Company" ftp
"Company" ssh_auth_password
"Company" pwd
"Company" security_credentials #LDAP (AD)
"Company" connectionstring #Database
"Company" JDBC #Database
"Company" send_key,send_keys
Scripts:
Gitrob or Gitleaks
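An added example, not part of these notes or of Gitrob/Gitleaks: the same keywords the dork list above searches for on GitHub (password, secret, credentials, token, key, pwd, ssh_auth_password, security_credentials, connectionstring, JDBC) turned into a pre-push check that flags hard-coded values in your own repository before they are ever indexed, skipping templated values and placeholders and masking what it reports. The sample config, the placeholder set and the length heuristic are constructed assumptions.

```python
import re
from typing import List, Tuple

# Keys taken from the dork list above; one regex catches key=value, key: value and key = "value".
_KEYS = r'(?:password|passwd|pwd|secret|credentials|token|api[_-]?key|ssh_auth_password|security_credentials|connectionstring)'
_ASSIGN = re.compile(rf'(?i)\b(?P<key>[a-z_.-]*{_KEYS}[a-z_.-]*)\s*[:=]\s*["\']?(?P<val>[^"\'\s;]+)')
_JDBC = re.compile(r'jdbc:[a-z]+://[^\s"\']+', re.I)        # connection strings often embed user:pass
_PLACEHOLDERS = {"changeme", "xxx", "none", "null", "true", "false", "<password>", "example"}

def mask(value: str) -> str:
    """Keep only the first and last two characters so the report never re-leaks the secret."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:] if len(value) > 4 else "*" * len(value)

def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, key, masked value) for each probable hard-coded secret."""
    findings: List[Tuple[str, int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _ASSIGN.finditer(line):
            val = m.group("val")
            # Skip templated values and obvious placeholders (heuristic, tune per repo).
            if val.lower() in _PLACEHOLDERS or val.startswith(("${", "%(", "{{")) or len(val) < 6:
                continue
            findings.append((path, lineno, m.group("key"), mask(val)))
        for m in _JDBC.finditer(line):
            findings.append((path, lineno, "jdbc_url", mask(m.group(0))))
    return findings

# Constructed sample config; the values are made up, not real credentials.
SAMPLE = """# constructed sample config (not real credentials)
DB_PASSWORD=S3cr3t-Value-42
password: changeme
api_key = "${API_KEY}"
spring.datasource.url=jdbc:postgresql://db.internal:5432/app
connectionstring=Server=db;Password=Abc123xyz;
"""

if __name__ == "__main__":
    for path, lineno, key, masked in scan_text("app.env", SAMPLE):
        print(f"{path}:{lineno}: {key} = {masked}")
```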
Shodan & censys.io
Any device connected to the internet
servers - routers - IoT devices
Using dorks
hostname: uber.com