DNS Records
Check site hosting
dig www.company.com +short
IP Ownership
whois 10.0.0.0
while read -r ip; do whois "$ip" > "whois_$ip.txt"; done < ips.txt
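Added example (not from the original notes): once the loop above has written one whois_<ip>.txt per address, this script condenses those files into a CSV of ip, range, netname and org so the address list can be grouped by owning organisation. It assumes ARIN-style (NetName/CIDR/OrgName) or RIPE-style (netname/inetnum/org-name, falling back to descr) key names; the sample whois text is constructed using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Summarise saved whois output (whois_<ip>.txt files) into CSV rows.
# First occurrence of each key wins; deeper reallocation blocks are ignored.

# whois_summary FILE IP -> prints "IP,RANGE,NETNAME,ORG"
whois_summary() {
    awk -v ip="$2" '
        /^[A-Za-z-]+:/ {
            key = tolower(substr($0, 1, index($0, ":") - 1))
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "netname" && net == "") net = val
            if ((key == "cidr" || key == "inetnum") && range == "") range = val
            if ((key == "orgname" || key == "org-name") && org == "") org = val
            if (key == "descr" && descr == "") descr = val
        }
        END {
            if (org == "") org = descr      # RIPE objects often carry only descr
            printf "%s,%s,%s,%s\n", ip, range, net, org
        }
    ' "$1"
}

# whois_report DIR -> CSV (with header) over every whois_<ip>.txt in DIR
whois_report() {
    echo "ip,range,netname,org"
    for f in "$1"/whois_*.txt; do
        ip=${f##*/whois_}; ip=${ip%.txt}     # recover the IP from the filename
        whois_summary "$f" "$ip"
    done
}

# --- constructed sample whois output (RFC 5737 documentation addresses) ---
WHOIS_DIR=$(mktemp -d)
cat > "$WHOIS_DIR/whois_192.0.2.10.txt" <<'EOF'
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Corp
EOF
cat > "$WHOIS_DIR/whois_198.51.100.7.txt" <<'EOF'
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-EU
descr:          Example Corp European office
EOF

whois_report "$WHOIS_DIR"
```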
DNScan https://github.com/rbsec/dnscan
./dnscan.py -d www.company.com -w subdomains-100.txt
dnscan.py -d dev-%%.example.org    (%% is replaced by each wordlist entry)
TODO:
- OWASP AMass
- Sn1per
- theHarvester
- Recon-ng 5
- Maltego
- Social Engineering Toolkit (SET)
- Nikto 2
- Spiderfoot
Active Endpoints
Endpoint mapping (e.g. administrative/admin interfaces)
Shodan https://www.shodan.io/
GHDB (Google Hacking Database)
Otherwise known as 'Google Dorking'.
Title Searching
**site:"linkedin.com" "companyname"** Return LinkedIn pages that mention the company name.
**intitle:** Find pages with a certain word in the title.
**intitle:apple** Return every page that contains the word "apple" in the title.
URL (Directory) Searching
**inurl:** Find pages with a certain word in the URL.
**inurl:apple** Return every page where "apple" appears in the URL.
Content (Page) Searching
**intext:** Find pages containing a certain word (or words) somewhere in the content.
**intext:apple** Return every page where "apple" appears in the body text.
Filetype Searching
**filetype:** Search for filetypes that Google understands.
**site:apple.com filetype:pdf** Return all PDFs on apple.com.
Other filetypes such as docx, pptx and xlsx also work. This could be combined with **intitle:report** to find all PDFs that have "report" in the name. Google does not understand all filetypes, so *inurl* could be used instead.
Timeframe Searching
**#..#:** Search for a range of numbers.
**site:apple.com filetype:pdf 2020..2022** Return all PDFs on apple.com which contain a number in the range 2020 to 2022 (i.e. 2020, 2021 or 2022).
Useful for finding information constrained to a given timeframe.
Exclusion Searching
**site:apple.com -www -support** Return pages indexed on apple.com, excluding results matching _www_ and _support_ (i.e. those subdomains).
Excluding a term this way is useful for surfacing other subdomains.
Phases
Organisational
- Employees (Name/Role/Skills)
- Organisational Structure (C-Level targets)
- Site Locations (Physical)
- Business Relations (Supply chain vectors)
Technical
- Public-facing sites
- Mail Servers
- Remote Access Solutions
- Defensive Vendor Products (FW, Email Gateways, Proxies, Antivirus)
Types
Passive
- Google (GHDB)
- Shodan
- Censys
- Wigle
- 192.com
- Facebook
- Twitter
- LinkedIn
- MySpace
- Instagram
- Organisation/Company website
- WayBackMachine
Active
- Port scanning
- Website crawling
- Endpoint interaction (e.g. admin interface)
- Documents (exiftool, pdfinfo)
- Leaks (h8mail)
Tools
- Spiderfoot
- Recon-NG
- theHarvester
- CeWL
- linbips
Cloud
Azure
MailSniper https://github.com/dafthack/MailSniper O365 Discovery
Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Spring2021 -OutFile gal.txt
Invoke-PasswordSprayO365 -Email user@domain.com -Password Password123
IP rotation thing? Need notes on this
Surface Mapping Tools
DNS/Subdomain Enumeration:
# dnscan
./dnscan.py -d example.com -w subdomains.txt
OWASP Amass (Enumeration & Mapping):
amass enum -d example.com -o amass.txt
Sn1per (Comprehensive Scanner):
sniper -d example.com
theHarvester (Emails, Users, Hosts):
theHarvester -d example.com -b linkedin
Recon-ng Framework:
recon-ng
# Modules:
# marketplace install all
# workspaces create example
User Identification
- Hunter.io: Identify emails and domain naming conventions.
- namemash.py: Generate email combinations.
Note
Lots more to add in here