Passive reconnaissance
Passive reconnaissance is the process of collecting information about an intended target covertly, without the target noticing that anything is happening. It is mostly done by searching for information about the target on the Internet (Google, LinkedIn, etc.) and by looking up metadata (e.g. domain registration records, via OSINT tools, etc.).
Sites for passive reconnaissance
- https://shodan.io
- https://censys.io
- https://pastebin.com
- https://gist.github.com/search
- https://sitereport.netcraft.com/
- https://hunter.io Email recon
- https://www.netdb.io/ IOT search engine
- https://securitytrails.com/dns-trails DNS subdomains recon
- https://securityheaders.com/ HTTP headers recon
- https://www.wigle.net/ Wi-Fi networks
- https://www.kitterman.com/spf/validate.html Validate SMTP SPF fields
- https://www.fraudmarc.com/dmarc-check Validate SMTP SPF/DMARC policies
- https://mxtoolbox.com/DMARC.aspx Validate SMTP SPF/DMARC policies
- https://dmarcian.com/dmarc-inspector/ Validate SMTP DMARC policy
- https://crt.sh Certificate Transparency Site
- Google Dorks
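What the SPF/DMARC validators listed above check, as an added example that is not part of the original page: a small Python parser over constructed SPF and DMARC TXT records (the domains and addresses in it are made up, standing in for a DNS lookup of a domain and its _dmarc subdomain) that flags the weak settings a validator would report.

```python
import re
# Constructed sample TXT records standing in for a DNS lookup of
# example.com and _dmarc.example.com (made-up, not real records).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_RE = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists)\b|redirect=", re.I)

def parse_spf(record):
    """Split an SPF TXT record into its terms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qual = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qual = m.group(1) or "+"   # a bare 'all' means pass
    return terms[1:], all_qual

def parse_dmarc(record):
    """Parse the 'tag=value;' pairs of a DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_record, dmarc_record):
    """Return the weaknesses an SPF/DMARC validator would report."""
    findings = []
    terms, all_qual = parse_spf(spf_record)
    if all_qual in ("+", "?"):
        findings.append("SPF: '%sall' does not fail unlisted senders" % all_qual)
    elif all_qual == "~":
        findings.append("SPF: softfail '~all' only marks, does not reject")
    elif all_qual is None:
        findings.append("SPF: no 'all' term, unlisted senders are neutral")
    if sum(1 for t in terms if LOOKUP_RE.match(t)) > 10:
        findings.append("SPF: more than 10 lookup terms, receivers permerror")
    tags = parse_dmarc(dmarc_record)
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors, nothing is rejected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are lost")
    return findings
```

Running assess(SAMPLE_SPF, SAMPLE_DMARC) on the constructed records reports the softfail '~all' and the monitoring-only p=none policy; a record set with '-all' and p=reject plus an rua address yields no findings.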
NIC databases:
- RIPE https://apps.db.ripe.net/db-web-ui/query
- ARIN http://whois.arin.net/ui/
- FCC https://www.fcc.gov/oet/ea/fccid
Commands
Direct lookup:
whois $DOMAIN
Reverse lookup:
whois $IP
Sniff network data (inside the target network):
wireshark
tcpdump -X -i $IFACE
Google hacks
"company|address" inurl:ip-address-lookup
"company|address" inurl:domaintools
OSINT Frameworks
- Maltego https://www.paterva.com/web7/downloads.php
- theHarvester https://gbhackers.com/theharvester-information-gathering-tool/
theHarvester -d $DOMAIN -l 300 -b google
Active reconnaissance
Commands to run from inside the network to find which hosts are up, before port scanning them to enumerate services (see Enumeration):
nmap -sn -PE $IP/24
netdiscover -r $IP/24
crackmapexec -t 100 $IP/24