recon.md

File metadata and controls

182 lines (104 loc) · 4.86 KB

Information Gathering

Passive reconnaissance

➡️ Physical engagement / Social engineering

  • Location information like
    • satellite images
    • drone recon
    • building layout (badge readers, security, fencing, etc)
  • Job information
    • employees (name, job title, phone number, etc)
    • pictures (badge photos, desk photos, computer photos, etc)

➡️ Web / Host Assessment

  • target validation
    • whois, nslookup, dnsrecon
  • finding subdomains
    • Google, dig, nmap, crt.sh, etc
  • fingerprinting
    • nmap, wappalyzer, netcat, etc
  • data breaches

Target

❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested

🔗 Bugcrowd

  • Read the program details, follow the terms and stay in scope
  • The following tests are made against the *.tesla.com target

Discovering email addresses

  • The goal is to discover public email addresses and check whether they really exist

➡️ Hunter.io (free registration) - Find email addresses from any company name or website


➡️ Phonebook.cz (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain

➡️ VoilaNorbert

➡️ Clearbit Connect (Chrome extension)

➡️ EmailHippo Email address verify - Free email address verification tool

➡️ Email-checker


Breached credentials

➡️ HaveIBeenPwned - Check if your email address is in a data breach

➡️ breach-parse - A tool for parsing breached passwords

  • The BreachCompilation password list (a 44 GB file) comes from breached password dumps
breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"

Credential stuffing and Password spraying can be done using the results.

➡️ DeHashed.com (subscription) - public data search-engine

  • Hashed passwords or other data can be found
  • Collect all the data (email, username, IP, address, etc) with the goal of finding patterns that may also relate to personal accounts
  • Investigate further to tie the data to other accounts, etc
  • Use tools to try to crack the hashed passwords, like Hashes.com, Google, etc



Hunting subdomains

Identify subdomains

➡️ Sublist3r (outdated) - enumerate subdomains of websites using OSINT

sudo apt install sublist3r
sublist3r -d tesla.com

sublist3r -d tesla.com -t 100 -v

➡️ crt.sh - look for registered certificates and find subdomains or sub-subdomains

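An added example, not part of the original notes: crt.sh returns a JSON array when queried with `output=json`, and each record's `name_value` field can hold several certificate names separated by newlines, in mixed case, with trailing dots, and sometimes as wildcards. The script below parses that shape into a de-duplicated list of hostnames and, because the notes stress staying in scope, separates names that really belong under the target domain from look-alikes (`example.com.evil.test`, `example-com.test`) that a naive substring match would accept. The sample JSON is constructed for `example.com` and is not real certificate data.

```python
from __future__ import annotations

import json
import re

# Constructed sample in the shape of crt.sh's JSON output (not real data).
# "name_value" may contain several names separated by "\n" and wildcard entries.
SAMPLE_CRTSH_JSON = r"""
[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
   "name_value": "www.example.com\nexample.com", "not_before": "2024-01-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\napi.dev.example.com", "not_before": "2024-02-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.com",
   "name_value": "MAIL.example.com.\nmail.example.com", "not_before": "2023-12-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
   "name_value": "example.com.evil.test\nexample-com.test", "not_before": "2024-03-01T00:00:00"}
]
"""

# Syntactically valid DNS hostname: one or more labels, then an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(name: str, domain: str) -> bool:
    """True only if name is the target domain itself or a subdomain of it.

    Matching on ".<domain>" as a suffix rejects look-alikes such as
    "example.com.evil.test" or "notexample.com" that a plain substring test accepts.
    """
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def parse_crtsh(crtsh_json: str, domain: str) -> tuple[list[str], list[str]]:
    """Return (in_scope, out_of_scope): sorted, de-duplicated hostnames from crt.sh JSON.

    - splits multi-name "name_value" fields on newlines
    - normalises case and trailing dots
    - collapses wildcard entries (*.x.example.com) to their base name (x.example.com),
      which is the namespace the certificate proves exists
    - drops anything that is not a syntactically valid hostname
    """
    in_scope_names: set[str] = set()
    out_of_scope_names: set[str] = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or not HOSTNAME_RE.match(name):
                continue
            if in_scope(name, domain):
                in_scope_names.add(name)
            else:
                out_of_scope_names.add(name)
    return sorted(in_scope_names), sorted(out_of_scope_names)


if __name__ == "__main__":
    inside, outside = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("In scope:")
    for host in inside:
        print("  ", host)
    print("Out of scope (ignore):")
    for host in outside:
        print("  ", host)
```

The same parser works on a file saved from `https://crt.sh/?q=%25.<domain>&output=json`; feed its contents to `parse_crtsh` in place of the constructed sample, and pass the in-scope list on to a probe such as httprobe.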

➡️ amass - in-depth attack surface mapping and asset discovery

sudo apt install amass
amass enum -d tesla.com

amass enum -d syselement.com

➡️ httprobe - take a list of domains and probe for working (alive) http and https servers


Website technologies

➡️ BuiltWith.com - find out what websites are built with


➡️ Wappalyzer.com - via browser extension

  • While visiting a webpage, open the browser extension to check which technologies the website uses

➡️ WhatWeb

whatweb https://blog.syselement.com/


Using Burpsuite

➡️ Burp Suite


Google Fu

➡️ Google.com

site:tesla.com filetype:pdf

Social Media

  • LinkedIn, Twitter (X) or other public websites can be used for social media OSINT (Open-Source Intelligence).