Tag: reconnaissance

OSINT

OSINT – Part 3

Information gathering types. Passive: during passive information gathering you never send any traffic directly to the target; passive gathering allows the greatest degree of anonymity. Active: during active information gathering you send requests to remote services and receive responses that depend on the service type. This method includes, but is not limited …

OSINT

OSINT – Github Dorks

GitHub search is a powerful feature and can be used to find sensitive data in repositories. This is a collection of GitHub dorks that can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. The list is intended for security assessment and penetration testing of systems. GitHub …
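As an added example (not from the post or the dork collection it describes), the Python below expresses a handful of hypothetical dorks both as GitHub code-search query fragments scoped to one organisation and as local filename/content patterns, so the same hunt can be run offline over a checked-out repository. The dork patterns, the `example-org` name and the sample repository contents are all constructed for illustration; the AWS key in the sample is the documented AWS example key, not a live credential.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Hypothetical dorks, each as (label, GitHub search fragment, filename glob, content regex).
# A real dork list is far longer; these are chosen only to show the two forms side by side.
DORKS: List[Tuple[str, str, str, str]] = [
    ("private key", 'extension:pem "BEGIN RSA PRIVATE KEY"',
     "*", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    ("dotenv file", "filename:.env",
     ".env", r"^[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|KEY)[A-Z0-9_]*="),
    ("AWS access key", '"AKIA" AWS_SECRET_ACCESS_KEY',
     "*", r"\bAKIA[0-9A-Z]{16}\b"),
    ("GitHub token", '"ghp_"',
     "*", r"\bghp_[A-Za-z0-9]{36}\b"),
    ("password in url", 'password "://"',
     "*", r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
]

# Constructed sample repository: {path: file content}. Not real data.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/.env": "DB_HOST=db.internal\nDB_PASSWORD=hunter2\n",
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    ".github/workflows/ci.yml": "token: " + "ghp_" + "x" * 36 + "\n",
    "config/database.yml": "url: postgres://app:s3cret@db.internal/app\n",
    "README.md": "Run `make deploy` to push.\n",
}


def github_queries(org: str) -> List[str]:
    """Turn each dork into a GitHub code-search query scoped to one organisation."""
    return [f"org:{org} {fragment}" for _, fragment, _, _ in DORKS]


def scan_tree(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Apply the local form of each dork to {path: content}.

    Returns sorted (label, path, line_number) tuples for every matching line.
    """
    findings: List[Tuple[str, str, int]] = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        for label, _, glob, pattern in DORKS:
            if not fnmatch.fnmatch(name, glob):
                continue  # filename dork does not apply to this file
            rx = re.compile(pattern)
            for lineno, line in enumerate(content.splitlines(), 1):
                if rx.search(line):
                    findings.append((label, path, lineno))
    return sorted(findings)


if __name__ == "__main__":
    for q in github_queries("example-org"):
        print("search:", q)
    for label, path, lineno in scan_tree(SAMPLE_REPO):
        print(f"{path}:{lineno}: {label}")
```

The GitHub queries are what you paste into code search; the local scan is the same idea run against a clone, which also catches hits in private repositories that GitHub search will not show you.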

OSINT

OSINT – Part 2

Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence. OSINT includes all publicly accessible sources of information, such as: – Media – Web-based …

OSINT

OSINT – Part 1

Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence. OSINT includes all publicly accessible sources of information, such as: – Media – Web-based …

Hacking, OSINT, Penetration Testing, Reconnaissance

Passive information gathering

Search engines: gather information from search engine results (Google, Bing, Yahoo); reverse IP lookup using Bing: IP:x.y.z.y. Social networking sites: gather information from Google+, LinkedIn, Instagram, Facebook and Twitter. Online databases: whois, shodan, netcraft, robtex, dnshistory. Online tools: mxtoolbox, domain tools, SSL Server …

NMAP

Common nmap commands during Pentest

1. Discover live hosts
nmap -n -sn -PE -oA live_hosts 192.168.1.0/24
2. Discover open TCP ports
nmap -sS -vv -p- -oA tcp_ports_65535 192.168.1.15
nmap -sS -vv -p- -Pn --reason --open -oA tcp_ports_65535 192.168.1.15
nmap …
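An added example, not from the post: once the port-discovery scan above has written its greppable `.gnmap` file via `-oA`, the Python below extracts the open TCP ports per host and builds the follow-up service scan limited to those ports. The `.gnmap` text is constructed to mirror nmap's greppable format, not a real scan; the `-sV -sC` follow-up and the `tcp_services` output prefix are my choice rather than the post's.

```python
import re
from typing import Dict, List

# Constructed sample of nmap greppable output (the .gnmap file from -oA). Not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -vv -p- -oA tcp_ports_65535 192.168.1.15
Host: 192.168.1.15 ()\tStatus: Up
Host: 192.168.1.15 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# One entry of the "Ports:" field: port/state/protocol//service///
# state is matched loosely because nmap also emits values like "open|filtered".
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)//([^/]*)///")


def parse_gnmap(text: str) -> Dict[str, List[int]]:
    """Return {host: sorted list of open TCP ports} from greppable nmap output."""
    open_ports: Dict[str, List[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, _service in PORT_RE.findall(field):
                if state == "open" and proto == "tcp":
                    open_ports[host].append(int(port))
    return {h: sorted(set(p)) for h, p in open_ports.items()}


def service_scan_command(host: str, ports: List[int], prefix: str = "tcp_services") -> str:
    """Build the follow-up version/script scan restricted to the ports already found."""
    if not ports:
        raise ValueError(f"no open ports recorded for {host}")
    port_list = ",".join(str(p) for p in ports)
    return f"nmap -sV -sC -p {port_list} -oA {prefix}_{host.replace('.', '_')} {host}"


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(service_scan_command(host, ports))
```

Restricting `-sV -sC` to the ports the full-range SYN scan already found keeps the noisier probes off closed ports and makes the second pass much faster than re-running `-p-`.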

Footprinting, Hacking, Penetration Testing, Reconnaissance

Public documents harvester

Metagoofil is a tool for conducting public document (pdf, doc, xls, ppt, etc.) reconnaissance during a pen test. This information is useful because it can yield e-mail addresses, usernames, people's names and so on for later use in brute-force password attacks (VPN, FTP, web apps). Metagoofil has the ability to search Google for specific types of files being publicly hosted on a …

Hacking

Automated basic digital reconnaissance

InstaRecon is an automated basic digital reconnaissance tool, great for getting an initial footprint of your targets and discovering additional subdomains. InstaRecon will do: DNS lookups (A, PTR, MX, NS) DNS lookups recursively on all hosts discovered Whois (on domain and IP) lookups Google dorks looking for subdomains and URLs Shodan lookups Reverse DNS lookups …

Footprinting, Penetration Testing, Reconnaissance

IPGeoLocation 1.5 released

IPGeoLocation is a tool to retrieve IP geolocation information from ip-api.com. Github Requirements: Python 3.x. Features: retrieve the geolocation of an IP or domain; run the program with no arguments to get the geolocation of your own IP; retrieve the geolocation of multiple IPs or domains loaded from a file, one target per line; define your own custom User-Agent string; proxy support. …

Footprinting, Reconnaissance

SSL Protocol Scanner – Reconnaissance

sslscan queries SSL/TLS-enabled services, such as HTTPS, to discover the cipher suites they support. The output includes the service's preferred ciphers and its certificate, and is available in text and XML formats. Usage: sslscan [Options] [host:port | host] Options: --targets=<file> A file containing a list of hosts to check. Hosts can …