3.1 : Passive information gathering techniques

Basics

Passive information gathering is reconing targets info from the internet, without direct touchpoint, including the following assets:

• sub-domains
• emails
• features update
• system version
• social digital footprints
• domain name age
• history of change
• DNS records
• cred leaks

The key, is to identify possible attack surface.

public info & creds tree-passing

Google

• easy way to research somehow leaked credentials, panels, attack surfaces

  sub-domain enum

  site:google.com -"www.google.com"
  

  filetype

  site:google.com filetype:ppt
  

  intitle

  intitle:"admin panel" inurl:"/wp-admin"
  

  more
  https://www.exploit-db.com/google-hacking-database

sub-domain enum

Sublist3r

• Sub-domain enumeration

• using search engine to get sub-domains

  python3 sublist3r.py -d google.com -o output.txt
  

amass

• sub-domain enum solution built by Go
• its the fastest, most effecient solution
• can automate scan like this
  • got a-1.xxx.com , will auto scan a-2.xxx.com, a-3.. etc.
• get it on https://github.com/OWASP/Amass

rapid-7

• one of the best sub-domain enum
• https://nosec.org/home/detail/2241.html (Chinese)

Whois cli

• getting tired of google recaptcha? use cli version whois

  whois google.com
  

Email enum

theharvester

• Email enumeration

• using search engine to get emails

  theharvester -d cisco.com -b google >google.txt
  

features update

Web archive

• https://web.archive.org/web