Social Media: Gathers personal and organizational information for social engineering and intelligence.
Examples:
LinkedIn: Identifying key employees, organizational structure, and technology stack used.
Facebook/Twitter: Gathering personal information, behaviors, and affiliations.
Importance: Provides insights into potential targets, their roles, and publicly shared information that can be leveraged in social engineering attacks.
Job Boards: Identifies technologies and potential vulnerabilities based on job postings.
Examples:
Indeed/Glassdoor: Reviewing job listings to find out what technologies and skills are sought by the target organization.
Importance: Reveals information about the organization’s IT environment, security tools, and potential vulnerabilities based on required skills.
Scan Code Repositories: Searches for sensitive information and code vulnerabilities in public repositories.
Examples:
GitHub/GitLab: Searching for exposed credentials, API keys, or sensitive configuration files.
Importance: Uncovers potentially exploitable information and code vulnerabilities that can be used in an attack.
Domain Name System (DNS):
DNS Lookups: Retrieves domain configuration details.
Example: Using nslookup or dig to retrieve A, MX, and CNAME records.
Reverse DNS Lookups: Maps IP addresses to domain names.
Example: Using host command to find domains pointing to an IP address.
Importance: Helps map out the target’s network structure and identify potential entry points.
Cached Pages: Accesses historical web page versions to find removed or altered information.
Examples:
Wayback Machine: Viewing archived versions of a website to find old, possibly insecure configurations or sensitive information.
Importance: Provides access to information that has been removed or altered, which can be valuable in understanding historical security practices and changes.
Cryptographic Flaws: Identifies weaknesses in encryption implementations.
Examples:
SSL/TLS Analysis: Using tools like SSL Labs to assess the security of a website’s SSL/TLS configuration.
Importance: Detects vulnerabilities in encryption that could be exploited to intercept or manipulate data.
Password Dumps: Uses leaked credentials to find potential entry points.
Examples:
Have I Been Pwned: Checking if the target’s email addresses have been compromised in data breaches.
Importance: Provides potential entry points if reused or weak passwords are found in the dumps.
Purpose: To gather information about a target network, identifying its structure, devices, services, and potential vulnerabilities. This information is crucial for planning and executing further penetration testing activities.
Network Scanning
Purpose: Identifies active devices, open ports, and services.
Tools: Nmap, Angry IP Scanner.
Examples: Scanning a subnet to identify all active hosts.
Ping Sweeps
Purpose: Discovers active devices using ICMP echo requests.
Tools: Fping, Nmap.
Examples: Using fping to ping all devices in a subnet.
Port Scanning
Purpose: Identifies open ports and running services.
Tools: Nmap, Masscan.
Examples: Performing a SYN scan to identify open ports.
OS Fingerprinting
Purpose: Determines the operating system of a target device.
Tools: Nmap, Xprobe2.
Examples: Using Nmap’s OS detection feature.
Service Enumeration
Purpose: Gathers detailed information about services on open ports.
Tools: Nmap, Netcat.
Examples: Identifying the version of a web server running on port 80.
Network Mapping
Purpose: Creates a visual representation of the network topology.
Tools: Nmap with Zenmap, SolarWinds Network Topology Mapper.
Examples: Visualizing network scan results with Zenmap.
DNS Enumeration
Purpose: Gathers information about the target’s DNS infrastructure.
Tools: DNSRecon, Fierce.
Examples: Listing all DNS records for a target domain.
Purpose: Protocol scanning aims to identify open ports and the services running on them by sending packets to various ports on a target system. It helps in understanding which services are exposed and potentially vulnerable.
TCP Scanning
Purpose: Identifies open TCP ports and services by analyzing TCP packet responses.
Tools: Nmap, Masscan.
Types:
SYN Scan: Stealthy, sends SYN packets.
Connect Scan: Completes the TCP handshake, more detectable.
FIN, Xmas, Null Scans: Uses specific TCP flags to elicit responses from closed ports.
Examples:nmap -sS target_ip, nmap -sT target_ip.
UDP Scanning
Purpose: Identifies open UDP ports and services by sending UDP packets and analyzing responses.
Tools: Nmap, Unicornscan.
Examples:nmap -sU target_ip.
Challenges: Less reliable due to stateless nature of UDP and ICMP rate limiting.
Purpose: Monitors and audits digital certificates issued by Certificate Authorities (CAs) to detect malicious or misissued certificates.
Tools:
crt.sh: A website for searching Certificate Transparency logs.
Google Certificate Transparency: A project providing public logs of issued certificates.
Examples:
Using crt.sh to find all certificates issued for a target domain.
Importance: Helps identify rogue or unexpected certificates, which can indicate potential man-in-the-middle (MITM) attacks or unauthorized domain usage.
Purpose: Identifies and analyzes protocols used in IoT and OT environments.
Examples:
Modbus, DNP3: Commonly used in industrial control systems (ICS).
MQTT, CoAP: Used in IoT communication.
Importance: Understanding these protocols helps in identifying vulnerabilities specific to IoT and OT environments, which are often overlooked but critical for industrial and smart devices.
Purpose: Archive of web pages; allows viewing of historical versions of websites.
Usage: Check past versions of a target site for exposed sensitive information or vulnerabilities.
Example: Visiting archive.org to look at past snapshots of target_site.com.
Maltego
Purpose: Data mining tool; visualizes relationships between people, companies, domains, etc.
Maltego is a powerful data mining and link analysis tool developed by Paterva.
It is used for gathering and connecting information across various platforms, helping users visualize complex relationships among people, groups, websites, domains, networks, and other entities.
Maltego is widely utilized in cybersecurity, open-source intelligence (OSINT), forensic investigations, and threat intelligence.
Usage: Generate graphs that display the interconnections between different pieces of information.
Example: Using Maltego to map out relationships between email addresses, domains, and social media profiles.
Recon-ng
Purpose: Open-source web reconnaissance framework.
Usage: Automate the process of gathering open-source intelligence.
Example: Running modules in Recon-ng to gather email addresses from a domain.
Purpose: Search engine for Internet-connected devices.
Usage: Find devices with specific vulnerabilities or configurations.
Example: Using Shodan to find all exposed webcams.
Command: shodan search "webcamxp"
SpiderFoot
Purpose: Automated OSINT tool; collects data from various sources.
SpiderFoot is an open-source intelligence (OSINT) automation tool used for reconnaissance and information gathering.
It automates the process of collecting intelligence on IP addresses, domain names, email addresses, and other entities.
SpiderFoot scans multiple data sources to build a detailed profile of the target, making it a valuable tool for penetration testers, security researchers, and threat analysts.
Usage: Automate the collection of information about a target.
Example: Running a scan in SpiderFoot to gather data on a target domain.
Command: python3 spiderfoot.py -s target.com
WHOIS
Purpose: Look up domain registration information.
Usage: Find ownership and contact information for a domain.
Example: Using a WHOIS lookup tool to find the registrant’s information for target.com
Command: whois target.com
nslookup/dig
Purpose: DNS lookup utilities.
Usage: Retrieve DNS records for a domain.
Example:
nslookup:nslookup target.com
dig:dig target.com
Censys.io
Purpose: Search engine for internet-connected devices.
Usage: Find devices, services, and vulnerabilities.
Example: Searching Censys for devices running specific software versions.
Hunter.io
Purpose: Email address search engine.
Usage: Find email addresses associated with a domain.
Example: Using Hunter.io to find contact emails for target.com.
DNSdumpster
Purpose: DNS recon and research tool.
DNSdumpster is an online tool that provides comprehensive domain reconnaissance by performing DNS enumeration and gathering information about the DNS infrastructure of a given domain.
It helps security researchers, penetration testers, and IT professionals map out the external network infrastructure associated with a domain, including subdomains, mail servers, and other DNS records.
Usage: Find DNS records and subdomains for a target.
Example: Using DNSdumpster to find subdomains for target.com.
Amass
Purpose: In-depth DNS enumeration tool.
Amass is an open-source tool developed by the OWASP (Open Web Application Security Project) foundation, designed for in-depth network mapping and external asset discovery.
It is particularly effective for DNS enumeration, subdomain discovery, and reconnaissance.
Amass uses multiple techniques to gather information about a target domain, including active and passive methods, and integrates data from various sources to provide comprehensive results.
Usage: Discover subdomains and map out network structures.
Example: Running Amass to enumerate subdomains of target.com.
Command: amass enum -d target.com
Nmap
Purpose: Network scanning tool.
Usage: Discover hosts and services on a network.
Example:
Basic Scan: nmap target_ip
Nmap Scripting Engine (NSE): Extend Nmap functionality with scripts.
Example Script: nmap --script http-enum target_ip
theHarvester
Purpose: Gather emails, subdomains, hosts, and more from public sources.
Usage: OSINT gathering tool.
Example:theHarvester -d target.com -b google
WiGLE.net
Purpose: Wireless network mapping service.
WiGLE.net (Wireless Geographic Logging Engine) is an online service that aggregates data on the locations of wireless networks worldwide.
It collects information about Wi-Fi networks (SSIDs, BSSIDs, GPS coordinates, etc.) and allows users to search, map, and analyze this data.
WiGLE is popular among security researchers, penetration testers, and wireless network enthusiasts for discovering and mapping Wi-Fi networks.
Usage: Find and map Wi-Fi networks.
Example: Searching WiGLE.net for Wi-Fi networks in a specific area.
InSSIDer
Purpose: Wi-Fi network scanner.
Usage: Identify Wi-Fi networks and their configurations.
Example: Using InSSIDer to scan for nearby Wi-Fi networks.
OSINTframework.com
Purpose: Collection of OSINT tools and resources.
Usage: Reference for various OSINT tools.
Example: Visiting OSINTframework.com to find tools for a specific type of OSINT task.
Wireshark/tcpdump
Purpose: Network protocol analyzers.
Usage: Capture and analyze network traffic.
Example:
Wireshark: Using the graphical interface to capture packets.
tcpdump:tcpdump -i eth0 -w capture.pcap
Aircrack-ng
Purpose: Suite of tools for Wi-Fi network security assessment.
Usage: Capture and crack WEP/WPA-PSK keys.
Example:
Capturing packets: airodump-ng wlan0
Cracking a WPA handshake: aircrack-ng -w wordlist.txt -b target_bssid capture_file.cap