Passive Information Gathering

Passive Information Gathering is the process of collecting openly available information about a target, generally without any direct interaction with that target.

Website Recon

• Just browse the site
  • About page to get email and similar files
    • understand the email schema
  • Social Media presence

Whois Enumeration

• Forward lookup: whois domain.tld | less
  • Get the name of the person in charge (probably high privilege)
  • Get the NameServers
• Reverse lookup: whois 1.1.1.1 | less
  • Get who is hosting the IP

Google Hacking

• Using Search engines and their operators to uncover information
  • site:: Limit the results to a single domain
  • ext: or filetype:: Limit the results to a specific filetype
  • prepend - to remove certain results
  • intitle:"index of" "parent directory": Directory listing pages
• https://exploit-db.com/google-hacking-database

For more, see Dorking

Netcraft

• https://searchdns.netcraft.com: Search for domains containing xyz
  • https://sitereport.netcraft.com/?url=http://identity.swissre.com
    • Find technologies used by the site

Recon-ng

• Run: recon-ng
• marketplace search github: search for modules that contain github
  • K marks that the module needs some soft of credentials
  • https://github.com/lanmaster53/recon-ng-marketplace/wiki/API-Keys
• marketplace info recon/domains-hosts/google_site_web: get more information about a specific module
• marketplace install recon/domains-hosts/google_site_web: Install a module
• marketplace load recon/domains-hosts/google_site_web: Load a module
  • Once loaded type info help
  • options set SOURCE megacropone.com: to set the SOURCE option
  • run: to run the module
• recon-ng: Stores its output into a local database and uses it for other modules
  • show hosts: to show the hosts database

Open-Source Code

• Search for the languages and sensitive data on Github, GitLab or SourceForge
  • Github
    • user:
    • filename:
    • https://github.com/michenriksen/gitrob
    • https://github.com/zricethezav/gitleaks

Shodan

• https://shodan.io
  • Searches to any devices connected to the internet, not just web server
  • hostname:megacorpone.com

Security Headers Scanner

• Scan the security headers of a site: https://securityheaders.com

SSL Server Test

• Search for SSL/TLS vulnerabilities: https://www.ssllabs.com/ssltest
• Get a feel for the security practices of a org

Pastebin

• https://pastebin.com/

User Information Gathering

• Gather information on the employees to:
  • Define password lists
  • Social Engineering
  • Phishing
  • Credential Stuffing
  • etc.

Email Harvesting

• Search multiple sources: theharvester -d megacorpone.com -b google

Social Media Tools

• Identify employees and the companies structure
• https://social-searcher.com

Site-Specific Tools

• Search a Twitter feed and generate a wordlist: https://digi.ninja/projects/twofi.php
• Generate username lists based on a LinkedIn Org. https://github.com/initstring/linkedin2username

Social Media Tools

Stack Overflow

• https://stackoverflow.com
• If we can link a user to a stack overflow account we can see what questions their asking to determine the tech stack

Information Gathering Frameworks

OSINT Framework

• https://osintframework.com

Maltego

• https://www.paterva.com/index.php
• Included in Kali

Relevant Note(s): Active Information Gathering Penetration Testing