Information Gathering
Passive Information Gathering & OSINT
These techniques refer to gaining information from publicly available sources.
By doing so, the attacker gains information about the target without any type of active scanning.
This ensures that the target never becomes aware that we are obtaining information about it, since there is no form of direct interaction with it.
External Resources:
Google Dorks
Google can be a powerful tool for penetration testing and bug-bounty hunting. Google's crawling capabilities can help us find exposed files, scripts and other critical resources in web applications.
This blogpost can be useful if you need to learn more about Google dorks.
You can also refer to the following:
Domain Information using Crt.sh & Shodan
Output and Download JSON:
curl -s https://crt.sh/\?q\=test.com\&output\=json | jq .
Filter JSON by subdomains:
curl -s https://crt.sh/\?q\=test.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
Make an ip-address wordlist:
for i in $(cat subdomainlist);do host $i | grep "has address" | grep "test.com" | cut -d" " -f4 >> ip-addresses.txt;done
Run shodan on those ip addresses:
for i in $(cat ip-addresses.txt);do shodan host $i;done
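The subdomain-filtering step of the pipeline above, rewritten as an added example (not part of the original notes) in Python so it runs offline against a constructed crt.sh-style JSON sample; the hostnames in the sample are made up. It also deals with two details the one-liner glosses over: a single name_value field can hold several SANs separated by a newline, and wildcard entries cannot be fed to the host loop that builds the ip-address wordlist.

```python
import json

# Constructed sample of crt.sh JSON output (not real certificate data).
# name_value may carry several names separated by "\n", which is why the
# page's pipeline runs gsub(/\\n/,"\n") before sort -u.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.test.com",
     "name_value": "www.test.com\ntest.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.test.com",
     "name_value": "mail.test.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Intermediate",
     "common_name": "*.test.com",
     "name_value": "*.test.com\nvpn.test.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Intermediate",
     "common_name": "test.com.lookalike.example",
     "name_value": "test.com.lookalike.example"},
])


def extract_subdomains(crtsh_json, domain):
    """Sorted, de-duplicated hostnames under `domain` found in crt.sh JSON
    (the equivalent of the jq | grep | cut | awk | sort -u pipeline)."""
    hosts = set()
    for entry in json.loads(crtsh_json):
        # one name_value field may list several SANs, one per line
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            # match the apex or a real child label only; a plain substring
            # match (grep test.com) would also accept test.com.lookalike.example
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return sorted(hosts)


def split_wildcards(hosts):
    """Separate wildcard names (*.test.com), which `host` cannot resolve,
    from concrete names that can go into the ip-address wordlist step."""
    concrete = [h for h in hosts if not h.startswith("*.")]
    wildcards = [h for h in hosts if h.startswith("*.")]
    return concrete, wildcards


if __name__ == "__main__":
    names = extract_subdomains(SAMPLE_CRTSH_JSON, "test.com")
    concrete, wildcards = split_wildcards(names)
    print("resolvable:", concrete)
    print("wildcards:", wildcards)
```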
Passive Domain Enumeration
Passive Infrastructure Identification
Active Information Gathering
By using active scans against the target, we can gain more (and more reliable) information about it.
Whenever we are executing external scans, nmap and many other tools can help us get a lay of the land of the target's attack surface.
Protocols and Services Footprinting with NMAP
Scanning a target with nmap may reveal services, open ports, service versions, the operating system and so on.
After getting a lay of the land of the protocols and services exposed by the target, refer to the Protocols and Services Notes for more information.
NMAP Scanning Options
NMAP Output Options
NMAP Performance Options
Vhosts, Subdomain and Web Content Fuzzing
Fuzz testing, or fuzzing, is a black-box software testing technique which basically consists of finding implementation bugs by injecting malformed or semi-malformed data in an automated fashion.
Fuzzing techniques can also be used to discover vhosts, subdomains and web content.
Refer to the Fuzzing Notes for more information.
Active Infrastructure Identification
Active Subdomain Enumeration
DNS Enumeration