# Information Gathering
## **Passive Information Gathering & OSINT**
* These techniques refer to gaining information from publicly available sources
* By doing so, the attacker gains information about the target, without any type of active scanning
* This ensures that the target will never be aware that we are obtaining information about it, since there is no form of direct interaction
External Resources:
1.
2.
3.
***
### Google Dorks
Google can be a powerful tool for penetration testing and bug-bounty hunting.\
Google's crawling capabilities can help us find exposed files, scripts and other critical resources in web applications.
This [blogpost](https://www.freecodecamp.org/news/google-dorking-for-pentesters-a-practical-tutorial/) can be useful if you need to learn more about google dorks.
You can also refer to the following:
*
*
Generic Queries
`site:*.target.com intext:uncaught`
`site:*.target.com intext:error`
`site:*.target.com intext:parameter`
`site:*.target.com intext:missing`
`site:*.target.com intext:"stack trace"`
`site:*.target.com intext:php`
`site:*.target.com intext:jsp`
`site:*.target.com intext:asp`
`site:*.target.com intext:include_path`
`site:*.target.com intext:undefined`
`site:*.target.com intext:sql`
`site:*.target.com intext:invalid`
`site:*.target.com intext:exception`
`site:*.target.com intext:fatal`
`site:*.target.com intext:CONFIG`
`site:*.target.com intext:login`
`site:*.target.com intitle:"index of"`
`site:*.target.com inurl:prod`
`site:*.target.com inurl:&`
`site:*.target.com inurl:dev`
`site:*.target.com inurl:staging`
`site:*.target.com inurl:stg`
`site:*.target.com inurl:debug`
`site:*.target.com inurl:admin`
`site:*.target.com inurl:internal`
Apache Services
`site:*.target.com intitle:"apache tomcat/"`
`site:*.target.com "Apache Tomcat examples"`
`site:*.target.com intext:"apache"`
`site:*.target.com intitle:"Solr Admin"`
`site:*.target.com intext:"This is the default welcome page used to test the correct operation of the Apache2 server"`
`site:*.target.com intitle:"index of" "powered by apache "`
`site:*.target.com intext:"Apache server status for"`
`site:*.target.com intitle:"Apache2 Ubuntu Default Page: It works"`
`site:*.target.com intitle:"WAMPSERVER homepage" "Server Configuration" "Apache Version"`
`site:*.target.com intitle:"Test Page for the Apache HTTP Server"`
Files
`site:*.target.com ext:txt`
`site:*.target.com ext:php`
`site:*.target.com ext:php5`
`site:*.target.com ext:phtml`
`site:*.target.com ext:xhtml`
`site:*.target.com ext:key`
`site:*.target.com ext:pem`
`site:*.target.com ext:ovpn`
`site:*.target.com ext:log`
`site:*.target.com ext:asp`
`site:*.target.com ext:aspx`
`site:*.target.com ext:jsp`
`site:*.target.com ext:dat`
`site:*.target.com ext:ovpn`
`site:*.target.com ext:yml`
`site:*.target.com ext:bak`
`site:*.target.com ext:zip`
`site:*.target.com ext:yaml`
`site:*.target.com ext:json`
`site:*.target.com ext:xml`
`site:*.target.com ext:env`
`site:*.target.com ext:conf`
`site:*.target.com ext:ini`
`site:*.target.com ext:cfg`
`site:*.target.com ext:cgi`
`site:*.target.com ext:ccm`
`site:*.target.com ext:sql`
`site:*.target.com ext:cdx`
`site:*.target.com ext:ics`
GraphQL queries
`site:*.target.com intext:"GRAPHQL_PARSE_FAILED"`
`site:*.target.com intext:"GRAPHQL_VALIDATION_FAILED"`
`site:*.target.com intext:"BAD_USER_INPUT"`
`site:*.target.com intext:"UNAUTHENTICATED"`
`site:*.target.com intext:"FORBIDDEN"`
`site:*.target.com intext:"PERSISTED_QUERY_NOT_FOUND"`
`site:*.target.com intext:"PERSISTED_QUERY_NOT_SUPPORTED"`
`site:*.target.com intext:"INTERNAL_SERVER_ERROR"`
***
### **Domain Information using Crt.sh & Shodan**
1. Output and Download JSON:\
`curl -s https://crt.sh/\?q\=test.com\&output\=json | jq .`
2. Filter JSON by subdomains:\
`curl -s https://crt.sh/\?q\=test.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u`
3. Make an ip-address wordlist:\
`for i in $(cat subdomainlist);do host $i | grep "has address" | grep [test.com](http://test.com/) | cut -d" " -f4 >> ip-addresses.txt;done`
4. Run shodan on those ip addresses:\
`for i in $(cat ip-addresses.txt);do shodan host $i;done`
***
### **Passive Domain Enumeration**
| Resource/Command | Description |
| --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| VirusTotal | |
| Censys | |
| Crt.sh | |
| curl -s \| jq -r '.\[]' \| sort -u | All subdomains for a given domain. |
| curl -s \| jq -r '.\[]' \| sort -u | All TLDs found for a given domain. |
| curl -s \| jq -r '.\[]' \| sort -u | All results across all TLDs for a given domain. |
| curl -s \| jq -r '.\[]' \| sort -u | Reverse DNS lookup on IP address. |
| curl -s \| jq -r '.\[]' \| sort -u | Reverse DNS lookup of a CIDR range. |
| curl -s "" \| jq -r '.\[] \| "(.name\_value)\n(.common\_name)"' \| sort -u | Certificate Transparency. |
| cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done | Searching for subdomains and other information on the sources provided in the source.txt list. |
| | Search public information about a hostname using netcraft |
***
### **Passive Infrastructure Identification**
| Resource/Command | Description |
| ----------------------------------------------------- | ---------------------------------------------------------- |
| Netcraft | |
| WayBackMachine | |
| WayBackURLs | |
| waybackurls -dates https\://$TARGET > waybackurls.txt | Crawling URLs from a domain with the date it was obtained. |
***
## **Active Information Gathering**
* By using active scans against the target, we can gain more (reliable) information about it
* Whenever we are executing external scans, nmap and many other different tools can help us gain a lay of the land of the target surface
***
### **Protocols and Services Footprinting with NMAP**
* Scanning a target with nmap may reveal services, open ports, service versions, operating system and so on
* After gaining a lay of the land of the protocols and services granted by the target, refer to the Protocols and Services Notes for more information
***
**NMAP Scanning Options**
| Nmap Option | Description |
| -------------------- | -------------------------------------------------------------------------------------------------------------------- |
| `10.10.10.0/24` | Target network range. |
| `-sn` | Disables port scanning. |
| `-Pn` | Disables ICMP Echo Requests |
| `-n` | Disables DNS Resolution. |
| `-PE` | Performs the ping scan by using ICMP Echo Requests against the target. |
| `--packet-trace` | Shows all packets sent and received. |
| `--reason` | Displays the reason for a specific result. |
| `--disable-arp-ping` | Disables ARP Ping Requests. |
| `--top-ports=` | Scans the specified top ports that have been defined as most frequent. |
| `-p-` | Scan all ports. |
| `-p22-110` | Scan all ports between 22 and 110. |
| `-p22,25` | Scans only the specified ports 22 and 25. |
| `-F` | Scans top 100 ports. |
| `-sS` | Performs an TCP SYN-Scan. |
| `-sA` | Performs an TCP ACK-Scan. Note: best for firewall and ids/ips evasion |
| `-sU` | Performs an UDP Scan. |
| `-sV` | Scans the discovered services for their versions. |
| `-sC` | Perform a Script Scan with scripts that are categorized as "default". |
| `-sL` | List Scan - simply list targets to scan - useful to understand which targets are reachable |
| `--script