# Reconnaissance

### Passive/Active Information Gathering

#### Active Reconnaissance

In this process, you interact directly with the target system to gain information. The information gathered this way can be relevant and accurate, but there is a risk of being detected if you carry out active reconnaissance without permission. If you are detected, the system administrator can take severe action against you and track your subsequent activities.

#### Passive Reconnaissance

In this process, you are never directly connected to the target system. It is used to gather essential information without ever interacting with the target systems.

A good start for this is the OSINT Framework, which provides a powerful wiki: [https://www.osintframework.com](https://www.osintframework.com/)

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6c9MtNPMaQo4EkIcR%2F-Mg6fSKej6tRzXlzBlrX%2Fosint01.png?alt=media&#x26;token=b45f1639-4fec-49ed-85d5-05b7817e094c" alt="The OSINT Framework wiki"></div>

The list is huge and I'll just cover a few of them, which I also used during the CAS.

### Find Email Addresses

Hunter: <https://hunter.io/search/>

![hunter.io search field (you need to register if you want to see results)](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6fZeqi5WCGY9xU9Q2%2F-Mg7LZmHAZwt6EB9dBmj%2Fosint02.png?alt=media\&token=15cc8a1e-8ff7-40ad-ab6d-969c04d4ccf4)

Results look like this:

![Gathered e-mail addresses from domain csnc.ch](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6fZeqi5WCGY9xU9Q2%2F-Mg7Nosc3vVPgDcBC1N1%2Fosint03.png?alt=media\&token=87c2b1db-f58c-410c-966c-fc87bdc2b7e1)

Another cool tool is called theHarvester: <http://www.edge-security.com/theharvester.php>

```bash
theHarvester -d csnc.ch -l 1000 -b bing
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6fZeqi5WCGY9xU9Q2%2F-Mg7SjkjiBT2e9EP7ARg%2Fosint04.png?alt=media&#x26;token=3aebe3bd-8f84-42f6-8ebe-b00dd059578b" alt="Output from theHarvester"></div>
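Tools like hunter.io and theHarvester do two things under the hood: pull every address for one domain out of scraped text and deduplicate it, then work out the organisation's naming convention from the addresses that belong to named people. The script below is an added example written for this page, not code from either tool; the scraped text, the addresses and the name data are all constructed, and the idea that a harvester has a person's name next to an address is an assumption about such tools' output. Running it on an organisation's own public footprint shows what convention is exposed.

```python
import re
from collections import Counter

# Constructed sample text, standing in for what a harvester scrapes from public
# pages (search results, PDFs, contact pages). None of these addresses are real.
SAMPLE_TEXT = """
Contact: john.doe@example.org, Jane Smith <jane.smith@example.org>
Press office: press@example.org   Legacy alias: jdoe@example.org
Partner: someone@other.example   Duplicate in caps: JOHN.DOE@EXAMPLE.ORG
Not addresses: foo@bar, image@2x.png
"""

# Constructed name data, as a tool might show next to each address (assumption
# about such tools' output; every value here is invented).
PEOPLE = {
    "john.doe@example.org": ("John", "Doe"),
    "jane.smith@example.org": ("Jane", "Smith"),
    "jdoe@example.org": ("John", "Doe"),
}

# Deliberately simple syntax match: looser than RFC 5322, but enough for scraping.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Candidate local-part templates, each mapping (first, last) to the local part
# it would produce.
PATTERNS = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{f}{last}": lambda f, l: f"{f[0]}{l}",
    "{first}{last}": lambda f, l: f"{f}{l}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{first}": lambda f, l: f,
}


def harvest(text, domain):
    """Return the deduplicated, lower-cased addresses in `text` that belong to `domain`."""
    domain = domain.lower()
    found = set()
    for match in EMAIL_RE.findall(text):
        addr = match.lower()
        if addr.rpartition("@")[2] == domain:
            found.add(addr)
    return sorted(found)


def infer_pattern(addresses, people):
    """Guess the naming convention from addresses that have a known person behind them.

    Role accounts (press@, info@, ...) carry no name and are skipped. Returns the
    most common template and how many addresses matched it, or None if nothing matched.
    """
    counts = Counter()
    for addr in addresses:
        if addr not in people:
            continue
        local = addr.split("@")[0]
        first, last = (part.lower() for part in people[addr])
        for template, build in PATTERNS.items():
            if build(first, last) == local:
                counts[template] += 1
                break
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    addrs = harvest(SAMPLE_TEXT, "example.org")
    print("addresses:", addrs)
    print("likely pattern:", infer_pattern(addrs, PEOPLE))
```

On the constructed sample the harvester keeps four addresses (the upper-case duplicate and the addresses on other domains are dropped) and reports `{first}.{last}` as the convention, with the legacy `jdoe@` alias counted separately as `{f}{last}`.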

Another useful tool to check whether a gathered e-mail address is valid: <https://www.mailboxvalidator.com/demo>

![sample input for mail address](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6fZeqi5WCGY9xU9Q2%2F-Mg7VDJm0_-hNKZRDprV%2Fosint05.png?alt=media\&token=9d6f4333-f2e2-4330-9d93-badb17d19332)

Result:

![sample above belongs to a Catch-all domain](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfT0VPyK6X13Egd9pzy%2F-Mg6fZeqi5WCGY9xU9Q2%2F-Mg7WNHQ5CNPmh_udbcl%2Fosint06.png?alt=media\&token=cb359304-e9ce-49f9-a9df-ac6dc36f55f9)

### Check e-mail address for breached data

{% embed url="<https://haveibeenpwned.com/>" %}

{% embed url="<https://dehashed.com/>" %}

### Subdomain and Certificate Search

{% embed url="<https://pentest-tools.com/information-gathering/find-subdomains-of-domain#>" %}

{% embed url="<https://crt.sh/>?" %}

{% embed url="<https://search.censys.io/>" %}

{% embed url="<https://spyse.com/>" %}
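Certificate transparency search (crt.sh and similar) is useful in the other direction as well: the same data tells a domain owner which host names have had certificates issued for them, including forgotten hosts and names nobody in the organisation requested. The script below is an added example written for this page, not code from crt.sh or any of the services linked above. The field names follow crt.sh's JSON output as I understand it (an assumption); the entries themselves are constructed and describe no real certificate.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output. Field names are an
# assumption about that service's format; all values are invented.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.org",
     "name_value": "www.example.org\nexample.org",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 102, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.org",
     "name_value": "*.example.org",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn-old.example.org",
     "name_value": "vpn-old.example.org\nmail.example.org",
     "not_before": "2021-03-01T00:00:00", "not_after": "2021-05-30T23:59:59"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev-login.example.org",
     "name_value": "dev-login.example.org",
     "not_before": "2024-02-20T00:00:00", "not_after": "2024-05-20T23:59:59"},
])


def extract_hosts(ct_json, domain):
    """Split every entry's SAN list into concrete host names under `domain`.

    Returns (hosts, wildcards): hosts maps host -> set of certificate ids;
    wildcards is the set of wildcard names seen. A wildcard names no concrete
    host, but its issuance is worth knowing about on its own.
    """
    domain = domain.lower()
    hosts, wildcards = {}, set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            if name == domain or name.endswith("." + domain):
                hosts.setdefault(name, set()).add(entry["id"])
    return hosts, wildcards


def unexpected_hosts(hosts, known_hosts):
    """Hosts present in CT logs but missing from the inventory you maintain."""
    known = {h.lower() for h in known_hosts}
    return sorted(h for h in hosts if h not in known)


def active_certificates(ct_json, as_of):
    """Ids of certificates whose validity window contains `as_of` (datetime or ISO string)."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    active = []
    for entry in json.loads(ct_json):
        not_before = datetime.fromisoformat(entry["not_before"])
        not_after = datetime.fromisoformat(entry["not_after"])
        if not_before <= as_of <= not_after:
            active.append(entry["id"])
    return active


def issuer_summary(ct_json):
    """Count certificates per issuing organisation (the O= component of issuer_name)."""
    counts = Counter()
    for entry in json.loads(ct_json):
        parts = entry["issuer_name"].split(", ")
        org = next((p[2:] for p in parts if p.startswith("O=")), "unknown")
        counts[org] += 1
    return dict(counts)


if __name__ == "__main__":
    inventory = {"example.org", "www.example.org", "mail.example.org"}
    hosts, wildcards = extract_hosts(SAMPLE_CT_JSON, "example.org")
    print("hosts seen in CT:", sorted(hosts))
    print("wildcards:", sorted(wildcards))
    print("not in inventory:", unexpected_hosts(hosts, inventory))
    print("active on 2024-03-01:", active_certificates(SAMPLE_CT_JSON, "2024-03-01T00:00:00"))
    print("issuers:", issuer_summary(SAMPLE_CT_JSON))
```

Run against a real export, the interesting output is the `not in inventory` list: on the sample it surfaces a stale `vpn-old` host from an expired certificate and a `dev-login` name that is currently valid, which is exactly the kind of entry worth following up with whoever manages certificates for the domain.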

### Vulnerability search

{% embed url="<https://github.com/1N3/Sn1per>" %}

### DNS Enumeration

{% embed url="<https://dnsdumpster.com/>" %}

### Reconnaissance Tools

{% embed url="<https://www.spiderfoot.net/>" %}

This is just a short overview! For more resources, please check out the OSINT Framework website :)
