search

Reconnaissance

Reconnaissance is a set of processes and techniques (Footprinting, Scanning & Enumeration) used to covertly discover and collect information about a target system.

hashtag
Passive/Active Information Gathering

hashtag
Active Reconnaissance

In this process, you will directly interact with the computer system to gain information. This information can be relevant and accurate. But there is a risk of getting detected if you are planning active reconnaissance without permission. If you are detected, then system admin can take severe action against you and trail your subsequent activities.

hashtag
Passive Reconnaissance

In this process, you will not be directly connected to a computer system. This process is used to gather essential information without ever interacting with the target systems

A good start for this is the OSINT Framework, which provides a powerfull wiki: https://www.osintframework.com arrow-up-right

The OSINT Framework wiki

The list is huge and I'll just cover a few of them, which I also used during the CAS.

hashtag
Find Email Adresses

Hunter: https://hunter.io/search/arrow-up-right

huntio.io search field (you need to register if you want to see results)

Results looks like this:

Gathered e-mail addresses from domain csnc.ch

Another cool tool is called theHarvester: http://www.edge-security.com/theharvester.phparrow-up-right

theHarvester -d csnc.ch -l 1000 -b bing

Output from theHarvester

Another useful tool to check if a gathered e-mail adress is valid or not can be: https://www.mailboxvalidator.com/demoarrow-up-right

sample input for mail adress

Result:

sample above belongs to a Catch-all domain

hashtag
Check e-mail adress for breached data:

LogoHave I Been Pwned: Check if your email address has been exposed in a data breachHave I Been Pwnedchevron-right
LogoDeHashed โ€” #FreeThePassworddehashed.comchevron-right

hashtag
Subdomain and Certificate Search

LogoFree subdomain finder online ๐Ÿ›ก๏ธ find subdomains of domainPentest-Tools.comchevron-right
Logocrt.sh | Certificate Searchcrt.shchevron-right
LogoCensys SearchCensyschevron-right
https://spyse.com/spyse.comchevron-right

hashtag
Vulnerability search

LogoGitHub - 1N3/Sn1per: Attack Surface Management PlatformGitHubchevron-right

hashtag
DNS Enumeration

LogoDNSDumpster - Find & lookup dns records for recon & researchDNSDumpster.comchevron-right

hashtag
Reconnaisance Tools

LogoAttack Surface Exposurewww.spiderfoot.netchevron-right

This is just a short overview! For more ressources please check out the OSINT Framework Website :)

PreviousStartNextOpensource Intelligence

Last updated