## whois

Gather basic info of a domain, including registrant name and nameserver.

```bash
whois <domain.com> | less    # forward search
whois <ip address> | less    # reverse lookup with ip address
```

## Google Hacking

Google search strategy:

- **site:** search only a specific domain
- **filetype:** limit results to the specified filetype
- **-** minus sign means exclusion
- **intitle:** keyword in title

```
site:megacorpone.com -filetype:php        # exclude php files in megacorpone.com
intitle:"index of" "parent directory"     # "index of" in title and "parent directory" in body
```

## Netcraft

https://searchdns.netcraft.com

Gathers info passively. For each server, a site report can be viewed.

## Recon-ng

Module-based info gathering. Passes info from module to module. Found data is stored in a local db, and the stored info can be fed to other modules.

## Open Source Code

### GitHub

`filename:users` (search strategy)

## Shodan

Search for internet-connected devices, not only regular websites.

`hostname:megacorpone.com` (search strategy)

## Security Headers Scanner

Find missing security headers.

## SSL Server Test

https://www.ssllabs.com/ssltest

## Pastebin

A website for storing text.

## User Information Gathering

Gather info of employees.

## Email Harvesting

theHarvester

`theHarvester -d megacorpone.com -b google`, where `-b` selects the data source to search.

## Password Dumps

rockyou.txt: list of passwords, `/usr/share/wordlists/rockyou.txt.gz`

## Social Media Tools

### Social-Searcher

Search in social media sites. https://www.social-searcher.com

### Site-Specific Tools

https://digi.ninja/projects/twofi.php

### Stack Overflow

## Information Gathering Frameworks

### OSINT Framework

https://osintframework.com

### Maltego

Data mining tool. https://www.paterva.com/index.php
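The check that a security-headers scanner performs on a site, as an added example that is not part of the original notes: it parses a constructed HTTP response head and reports which recommended headers are missing or carry a weak value. The header list and the six-month HSTS threshold are assumptions chosen for the example.

```python
"""Report missing or weak security headers in an HTTP response head (added example)."""
import re


def _hsts_ok(value):
    # Assumed threshold: six months, a common minimum before preload is considered.
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000


# Assumed header set; each entry maps a header name to a check on its value.
EXPECTED = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}


def parse_headers(raw):
    """Parse a raw response head (status line + headers) into a dict keyed by lowercase name."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return {'missing': [...], 'weak': [...]} for the given raw response head."""
    headers = parse_headers(raw)
    missing, weak = [], []
    for name, ok in EXPECTED.items():
        if name not in headers:
            missing.append(name)
        elif not ok(headers[name]):
            weak.append(name)
    return {"missing": missing, "weak": weak}


# Constructed sample response head, not captured from any real site.
SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "Content-Security-Policy: default-src 'self'\r\n\r\n"
)

if __name__ == "__main__":
    print(check_security_headers(SAMPLE))
```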