Skip to main content

PIG-Passive_Information_Gathering

whois:

Gather basic info of a domain, including registrant name and nameserver.

whois <domain.com> | less			# forward search
whois <ip address> | less # reverse lookup with ip address

Google Hacking

google search strategy

site: search only a specific domain

filetype: limit result to specified filetype

-: minus sign means exclusion

intitle: keyword in title

site:megacorpone.com -filetype:php	# exclude php file in megacorpone.com
intitle:"index of" "parent directory" # "index of" in title and "parent directory" in body

Netcraft

https://searchdns.netcraft.com

Gather info passively.

For each server, can view a site report.

Recon-ng

Module based info gathering. Pass info from module to module.

Store found data into local db, stored info can be fed to other modules.

Open Source Code

GitHub

filename:users (search strategy)

Shodan

Search for internet connected devices, not only regular websites.

hostname:megacorpone.com (search strategy)

Security Headers Scanner

Find missing security headers

SSL Server Test

https://www.ssllabs.com/ssltest

Pastebin

A website for storing text.

User Information Gathering

Gather info of employees.

Email Harvesting

theharvesterer

theharvesterer

theharvesterer -d megacorpone.com -b google, -b for data source to search.

Password Dumps

rockyou.txt: list of passwords

/usr/share/wordlists/rockyou.txt.gz

Social Media Tools

Social-Searcher

Search in social media sites.

https://www.social-searcher.com

Site-Specific Tools

https://digi.ninja/projects/twofi.php

Stack Overflow

Information Gathering Frameworks

OSINT Framework

https://osintframework.com

Maltego

Data mining tool.

https://www.paterva.com/index.php