PIG-Passive_Information_Gathering
whois:
Gather basic info of a domain, including registrant name and nameserver.
whois <domain.com> | less # forward search
whois <ip address> | less # reverse lookup with ip address
Google Hacking
google search strategy
site: search only a specific domain
filetype: limit result to specified filetype
-: minus sign means exclusion
intitle: keyword in title
site:megacorpone.com -filetype:php # exclude php file in megacorpone.com
intitle:"index of" "parent directory" # "index of" in title and "parent directory" in body
Netcraft
https://searchdns.netcraft.com
Gathers info passively from Netcraft's own crawl data.
For each server found, a site report can be viewed.
Recon-ng
Module-based info gathering; output of one module is passed on to the next.
Found data is stored in a local db, and the stored info can be fed to other modules.
Open Source Code
GitHub
filename:users (search strategy)
Shodan
Search for internet connected devices, not only regular websites.
hostname:megacorpone.com (search strategy)
Security Headers Scanner
Find missing security headers
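Added example (not part of the original notes, and not the scanner's own code): the presence check such a scanner performs, run over a constructed set of response headers, with a sanity check on the HSTS max-age value as well. Header names and the 180-day threshold are assumptions for illustration.

```python
# Added example: audit an HTTP response's headers for commonly expected
# security headers and flag the ones a Security Headers scanner would report.
# SAMPLE_HEADERS below is constructed for illustration, not a real capture.

RECOMMENDED = {
    "strict-transport-security": "HSTS: force HTTPS on later visits",
    "content-security-policy": "CSP: restrict script/resource origins",
    "x-frame-options": "clickjacking protection (or CSP frame-ancestors)",
    "x-content-type-options": "disable MIME sniffing",
    "referrer-policy": "limit referrer leakage",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days (assumed minimum for a good grade)


def audit_security_headers(headers):
    """Return {header: reason} findings for a mapping of name -> value.

    Header names are compared case-insensitively, as HTTP requires.
    """
    present = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, purpose in RECOMMENDED.items():
        if name not in present:
            findings[name] = "missing (" + purpose + ")"
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        # Parse directives like "max-age=31536000; includeSubDomains"
        directives = {}
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            directives[key.lower()] = value.strip()
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            # absent or non-numeric max-age makes the header ineffective
            findings["strict-transport-security"] = "malformed max-age: " + hsts
        else:
            if max_age < MIN_HSTS_MAX_AGE:
                findings["strict-transport-security"] = "max-age too short (%d)" % max_age
    return findings


# Constructed sample: HSTS present but weak, CSP/X-Frame-Options/Referrer-Policy absent
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for header, reason in sorted(audit_security_headers(SAMPLE_HEADERS).items()):
        print(header + ": " + reason)
```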
SSL Server Test
https://www.ssllabs.com/ssltest
Pastebin
A website for storing text.
User Information Gathering
Gather info of employees.
Email Harvesting
theHarvester
theHarvester -d megacorpone.com -b google # -d sets the domain, -b the data source to search
Password Dumps
rockyou.txt: list of passwords
/usr/share/wordlists/rockyou.txt.gz
Social Media Tools
Social-Searcher
Search in social media sites.
https://www.social-searcher.com
Site-Specific Tools
https://digi.ninja/projects/twofi.php
Stack Overflow
Information Gathering Frameworks
OSINT Framework
Maltego
Data mining tool.