Tools

  • Craal (GitHub, Pastebin, S3 Buckets, Protoxin, CertStream): https://github.com/jaylagorio/craal
  • Semi-automatic OSINT framework and package manager: https://github.com/kpcyrd/sn0int
  • Discover and extract hostnames providing a large set of target IP addresses: https://github.com/SpiderLabs/HostHunter
  • sslyze - Fast and powerful SSL/TLS server scanning library.
  • https://github.com/BishopFox/GitGot

Email

TheHarvester

theharvester -d cisco.com -b google
theharvester -d cisco.com -b bing
  • Domain Registrations
    • https://domainbigdata.com
    • https://viewdns.info/
    • https://pulsedive.com/
    • https://www.apnic.net/static/whowas-ui/
  • Archive
    • https://archive.org/
  • Similar websites
    • https://similarsites.com/
  • Subdomains
    • Finds subdomains in google, bing, etc: python theHarvester.py -l 500 -b all -d $ip
    • Generates permutations, alterations and mutations of subdomains and then resolves them: https://github.com/infosec-au/altdns
    • Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask, and also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS: https://github.com/aboul3la/Sublist3r
    • SubFinder is a subdomain discovery tool that discovers valid subdomains for websites: https://github.com/subfinder/subfinder
    • Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist: https://github.com/guelfoweb/knock
    • https://findsubdomains.com/
    • https://pentest-tools.com/information-gathering/find-subdomains-of-domain
    • Abusing Certificate Transparency logs for getting HTTPS websites subdomains: https://github.com/UnaPibaGeek/ctfr
  • Source Code Analysis
    • https://publicwww.com/
    • https://nerdydata.com/
  • Analytic ID cross referencing
    • http://analyzeid.com/
  • SSL Certificates
    • https://certdb.com/
    • https://crt.sh/
  • Whois API
    • https://www.whoisxmlapi.com/
    • https://www.whoxy.com/

  • OSINT tool for visualizing relationships between domains, IPs and email addresses: https://hackernoon.com/osint-tool-for-visualizing-relationships-between-domains-ips-and-email-addresses-94377aa1f20a
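The Certificate Transparency approach above (ctfr, crt.sh) is useful on the defensive side as well: CT logs show every certificate issued for your domains, including hosts nobody put in the asset inventory. The script below is an added example, not part of these notes and not ctfr's or crt.sh's own code. It assumes the record shape crt.sh returns for output=json (a name_value field that may hold several newline-separated names, some of them wildcards), which is the main parsing pitfall, and it runs offline on constructed sample records.

```python
"""Normalise Certificate Transparency search results into a clean hostname list.

Added example for these recon notes. Assumes the crt.sh JSON record shape
(list of objects with a "name_value" field whose content may be several
newline-separated names and may include wildcard entries). The sample below is
constructed data, not real certificate records.
"""
import json
import re

# Constructed sample shaped like crt.sh output for ?q=%25.example.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Mail.Example.COM",            # mixed case is common in SANs
     "name_value": "Mail.Example.COM\nautodiscover.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev.example.com",
     "name_value": "dev.example.com\nexample.com.evil.test"},  # must NOT be kept
])

# Conservative hostname syntax check: dotted labels, letters-only TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_subdomains(crtsh_json: str, domain: str) -> dict:
    """Return {"hosts": [...], "wildcards": [...]} for names under `domain`.

    Splits multi-name entries, lowercases, strips trailing dots, moves wildcard
    entries to their own list (the base name is still kept as a host), and only
    accepts names that are the domain itself or end in ".<domain>", so a name
    that merely contains the domain (example.com.evil.test) is rejected.
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    hosts, wildcards = set(), set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]          # evaluate the base name as a host
            if not HOSTNAME_RE.match(name):
                continue
            if name == domain or name.endswith(suffix):
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


def unexpected_hosts(found_hosts, inventory) -> list:
    """Hostnames seen in CT logs that are missing from the asset inventory."""
    known = {h.strip().lower().rstrip(".") for h in inventory}
    return sorted(h for h in found_hosts if h not in known)


if __name__ == "__main__":
    result = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    inventory = ["www.example.com", "example.com", "mail.example.com"]  # constructed
    print("hosts:     ", result["hosts"])
    print("wildcards: ", result["wildcards"])
    print("unexpected:", unexpected_hosts(result["hosts"], inventory))
```

Running it against a saved crt.sh JSON file instead of the constructed sample only requires reading the file into `extract_subdomains`; the suffix check is what keeps look-alike names out of the result, and `unexpected_hosts` is the list worth reviewing for forgotten or shadow infrastructure.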

Subdomain to IP

  • Bouncing through an old expired domain. Trusted in all lists.
  • With a single target domain URL, enumerate subdomains.
  • Subdomains > IP Addresses > ARIN crawl for more CIDRs.

    https://twitter.com/TinkerSec/status/1097912618663243783

OSINT-SPY

Performs OSINT scan on email/domain/ip_address/organization.

  • https://www.kitploit.com/2019/02/osint-spy-search-using-osint-open.html
  • https://github.com/SharadKumar97/OSINT-SPY

Services

  • https://www.shodan.io
  • Find compromised NoSQL systems from Shodan JSON export: https://gist.github.com/n0x08/39c4fef373d0ac02d61da5d1d3865ce5
  • https://censys.io/
  • https://www.zoomeye.org/
  • https://www.binaryedge.io/
  • https://viz.greynoise.io/table
  • https://fofa.so/
  • https://www.onyphe.io/
  • https://hunter.io/
  • https://wigle.net/
  • https://ghostproject.fr/
  • https://inteltechniques.com/blog/2018/09/30/breach-data-search-engines-comparison/

OS (VM)

  • Buscador Investigative Operating System: https://inteltechniques.com/buscador/

AQUATONE

Aquatone performs visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

  • GitHub: https://github.com/michenriksen/aquatone

Social

  • LinkedIn: https://github.com/vysecurity/LinkedInt

ReconNG

General commands:

show modules
keys list

workspace add

show schema
show domains
show hosts
add companies
add domains

search reporting
show dashboard

Import emails from harvester, etc.:

set TABLE contacts
set COLUMN email
set FILENAME united_emails.txt
run

Search Shodan for host names:

use recon/domains-hosts/shodan_hostname
run
show hosts
show ports

Reporting:

use reporting/list
show options
set FILENAME /location/on/file/system
run
use reporting/html
show options
set CREATOR Pentester
set COMPANY United Airlines

Summarized References

  • https://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
  • http://securenetworkmanagement.com/recon-ng-tutorial-part-1/
  • http://securenetworkmanagement.com/recon-ng-tutorial-part-2/
  • http://securenetworkmanagement.com/recon-ng-tutorial-part-3/

Vanquish

Vanquish is a Kali Linux based enumeration orchestrator.

Tools it orchestrates: NMap, Hydra, Nikto, Metasploit, Gobuster, Dirb, Exploitdb, Nbtscan, Ntpq, Enum4linux, Smbclient, Rpcclient, Onesixtyone, Sslscan, Sslyze, Snmpwalk, Ident-user-enum, Smtp-user-enum, Snmp-check, Cisco-torch, Dnsrecon, Dig, Whatweb, Wafw00f, Wpscan, Cewl, Curl, Mysql, Nmblookup, Searchsploit, Nbtscan-unixwiz, Xprobe2, Blindelephant, Showmount.

LazyRecon

An automated approach to performing recon for bug bounty hunting and penetration testing.

chomp-scan

Streamline the bug bounty/penetration test reconnaissance phase

  • Subdomain Discovery (3 different sized wordlists)
    • dnscan
    • subfinder
    • sublist3r
    • massdns + altdns
    • subjack
  • Screenshots (optional)
    • aquatone
  • Port Scanning (optional)
    • masscan and/or nmap
  • Content Discovery (optional) (4 different sized wordlists)
    • ffuf
    • bfac
    • nikto
    • whatweb
  • Wordlists
    • Subdomain Bruteforcing
      • subdomains-top1mil-20000.txt - 22k words - From Seclists
      • sortedcombined-knock-dnsrecon-fierce-reconng.txt - 102k words - From Seclists
      • huge-200k - 199k words - A combination I made of various wordlists, including Seclists
    • Content Discovery
      • big.txt - 20k words - From Seclists
      • raft-large-combined.txt - 167k words - A combination of the raft wordlists in Seclists
      • seclists-combined.txt - 215k words - A larger combination of all the Discovery/DNS lists in Seclists
      • haddix_content_discovery_all.txt - 373k words - Jason Haddix's all content discovery list
      • haddix-seclists-combined.txt - 486k words - A combination of the two previous lists
    • Misc.
      • altdns-words.txt - 240 words - Used for creating domain permutations for masscan to resolve. Borrowed from altdns.
      • interesting.txt - 42 words - A list I created of potentially interesting words appearing in domain names.
  • GitHub: https://github.com/SolomonSklash/chomp-scan

pown-recon

A powerful target reconnaissance framework powered by graph theory.

  • GitHub: https://github.com/pownjs/pown-recon

Other

  • EyeWitness - take screenshots of websites, provide some server header info, and identify default credentials if possible: https://github.com/FortyNorthSecurity/EyeWitness

References

New References

  • Exploiting Vulnerabilities Through Proper Reconnaissance: https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g4052c4692d_0_0
  • Recon My Way: https://github.com/ehsahil/recon-my-way