Passive Recon

Google hacking

Google search to find website sub domains

site:microsoft.com

Google search within webaddress

site:microsoft.com eternalblue

Google filetype, and intitle

intitle:"netbotz appliance" "OK" -filetype:pdf

Google inurl

inurl:"level/15/sexec/-/show" 

Google cached version

cache:microsoft.com

Goolge login pages on sites that use then ending .pt (Portugal)

site:pt inurl:admin.php

Google Hacking Database

https://www.exploit-db.com/google-hacking-database/

People

Social Media

Sherlock

/opt/sherlock/sherlock.py

Google

site:twitter.com companyname
site:linkedin.com companyname
site:facebook.com companyname

Email

Simply Email

# Download
git clone <https://github.com/killswitch-GUI/SimplyEmail.git>
# Usage
./SimplyEmail.py -all -e TARGET-DOMAIN

Find emails in google, bing, pgp, etc

theharvester -d $ip -l -b google

Find emails and employee name with Recon-ng

recon-ng; use module; set DOMAIN $ip; run;
recon/contacts/gather/http/api/whois_pocs

SSL Certificate Testing

https://www.ssllabs.com/ssltest/analyze.html

Netcraft

Determine the operating system and tools used to build a site

https://searchdns.netcraft.com/

Whois

whois [domain-name-here.com](<http://domain-name-here.com/>)

whois $ip

Banner Grabbing

nc -v $ip 25

telnet $ip 25

nc TARGET-IP 80