Passive Recon

Google hacking

Google search to find a website's subdomains

site:microsoft.com

Google search within a web address

site:microsoft.com eternalblue

Google filetype, and intitle

intitle:"netbotz appliance" "OK" -filetype:pdf

Google inurl

inurl:"level/15/sexec/-/show"

Google cached version

cache:microsoft.com

Google login pages on sites under the .pt top-level domain (Portugal)

site:pt inurl:admin.php

Google Hacking Database

https://www.exploit-db.com/google-hacking-database/

People

Social Media

Sherlock

/opt/sherlock/sherlock.py

Google

site:twitter.com companyname
site:linkedin.com companyname
site:facebook.com companyname

Email

Simply Email

# Download
git clone https://github.com/killswitch-GUI/SimplyEmail.git
# Usage
./SimplyEmail.py -all -e TARGET-DOMAIN

Find emails in Google, Bing, PGP key servers, etc.

theharvester -d $ip -l 500 -b google

Find emails and employee names with Recon-ng

recon-ng
use recon/contacts/gather/http/api/whois_pocs
set DOMAIN $ip
run

SSL Certificate Testing

https://www.ssllabs.com/ssltest/analyze.html

Netcraft

Determine the operating system and tools used to build a site

https://searchdns.netcraft.com/

Whois

whois domain-name-here.com
whois $ip
# Banner grabbing (SMTP and HTTP)
nc -v $ip 25
telnet $ip 25
nc TARGET-IP 80
