Information Gathering

From HackOps

Passive Reconnaissance

Passive techniques involve no direct interaction with the target system. They rely on publicly available data and are therefore less likely to trigger the target's detection mechanisms.


Tools

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches web data and HTTP content for passive analysis)

Websites

  • archive.org (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
  • who.is (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
  • pipl.com (search engine for people; useful for gathering names, emails, usernames, and social profiles)
  • Google Admin Toolbox (analyzes email headers to trace delivery path, delays, and authentication status)
  • MXToolbox Email Header Analyzer (visualizes full email route and identifies source IPs for investigation)
  • Google Cache (view cached versions of websites indexed by Google)
  • CachedView (aggregates cached versions from Google, Bing, and Wayback Machine)
  • urlscan.io (analyzes and stores scans of websites, including headers, scripts, and requests)
  • crt.sh (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
  • publicwww.com (search source code of websites for keywords, scripts, or analytics IDs)

Exposed Devices & Open Feeds

  • insecam.org (lists publicly accessible IP cameras with default or no credentials)

Active Reconnaissance

Active techniques involve sending packets to the target system and observing its responses. This can reveal detailed technical data, but the traffic reaches the target directly and may trigger logging or alerts.

Common Techniques

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r

Tools

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsmap (brute-force subdomain enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (active subdomain enumeration via multiple services)