Information Gathering
Passive Reconnaissance
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.
Tools
- theHarvester (collects emails, subdomains, hosts, and metadata)
- Recon-ng (web reconnaissance framework)
- SpiderFoot (automated OSINT and reconnaissance tool)
- Maltego (data mining and link analysis)
- FOCA (metadata extraction from documents)
- GitHub Dorking Tools (search for leaked data on GitHub)
- curl (fetches web data and HTTP content for passive analysis)
Websites
- archive.org (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
- who.is (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
- pipl.com (search engine for people; useful for gathering names, emails, usernames, and social profiles)
- Google Admin Toolbox (analyzes email headers to trace delivery path, delays, and authentication status)
- MXToolbox Email Header Analyzer (visualizes full email route and identifies source IPs for investigation)
- Google Cache (view cached versions of websites indexed by Google)
- CachedView (aggregates cached versions from Google, Bing, and Wayback Machine)
- urlscan.io (analyzes and stores scans of websites, including headers, scripts, and requests)
- crt.sh (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
- publicwww.com (search source code of websites for keywords, scripts, or analytics IDs)
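Certificate transparency logs are one of the richest passive sources on this list: every publicly trusted certificate issued for a zone is recorded, so a crt.sh query over a domain returns hostnames without sending a packet to the target. The following script is an added example (it is not code from this page or from the crt.sh project) showing how a defender can turn such a result into an inventory of their own exposed hostnames. It assumes the key names crt.sh uses in its JSON output (`common_name`, `name_value`, `not_after`); the records embedded below are constructed for the example and are not real certificates. It normalises case and trailing dots, separates wildcard entries, keeps lookalike names that merely contain the zone string out of the host list, and reports hosts whose only certificates have expired (a hint that the name may be stale and worth checking against current DNS).

```python
"""Extract in-zone hostnames from a crt.sh-style JSON result (added example)."""
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (assumption: the keys
# common_name, name_value and not_after as crt.sh emits them). The records are
# invented for this example and are not real certificates.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2030-01-10T23:59:59"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2030-03-01T23:59:59"},
    {"common_name": "Dev.Example.com.",          # mixed case, trailing dot
     "name_value": "dev.example.com\nstaging.example.com\nstaging.example.com",
     "not_after": "2030-06-30T23:59:59"},
    {"common_name": "legacy-mail.example.com",   # only certificate has expired
     "name_value": "legacy-mail.example.com",
     "not_after": "2021-05-01T23:59:59"},
    {"common_name": "example.com.lookalike.test",  # contains the zone, not in it
     "name_value": "example.com.lookalike.test",
     "not_after": "2030-01-01T23:59:59"},
])


def _in_zone(name: str, zone: str) -> bool:
    """True only for the zone apex or a real child label, never a substring match."""
    return name == zone or name.endswith("." + zone)


def extract_hosts(crtsh_json: str, zone: str, now: datetime) -> dict:
    """Return sorted host lists derived from a crt.sh JSON result for `zone`."""
    zone = zone.lower().rstrip(".")
    latest_expiry = {}     # host -> latest not_after seen on any certificate
    wildcards = set()
    out_of_zone = set()

    for rec in json.loads(crtsh_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        # name_value holds newline-separated SANs; the CN may add one more name
        raw_names = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for raw in raw_names:
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]          # a wildcard still proves the base name exists
            if not _in_zone(name, zone):
                out_of_zone.add(name)
                continue
            if name not in latest_expiry or expiry > latest_expiry[name]:
                latest_expiry[name] = expiry

    return {
        "hosts": sorted(latest_expiry),
        "expired_only": sorted(h for h, e in latest_expiry.items() if e < now),
        "wildcards": sorted(wildcards),
        "out_of_zone": sorted(out_of_zone),
    }


def analyse_sample() -> dict:
    """Run the extraction over the constructed sample as of 2025-01-01."""
    return extract_hosts(SAMPLE_CRTSH_JSON, "example.com", datetime(2025, 1, 1))


if __name__ == "__main__":
    for key, values in analyse_sample().items():
        print(f"{key}: {values}")
```

To use this against live data, fetch `https://crt.sh/?q=%25.example.com&output=json` for a zone you are responsible for and pass the response body to `extract_hosts`; the `expired_only` list is the one to reconcile against DNS first, since a name that still resolves but has no valid certificate is a sign of a forgotten asset.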
Exposed Devices & Open Feeds
- insecam.org (lists publicly accessible IP cameras with default or no credentials)
Active Reconnaissance
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.
Common Techniques
- Scanning open ports using Nmap or Masscan
- Banner grabbing to identify services
- OS fingerprinting using TCP/IP stack behavior
- DNS zone transfers and brute-forcing with dnsrecon or dnsenum
- Detecting WAFs, proxies, or CDNs
- Enumerating services like SMB, FTP, HTTP, SNMP
- Fuzzing web directories and parameters to discover hidden content
- DNS queries using tools like `dig` and `host`
- Subdomain enumeration with tools such as Amass and Sublist3r
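The reason active techniques "may trigger logging or alerts" is that a port scan has a distinctive shape in firewall logs: one source touching many distinct ports on a host within seconds, which no ordinary client does. The script below is an added example (not code from this page or from any of the tools it lists) of the detection logic a defender would run over such logs. It assumes a simplified netfilter-style line format with `SRC=`, `DST=`, `PROTO=` and `DPT=` fields; the log lines embedded in it are constructed, with documentation addresses, and are not real traffic. It uses a sliding time window so that a burst of distinct ports is flagged while a normal client repeatedly hitting one port, or a handful of ports spread over an hour, is not.

```python
"""Flag likely port scans in constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified netfilter LOG style (assumption: the field
# names SRC=, DST=, PROTO= and DPT= as netfilter emits them). Addresses come from
# the documentation ranges and the traffic is invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21
2024-05-01T10:00:01 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
2024-05-01T10:00:02 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
2024-05-01T10:00:02 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=25
2024-05-01T10:00:03 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
2024-05-01T10:00:03 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:04 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=445
2024-05-01T10:00:04 FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
2024-05-01T10:00:05 FW-ACCEPT IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:09 FW-ACCEPT IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:14 FW-ACCEPT IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:05 FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT=22
2024-05-01T10:00:20 FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT=80
2024-05-01T10:30:00 FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T11:00:00 FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT=8080
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)"
)


def parse_lines(text: str) -> list:
    """Parse log text into (timestamp, src, dst, dport) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate noise rather than abort
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_port_scans(events: list, window_seconds: int = 60, min_ports: int = 5) -> dict:
    """Return {src: distinct (dst, port) targets} for sources that touched at
    least `min_ports` distinct targets within any `window_seconds` window."""
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_src[src].append((ts, (dst, dpt)))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()                        # timestamps first, so the window is contiguous
        best, left = 0, 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1                 # slide the window forward
            distinct = len({target for _, target in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            alerts[src] = best
    return alerts


def scan_sample() -> dict:
    """Run the detector over the constructed log with default thresholds."""
    return detect_port_scans(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for src, count in scan_sample().items():
        print(f"possible port scan from {src}: {count} distinct targets within 60s")
```

The window and threshold are the tuning knobs: lowering `window_seconds` and raising `min_ports` trades sensitivity to slow scans for fewer false positives from legitimate multi-port clients, and the `203.0.113.9` source in the sample shows why a per-window count, rather than a lifetime count, is needed to keep that trade-off explicit.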
Tools
- Nmap (network scanner for port and service discovery)
- Masscan (high-speed port scanner)
- Amass (subdomain enumeration and attack surface mapping)
- dnsenum (DNS enumeration tool)
- dnsmap (brute-force subdomain enumeration tool)
- dnsrecon (DNS reconnaissance tool)
- dig (DNS lookup utility)
- host (DNS lookup utility)
- whatweb (web technology fingerprinting)
- Netcat (network utility for reading/writing data over connections)
- Nikto (web server scanner for vulnerabilities)
- Wappalyzer (detects technologies used on websites)
- ffuf (web fuzzing tool for content discovery)
- Sublist3r (active subdomain enumeration via multiple services)