Information Gathering
== Passive Reconnaissance ==
Passive techniques involve no direct interaction with the target system. They rely on publicly available data and are less likely to trigger detection mechanisms.

=== Tools ===
* [[theHarvester]] (collects emails, subdomains, hosts, and metadata)
* [[Recon-ng]] (web reconnaissance framework)
* [[SpiderFoot]] (automated OSINT and reconnaissance tool)
* [[Maltego]] (data mining and link analysis)
* [[FOCA]] (metadata extraction from documents)
* [[GitHub Dorking Tools]] (search for leaked data on GitHub)
* [[curl]] (fetches web data and HTTP content for passive analysis)

=== Websites ===
* [https://archive.org archive.org] (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
* [https://who.is who.is] (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
* [https://pipl.com pipl.com] (search engine for people; useful for gathering names, emails, usernames, and social profiles)
* [https://toolbox.googleapps.com/apps/messageheader/ Google Admin Toolbox] (analyzes email headers to trace delivery path, delays, and authentication status)
* [https://mxtoolbox.com/EmailHeaders.aspx MXToolbox Email Header Analyzer] (visualizes full email route and identifies source IPs for investigation)
* [https://webcache.googleusercontent.com Google Cache] (view cached versions of websites indexed by Google)
* [https://cachedview.com CachedView] (aggregates cached versions from Google, Bing, and Wayback Machine)
* [https://urlscan.io urlscan.io] (analyzes and stores scans of websites, including headers, scripts, and requests)
* [https://crt.sh crt.sh] (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
* [https://publicwww.com publicwww.com] (search source code of websites for keywords, scripts, or analytics IDs)

=== Exposed Devices & Open Feeds ===
* [http://www.insecam.org insecam.org] (lists publicly accessible IP cameras with default or no credentials)

== Active Reconnaissance ==
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

=== Common Techniques ===
* Scanning open ports using [[Nmap]] or [[Masscan]]
* Banner grabbing to identify services
* OS fingerprinting using TCP/IP stack behavior
* DNS zone transfers and brute-forcing with [[dnsrecon]] or [[dnsenum]]
* Detecting WAFs, proxies, or CDNs
* Enumerating services like SMB, FTP, HTTP, SNMP
* Fuzzing web directories and parameters to discover hidden content
* DNS queries using tools like <code>dig</code> and <code>host</code>
* Subdomain enumeration with tools such as [[Amass]] and [[Sublist3r]]

=== Tools ===
* [[Nmap]] (network scanner for port and service discovery)
* [[Masscan]] (high-speed port scanner)
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[dnsenum]] (DNS enumeration tool)
* [[dnsmap]] (brute-force subdomain enumeration tool)
* [[dnsrecon]] (DNS reconnaissance tool)
* [[dig]] (DNS lookup utility)
* [[host]] (DNS lookup utility)
* [[whatweb]] (web technology fingerprinting)
* [[Netcat]] (network utility for reading/writing data over connections)
* [[Nikto]] (web server scanner for vulnerabilities)
* [[Wappalyzer]] (detects technologies used on websites)
* [[ffuf]] (web fuzzing tool for content discovery)
* [[Sublist3r]] (active subdomain enumeration via multiple services)
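
The Active Reconnaissance section notes that probing a target may trigger logging or alerts. The following is an added example, not part of the original page, showing what that looks like from the defender's side: a sliding-window check that flags a source touching many distinct ports on one host. The log format, field names, thresholds and addresses are constructed assumptions, not the output of any particular firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T12:00:00Z SRC=198.51.100.20 DST=192.0.2.10 DPT=443 FLAGS=SYN
2024-05-01T12:00:01Z SRC=203.0.113.7 DST=192.0.2.10 DPT=21 FLAGS=SYN
2024-05-01T12:00:01Z SRC=203.0.113.7 DST=192.0.2.10 DPT=22 FLAGS=SYN
2024-05-01T12:00:02Z SRC=203.0.113.7 DST=192.0.2.10 DPT=23 FLAGS=SYN
2024-05-01T12:00:02Z SRC=203.0.113.7 DST=192.0.2.10 DPT=25 FLAGS=SYN
2024-05-01T12:00:03Z SRC=203.0.113.7 DST=192.0.2.10 DPT=80 FLAGS=SYN
2024-05-01T12:00:03Z SRC=203.0.113.7 DST=192.0.2.10 DPT=443 FLAGS=SYN
truncated line without fields
2024-05-01T12:05:00Z SRC=198.51.100.20 DST=192.0.2.10 DPT=80 FLAGS=SYN
"""

# Only well-formed SYN records match; anything else is ignored.
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=SYN$")

def parse(log_text):
    """Yield (time, src, dst, port) for well-formed SYN lines; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, m.group(2), m.group(3), int(m.group(4))

def detect_port_sweeps(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Map (src, dst) to the ports seen when src first hit min_ports in one window."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1  # drop events that fell out of the time window
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
                break
    return alerts

if __name__ == "__main__":
    print(detect_port_sweeps(SAMPLE_LOG))
```

The ordinary client at 198.51.100.20 touches only two ports minutes apart and is not flagged; <code>min_ports</code> and <code>window</code> need tuning against normal traffic before such a rule is used for alerting.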