Information Gathering: Difference between revisions

From HackOps
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
 
(6 intermediate revisions by one other user not shown)
Line 3: Line 3:
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.


=== Common Techniques ===
Hi there,
* Monitoring public websites and content (company pages, blogs, changelogs)
 
* Analyzing social media presence of employees or departments
We run a Youtube growth service, where we can increase your subscriber count safely and practically.
* Querying DNS and WHOIS records using tools like [[whois]], [[dnsdumpster]], [[crt.sh]]
 
* Reviewing pastebin dumps and breach databases
- Gain 700-1500+ real, human subscribers who subscribe because they are interested in your channel/videos.
* Harvesting metadata from exposed documents and images
- Safe: All actions are done, without using any automated tasks / bots.
* Searching public repositories (GitHub leaks, internal code or config files)
- Channel Creation: If you haven't started your YouTube journey yet, we can create a professional channel for you as part of your initial order.
* Mapping infrastructure using [[Shodan]] and [[Censys]]
 
Our price is just $60 (USD) per month and we can start immediately.
 
Would a free trial be of interest?
 
Kind regards,
Jess


=== Tools ===
=== Tools ===
Line 24: Line 30:


* [https://archive.org archive.org] (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
* [https://archive.org archive.org] (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
* [https://who.is who.is] (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
* [https://pipl.com pipl.com] (search engine for people; useful for gathering names, emails, usernames, and social profiles)
* [https://toolbox.googleapps.com/apps/messageheader/ Google Admin Toolbox] (analyzes email headers to trace delivery path, delays, and authentication status)
* [https://mxtoolbox.com/EmailHeaders.aspx MXToolbox Email Header Analyzer] (visualizes full email route and identifies source IPs for investigation)
* [https://webcache.googleusercontent.com Google Cache] (view cached versions of websites indexed by Google)
* [https://webcache.googleusercontent.com Google Cache] (view cached versions of websites indexed by Google)
* [https://cachedview.com CachedView] (aggregates cached versions from Google, Bing, and Wayback Machine)
* [https://cachedview.com CachedView] (aggregates cached versions from Google, Bing, and Wayback Machine)
Line 29: Line 39:
* [https://crt.sh crt.sh] (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
* [https://crt.sh crt.sh] (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
* [https://publicwww.com publicwww.com] (search source code of websites for keywords, scripts, or analytics IDs)
* [https://publicwww.com publicwww.com] (search source code of websites for keywords, scripts, or analytics IDs)
=== Exposed Devices & Open Feeds ===
* [http://www.insecam.org insecam.org] (lists publicly accessible IP cameras with default or no credentials)




Line 51: Line 65:
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[dnsenum]] (DNS enumeration tool)
* [[dnsenum]] (DNS enumeration tool)
* [[dnsmap]] (brute-force subdomain enumeration tool)
* [[dnsrecon]] (DNS reconnaissance tool)
* [[dnsrecon]] (DNS reconnaissance tool)
* [[dig]] (DNS lookup utility)
* [[dig]] (DNS lookup utility)

Latest revision as of 04:24, 3 June 2025

Passive Reconnaissance[edit | edit source]

Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.

Hi there,

We run a Youtube growth service, where we can increase your subscriber count safely and practically.

- Gain 700-1500+ real, human subscribers who subscribe because they are interested in your channel/videos. - Safe: All actions are done, without using any automated tasks / bots. - Channel Creation: If you haven't started your YouTube journey yet, we can create a professional channel for you as part of your initial order.

Our price is just $60 (USD) per month and we can start immediately.

Would a free trial be of interest?

Kind regards, Jess

Tools[edit | edit source]

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches web data and HTTP content for passive analysis)

Websites[edit | edit source]

  • archive.org (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
  • who.is (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
  • pipl.com (search engine for people; useful for gathering names, emails, usernames, and social profiles)
  • Google Admin Toolbox (analyzes email headers to trace delivery path, delays, and authentication status)
  • MXToolbox Email Header Analyzer (visualizes full email route and identifies source IPs for investigation)
  • Google Cache (view cached versions of websites indexed by Google)
  • CachedView (aggregates cached versions from Google, Bing, and Wayback Machine)
  • urlscan.io (analyzes and stores scans of websites, including headers, scripts, and requests)
  • crt.sh (shows historical SSL/TLS certificates issued for a domain; useful for subdomain discovery)
  • publicwww.com (search source code of websites for keywords, scripts, or analytics IDs)

Exposed Devices & Open Feeds[edit | edit source]

  • insecam.org (lists publicly accessible IP cameras with default or no credentials)


Active Reconnaissance[edit | edit source]

Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

Common Techniques[edit | edit source]

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r

Tools[edit | edit source]

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsmap (brute-force subdomain enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (active subdomain enumeration via multiple services)
Retrieved from "https://hackops.wiki/index.php?title=Information_Gathering&oldid=164"