Information Gathering: Difference between revisions

From HackOps
No edit summary
No edit summary
 
Line 13: Line 13:


=== Tools ===
=== Tools ===
* [[theHarvester]]
* [[theHarvester]] (collects emails, subdomains, hosts, and metadata)
* [[Recon-ng]]
* [[Recon-ng]] (web reconnaissance framework)
* [[SpiderFoot]]
* [[SpiderFoot]] (automated OSINT and reconnaissance tool)
* [[Maltego]]
* [[Maltego]] (data mining and link analysis)
* [[FOCA]] (for metadata extraction)
* [[FOCA]] (metadata extraction from documents)
* [[GitHub Dorking Tools]]
* [[GitHub Dorking Tools]] (search for leaked data on GitHub)
* [[curl]] (fetches web data and HTTP content for passive analysis)


== Active Reconnaissance ==
== Active Reconnaissance ==
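Review bot: the new `curl` entry, described as "fetches web data and HTTP content for passive analysis", is placed in the Passive Reconnaissance tool list, yet the section itself defines passive techniques as involving no direct interaction with the target system; an HTTP request to the target's own web server is direct interaction and is recorded in its access logs. Either qualify the entry so it clearly refers to retrieving data from third-party sources, or move it to the Active Reconnaissance tool list alongside whatweb and Nikto.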
Line 31: Line 32:
* Detecting WAFs, proxies, or CDNs
* Detecting WAFs, proxies, or CDNs
* Enumerating services like SMB, FTP, HTTP, SNMP
* Enumerating services like SMB, FTP, HTTP, SNMP
* Fuzzing web directories and parameters to discover hidden content
* DNS queries using tools like `dig` and `host`
* Subdomain enumeration with tools such as [[Amass]] and [[Sublist3r]]


=== Tools ===
=== Tools ===
* [[Nmap]]
* [[Nmap]] (network scanner for port and service discovery)
* [[Masscan]]
* [[Masscan]] (high-speed port scanner)
* [[Amass]]
* [[Amass]] (subdomain enumeration and attack surface mapping)
* [[dnsenum]]
* [[dnsenum]] (DNS enumeration tool)
* [[whatweb]]
* [[dnsrecon]] (DNS reconnaissance tool)
* [[Netcat]]
* [[dig]] (DNS lookup utility)
* [[Nikto]]
* [[host]] (DNS lookup utility)
* [[Wappalyzer]]
* [[whatweb]] (web technology fingerprinting)
 
* [[Netcat]] (network utility for reading/writing data over connections)
== Hybrid / Semi-Passive Techniques ==
* [[Nikto]] (web server scanner for vulnerabilities)
 
* [[Wappalyzer]] (detects technologies used on websites)
Some techniques blur the line between passive and active.
* [[ffuf]] (web fuzzing tool for content discovery)
 
* [[Sublist3r]] (active subdomain enumeration via multiple services)
* Certificate Transparency Log monitoring (e.g. [[crt.sh]])
* Passive DNS databases
* Third-party subdomain enumeration (without DNS queries)
* Crawling public GitHub issues for leaked credentials
* Using APIs to gather external data (e.g. [[SecurityTrails]], [[Shodan API]])
 
== Structuring Your Recon ==
A common workflow combines both passive and active methods:
 
1. **Start passive:** collect domains, emails, tech stack, leaked info 
2. **Enumerate targets:** subdomains, IPs, related infrastructure 
3. **Engage actively:** scan ports, fingerprint services, probe for weaknesses 
4. **Document everything:** maintain structured notes and timestamps
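Review bot: the "Hybrid / Semi-Passive Techniques" and "Structuring Your Recon" sections appear on only one side of this diff and are missing from the rendered latest revision below, and neither revision carries an edit summary explaining the removal. Those sections are the only place the page covers Certificate Transparency log monitoring, passive DNS databases, and the passive-then-active workflow, so if the removal was unintended, restore them; if it was intended, say so in the edit summary. Separately, the new Sublist3r entry is labelled "active subdomain enumeration via multiple services" while the removed section classified third-party subdomain enumeration without DNS queries as semi-passive, so the two descriptions should be reconciled.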

Latest revision as of 23:07, 16 May 2025

Passive Reconnaissance

Passive techniques involve no direct interaction with the target system. They rely on publicly available data and are less likely to trigger detection mechanisms.

Common Techniques

  • Monitoring public websites and content (company pages, blogs, changelogs)
  • Analyzing social media presence of employees or departments
  • Querying DNS and WHOIS records using tools like whois, dnsdumpster, crt.sh
  • Reviewing pastebin dumps and breach databases
  • Harvesting metadata from exposed documents and images
  • Searching public repositories (GitHub leaks, internal code or config files)
  • Mapping infrastructure using Shodan and Censys

Tools

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches web data and HTTP content for passive analysis)

Active Reconnaissance

Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

Common Techniques

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r

Tools

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (active subdomain enumeration via multiple services)