Information Gathering

From HackOps

Latest revision as of 04:24, 3 June 2025

Passive Reconnaissance

Passive techniques involve no direct interaction with the target system. They rely on publicly available data (search engines, certificate logs, web archives, registries) and on queries to third-party services rather than to the target itself, so they are less likely to trigger the target's detection mechanisms.

Common Techniques

  • Monitoring public websites and content (company pages, blogs, changelogs)
  • Analyzing social media presence of employees or departments
  • Querying DNS and WHOIS records using tools like whois, dnsdumpster, crt.sh
  • Reviewing pastebin dumps and breach databases
  • Harvesting metadata from exposed documents and images
  • Searching public repositories (GitHub leaks, internal code or config files)
  • Mapping infrastructure using Shodan and Censys

Tools

  • theHarvester (collects emails, subdomains, hosts, and metadata)
  • Recon-ng (web reconnaissance framework)
  • SpiderFoot (automated OSINT and reconnaissance tool)
  • Maltego (data mining and link analysis)
  • FOCA (metadata extraction from documents)
  • GitHub Dorking Tools (search for leaked data on GitHub)
  • curl (fetches HTTP content from third-party sources such as archives and public APIs; pointing it at the target's own hosts is active, not passive, reconnaissance)

Websites

  • archive.org (captures historical snapshots of websites; useful for discovering removed pages, old endpoints, and leaked data)
  • who.is (provides WHOIS lookup data including domain ownership, registrar, and DNS information)
  • pipl.com (search engine for people; useful for gathering names, emails, usernames, and social profiles)
  • Google Admin Toolbox (analyzes email headers to trace delivery path, delays, and authentication status)
  • MXToolbox Email Header Analyzer (visualizes full email route and identifies source IPs for investigation)
  • Google Cache (viewed cached versions of websites indexed by Google; Google retired the feature in 2024, so archive.org and CachedView are now the practical alternatives)
  • CachedView (aggregates cached versions from Google, Bing, and Wayback Machine)
  • urlscan.io (analyzes and stores scans of websites, including headers, scripts, and requests)
  • crt.sh (searches Certificate Transparency logs for every certificate issued for a domain, including expired ones; the Subject Alternative Name entries are a rich source of subdomains)
  • publicwww.com (search source code of websites for keywords, scripts, or analytics IDs)
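Certificate Transparency is the most reliable of the passive subdomain sources listed above, but the raw crt.sh output needs cleaning before it is useful: one certificate lists several names, wildcards and mixed case appear, and look-alike domains issued by someone else can slip into scope. The following is an added example, not code from the HackOps page or from crt.sh. The sample JSON is constructed to mimic the shape of crt.sh's `output=json` response; the hostnames in it are invented.

```python
"""Passive subdomain discovery from Certificate Transparency data.

Added example (not part of the HackOps page): reduces the JSON that crt.sh
returns for a query such as https://crt.sh/?q=%25.example.com&output=json
to a clean, de-duplicated set of in-scope hostnames.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape of crt.sh's JSON output (not real data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Mail.Example.com",
     "name_value": "Mail.Example.com\nautodiscover.example.com",
     "not_before": "2022-03-01T00:00:00", "not_after": "2023-03-01T23:59:59"},
    # A certificate for an unrelated look-alike domain; must not enter scope.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])


def hostnames_from_crtsh(raw_json: str, domain: str) -> set[str]:
    """Return the set of hostnames under `domain` seen in crt.sh JSON.

    - name_value holds one or more SANs separated by newlines; common_name
      is checked too because older certificates may carry no SAN list.
    - Wildcard names (*.dev.example.com) are kept with the '*.' stripped,
      since 'dev.example.com' is a real label worth resolving.
    - Names are lower-cased; DNS names in certificates are case-insensitive.
    - Anything that is not the domain itself or a label beneath it is
      dropped, so look-alikes such as example.com.evil-lookalike.net are
      excluded even though the string contains 'example.com'.
    - Expired certificates are deliberately kept: a host that once had a
      certificate may still be alive, or its name may still resolve.
    """
    domain = domain.lower().rstrip(".")
    found: set[str] = set()
    for entry in json.loads(raw_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def fetch_crtsh_json(domain: str, timeout: float = 30.0) -> str:
    """Query crt.sh for all certificates matching %.<domain>.

    This talks to crt.sh only, never to the target, which is what keeps the
    step passive. crt.sh rate-limits and can be slow; retries are left out.
    """
    query = urllib.parse.quote(f"%.{domain}", safe="")
    url = f"https://crt.sh/?q={query}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-subdomain-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_crtsh_json(domain)
    # for a live query.
    for host in sorted(hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")):
        print(host)
```

The suffix check is the part most often skipped in quick scripts, and it matters: a crt.sh query for `%.example.com` is a SQL LIKE pattern, so names that merely contain the string are returned and would otherwise be carried into an active phase against hosts that belong to someone else.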

Exposed Devices &amp; Open Feeds

  • insecam.org (lists publicly accessible IP cameras with default or no credentials)


Active Reconnaissance

Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.

Common Techniques

  • Scanning open ports using Nmap or Masscan
  • Banner grabbing to identify services
  • OS fingerprinting using TCP/IP stack behavior
  • DNS zone transfers and brute-forcing with dnsrecon or dnsenum
  • Detecting WAFs, proxies, or CDNs
  • Enumerating services like SMB, FTP, HTTP, SNMP
  • Fuzzing web directories and parameters to discover hidden content
  • DNS queries using tools like `dig` and `host`
  • Subdomain enumeration with tools such as Amass and Sublist3r
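Banner grabbing is the simplest of the active techniques above and the one that makes the passive/active distinction concrete: the moment a TCP connection is opened, the target can log it. The following is an added example, not code from the HackOps page or from any of the tools it lists. It connects to a port, reads whatever the service volunteers on connect, sends a harmless HTTP probe if the service stays silent, and classifies the result. Because the example must run without a real target, it includes a small in-process fake service on 127.0.0.1; the banner strings and the classification patterns are constructed and cover only SSH, FTP, SMTP and HTTP.

```python
"""Banner grabbing and simple service classification.

Added example (not part of the HackOps page). SSH, FTP and SMTP send a
greeting unprompted; HTTP waits for a request, so the grabber sends a
minimal probe when nothing arrives. A fake service is included so the
code runs offline; real fingerprinting (e.g. nmap -sV) uses far more probes.
"""
import re
import socket
import threading


def grab_banner(host: str, port: int, timeout: float = 3.0,
                probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n") -> str:
    """Connect to host:port and return the raw banner as text.

    First waits up to `timeout` for an unsolicited greeting. If nothing
    arrives, sends `probe` (a harmless HTTP HEAD) and reads once more.
    Every call here is logged by a target that watches connections.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        try:
            data = s.recv(1024)
        except socket.timeout:
            pass
        if not data:
            try:
                s.sendall(probe)
                data = s.recv(1024)
            except (socket.timeout, OSError):
                pass
        return data.decode("utf-8", errors="replace")


def classify_banner(banner: str) -> tuple[str, str]:
    """Map a raw banner to (service, version string); ('unknown', banner) if no match."""
    if banner.startswith("SSH-"):
        m = re.match(r"SSH-\d\.\d-(\S+)", banner)
        return ("ssh", m.group(1) if m else "")
    if banner.startswith("220"):
        # FTP and SMTP both greet with 220; SMTP greetings carry (E)SMTP.
        service = "smtp" if "SMTP" in banner.upper() else "ftp"
        return (service, banner[4:].strip())
    m = re.search(r"^HTTP/\d\.\d \d{3}.*?^Server:\s*(.+?)\r?$", banner, re.S | re.M)
    if m:
        return ("http", m.group(1).strip())
    return ("unknown", banner.strip())


def fingerprint(host: str, port: int, timeout: float = 3.0) -> dict:
    """Grab and classify in one step; returns a record suitable for a scan log."""
    banner = grab_banner(host, port, timeout)
    service, version = classify_banner(banner)
    return {"host": host, "port": port, "service": service,
            "version": version, "banner": banner}


def start_fake_service(banner: bytes, wait_for_request: bool = False) -> int:
    """Serve `banner` to one client on 127.0.0.1 and return the ephemeral port.

    Constructed stand-in for a target so the example runs offline. With
    wait_for_request=True it behaves like HTTP and only answers after a probe.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(5)
            if wait_for_request:
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
            conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demo against constructed banners (not real hosts).
    for banner, silent in [
        (b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n", False),
        (b"220 mail.example.test ESMTP Postfix\r\n", False),
        (b"HTTP/1.0 400 Bad Request\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n", True),
    ]:
        port = start_fake_service(banner, wait_for_request=silent)
        print(fingerprint("127.0.0.1", port, timeout=0.5))
```

Two practical caveats follow from the code. The silent-service fallback costs a full timeout per port, which is why scanners batch probes and why a low timeout on a slow link produces false "unknown" results. And the classification keys on free-text banners, which an operator can change or blank; treat the version string as a lead to verify, not as a finding.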

Tools

  • Nmap (network scanner for port and service discovery)
  • Masscan (high-speed port scanner)
  • Amass (subdomain enumeration and attack surface mapping)
  • dnsenum (DNS enumeration tool)
  • dnsmap (brute-force subdomain enumeration tool)
  • dnsrecon (DNS reconnaissance tool)
  • dig (DNS lookup utility)
  • host (DNS lookup utility)
  • whatweb (web technology fingerprinting)
  • Netcat (network utility for reading/writing data over connections)
  • Nikto (web server scanner for vulnerabilities)
  • Wappalyzer (detects technologies used on websites)
  • ffuf (web fuzzing tool for content discovery)
  • Sublist3r (subdomain enumeration via search engines and public services; passive by default, active only when its -b brute-force option is used)