OSINT & Recon Primer

Other methodologies

External Recon Methodology

Do you use Hacktricks every day ? Did you find the book very ? Would you like to so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more! useful with cybersecurity questions?

book.hacktricks.xyz

Recon methods

Recon Process - Knowledge Base

Ideally you're going to be wanting to choose a program that has a wide scope. You're also going to be wanting to look for a bounty program that has a wider range of vulnerabilities within scope. Mining information about the domains, email servers and social network connections.

mavericknerd.github.io

Web Recon Engagements:

To-Do:

Domain enumeration
Fuzzing methodology

Add:

Custom Scripts

Add quick tool usage:

amass
assetfinder
internetdb
curl API → https://sonar.omnisint.io/subdomains/$DOMAIN

GENERAL ENGAGEMENT

Rules: Understand the scope
Use a cloud env -> Bandwidth: AWS/Digital Ocean

General Setup

INFRA:

Cloud env -> Bandwidth / ISP problems: AWS/DO

DO ~0.35 USD / hr (~$60 mxn / 8hr && ~250USD/Mo) 32GB/8vCPUs/6TB-bandwidth/100GB-SSD

Tools: Dump lists of tools to automate a bash script & Install stuff (apt install & git clone)

Subdomain enumeration

crt.sh -> curl https://crt.sh/?q=target.domain&output=json ó:

curl -s https://crt.sh/\\?q\\=\\%.target.com\\&output\\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u censys -> Digital Certificates

HAVEN’T TESTED:

webscreenshot
Photon (Subdomain ennum, internal links, keys, etc.)
metasploit
sublist3r
Nahamsec's Lazyrecon
Tib3rius' autorecon
ffuf - codingo tutorial
Nuclei
Recon-ng

DNS Pentesting

DNS Transfer

DNS hacking (beginner to advanced) | Infosec Resources

DNS is a naming system for computers that converts human-readable domain names e.g. (infosecinstitute.com) into computer-readable IP-addresses. However, some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. This forms an important step of the Information Gathering stage during a penetration test or vulnerability assessment.

resources.infosecinstitute.com

DNS hacking (beginner to advanced) | Infosec Resources

Email Tools

Check DKIM without knowing the DKIM Selector → Check “Detect all selectors”

DKIM Record Checker - DKIM tools | EasyDMARC

The domain owner generates a public/private key pair to be used for signing outgoing messages. Private keys are stored on the email server, while public keys are implemented in the domain's DNS server. Upon sending emails, the server uses the stored private key to generate a digital signature of the message, which will be inserted in the message header.

easydmarc.com

DKIM Record Checker - DKIM tools | EasyDMARC

HOSTS - Enumeration & Port Scanning

‣

Nmap

‣

Threader3000

‣

Shodan (Document this more)

‣

RustScan

‣

Netcat

‣

Masscan

HTTP/S webscreenshot:

Extract IP addresses (1 outfile for every port)

Filter results for port 80, 443, 8080, etc. (Only extract IP addresses that have p. 80 open) > http_ips.txt, https_ips.txt, etc.

Filter for not_http_ips.txt

Run webscreenshot:

Dependencies: sudo apt install phantomjs

xvfb-run webscreenshot --no-xserver --renderer-binary $(which phantomjs) -s -r phantomjs -i https_ips.txt -p 80 -o mytarget_screenshots_80
# -s for SSL, http only fails if this flag is not used

URL Scanners

urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

urlscan.io

Web Scanners

Geekflare: Several security testing tools (Wordpress scans, TLS, etc.)

gf.dev

Net tools (Anonymous)

Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6

Check your network path with our simple visual traceroute. Use our icmp ping and traceroute to check your servers. Use our nslookup utility to grab dns records, including mx records. Do global domain searches, look up internic whois records, and query the arin database with our automatic whois lookup.

centralops.net

Web Security Mindmap:

Quick Recons + OSINT

dnslytics.com

Reverse IP lookup

OSINT Recon Tool

This is a tool that helps you to perform online OSINT reconnaissance.

recontool.org

recon.cloud - Manage Your Attack Surface

recon.cloud

Cloud Recon (Good)

GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. Currently enumerates the following: Amazon Web Services: Open / Protected S3 Buckets awsapps (WorkMail, WorkDocs, Connect, etc.)

github.com

GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

🔥🔥🔥🔥🔥

FullHunt | Expose Your Attack Surface

FullHunt is the attack surface database of the entire Internet. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.

fullhunt.io

Shodan alt - Check API python

spyse.com

Domain, org, IP, AS, etc. fingerprinting - Check Python API API python🔗

Google Hacking - Free Google Dorks for Recon

Every penetration test should start with a passive reconnaissance phase. Since public search engines have gathered huge amounts of information about almost every website from the Internet, it is a good idea to make some queries and get this information from them. Very often you will find sensitive information or data that is not supposed to be public.

pentest-tools.com

Google Hacking - Free Google Dorks for Recon

Auto - Google Dorking

Investigator

The Recon tool- Tool that will make the first phase of hacking simple. Reconaissance tool that can be used for penetration testing, bug bounty.

abhijithb200.github.io

Auto scraping, auto Dorking,

Threat Intelligence Platform (TIP) | Integrate #1 Cyber Threat Intel APIs

Threat Intelligence Platform combines several threat intelligence sources to provide in-depth insights on threat hosts and attack infrastructure. Correlating threat information from various feeds with our exhaustive in-house databases, a result of 10+ years of data crawling, the platform performs real-time host configuration analyses to come up with actionable threat intelligence that is vital in detection, mitigation, and remediation.

threatintelligenceplatform.com

Threat Intelligence Platform (TIP) | Integrate #1 Cyber Threat Intel APIs

Quick Recon

Threat Crowd | Threatcrowd.org Open Source Threat Intelligence

www.threatcrowd.org

📍 Central Recon

Host: 104.22.36.154

Note: if you are new to ThreatMiner, check out the how-to page to find out how you can get the most out of this portal. Reports, passive DNS (pDNS) records, Uniform Resource Locators (URLs) and malware samples associated with 104.22.36.154. Geolocation Map of the location associated with 104.22.36.154.

www.threatminer.org

Another central | OTX, etc. + Security Trails

dnsdumpster.com

DNS DUMPSTER

viewdns.info

DNS Recon (GOOD) → toolset

Threat Intelligence - Pulsedive

View ports, protocols, web technologies, WHOIS, DNS, HTTP headers, meta tags, region, malware, threats, feeds, and other threat intelligence for free.

pulsedive.com

Haven't tested it

ImmuniWeb® - Web and Mobile Security Testing, Application Penetration Testing, Security Ratings

"ImmuniWeb disrupts traditional application security testing by delivering web and mobile application testing augmented with proprietary machine-learning technology and human testing." "ImmuniWeb has woven together machine learning with its own expert testers to confidently offer unique zero false positive SLA."

www.immuniweb.com

ImmuniWeb® - Web and Mobile Security Testing, Application Penetration Testing, Security Ratings

SSL TEST (Seems better than Qualys & sslscan)

WAF Bypassing & Info

Cloudflair:

git clone https://github.com/christophetd/cloudflair.git
cd cloudflair
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

export CENSYS_API_ID=...
export CENSYS_API_SECRET=...
python cloudflair.py myvulnerable.site

Uncovering CloudFlare

Checklist - Local Windows Privilege Escalation

book.hacktricks.xyz

2021: crimeflare ya no existe

General Recon & Commands

lazyrecon.sh -d domain.mx

Using OWASP amass:

amass enum -d domain.org | tee domain.com.amassenum # Outfile

Parsing results

#!/bin/bash
# Input: amass enum results
# get output file from amass domain:ip and other results and only look for domains/subdomains, then probe for 
# response and write a new file
# (The output of amass is > domain ip,ip,ip)
#
# Note: This could be also useful for any input file containing domains/subdomains
#
DOMAIN=$1 # example.com
AMASS_FILE=$DOMAIN.amassenum # amass_outfile.txt (I normally use the format domain.com.amassenum for organization)
# Automatically enumerate with amass
amass enum -d $DOMAIN | tee $AMASS_FILE
#
cat $AMASS_FILE | grep $DOMAIN | awk '{print $1}' | httprobe | tee $AMASS_FILE.httprobed
# Then:
# (Clean http/https probes and sort results)
echo "------------------------------------------------"
cat $AMASS_FILE.httprobed | sed 's/http.*:\/\///g' | sort | uniq | tee $DOMAIN.amassenum.hosts

# TO-DO: Automate this and use only 1 output file instead of writing a file and reading it agan, 
# then writing another one. 
# But *.httprobed could be useful to see what methods the hosts accept

Using the Harvester

# Extract results from the Harvester, clean up http/https://, do an automatic nslookup
theHarvester -d domain.mx -b otx | httprobe | sed 's/.*:\/\///' | nslookup | grep 'name =' | awk '{print $NF}'

Curate theHarvester results

Recon-ng

Like MSFConsole,uses plugins

theHarvester -d domain.co -l 500 -b otx

arjun -u api-endpoint.example.com

Bruteforce HTTP methods

Subdomain-takeover

A Guide To Subdomain Takeovers

HackerOne's Hacktivity feed - a curated feed of publicly-disclosed reports - has seen its fair share of subdomain takeover reports. Since Detectify's fantastic series on subdomain takeovers, the bug bounty industry has seen a rapid influx of reports concerning this type of issue.

www.hackerone.com

The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix

The Bug Hunter's Methodology Full 2-hour Training by Jason HaddixTwitter: https://twitter.com/redteamvillage_Discord: https://discord.gg/redteamvillageWebsit...

www.youtube.com

The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix

~1:30 nuclei templates for subdomain takeover

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records.

"Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records. - GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records.

github.com

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records.

Intrigue Core + Amazon Elastic Search & Kibana (Old; intrigue is now unmaintained ~2021)

Scaling up - Automated Attack Surface Discovery With Intrigue Core by @jcran #NahamCon2020

Live Every Tuesday, Saturday and Sunday on Twitch:https://twitch.tv/nahamsecSlides:https://core.intrigue.io/Follow me on social media:https://twitter.com/nah...

www.youtube.com

Scaling up - Automated Attack Surface Discovery With Intrigue Core by @jcran #NahamCon2020

docker installling for specific plugins, or complete docker installation 👍