Infrastructure

Techniques

  • Enumerate site data, workflows, and third parties

  • Google dork for PDFs and other files, e.g. site:some.com filetype:pdf

  • Gather subdomains, parameters, and internal links

  • LinkedIn/social media

  • DUNS and CAGE or NCAGE codes are helpful for finding information on global businesses. Search for the business at https://www.sam.gov/SAM/; depending on what it does it may show up there, and it may also appear in other public databases.

  • https://www.sec.gov/edgar.shtml: by finding mergers, acquisitions, partnerships, and third parties you can start building a picture of what technologies and infrastructure they might have. This is handy later in the pentest and also for social engineering.

  • Job postings and job boards reveal teams, hierarchy, projects, and tools: LinkedIn/Indeed/Monster/CareerBuilder/Glassdoor/SimplyHired/Dice

  • Crunchbase is a wiki for businesses; anyone can edit it. Inc.com can show company resource/finance information.

  • FOCA [https://www.elevenpaths.com/innovation-labs/tools/foca] will Google-dork scan for files, download them for you, and extract file metadata to look for information in it.

  • theHarvester uses popular search engines to gather users, domains, hosts, and emails: theharvester -d some.com -l 100 -b google

    // -d target, -l limit results, -b search engine (bing, linkedin, etc.). It is best to mix platforms to get full results, since some provide more information than others; LinkedIn, for example, will give you good user lists.

  • archive.org lets you view cached versions of a site, going all the way back to 2004.

Whois:

Can be done from the CLI or a web GUI. Uses the whois protocol (port 43) to query domain ownership and get some IPs and contact info. #whois google.com or >whois.exe google.com. Web GUI: whois.domaintools.com
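As an added example (not from the original notes), a minimal whois client in Python that speaks the port-43 protocol described above and parses the key/value reply into a dict. The sample reply and the domain in it are constructed, and whois.iana.org is assumed as the default server.

```python
import socket

# Constructed sample of a whois reply, not real registry data; only the
# "Key: value" layout is representative of what a port-43 server returns.
SAMPLE_REPLY = """\
% Constructed sample response for illustration
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, LLC
Updated Date: 2023-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
Registrant Email: hostmaster@example.test
>>> Last update of whois database: 2023-08-14T07:01:31Z <<<
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments and the trailing footer carry no record data
        key, sep, value = line.partition(":")  # split on the FIRST colon only
        if not sep or not value.strip():
            continue
        key = key.strip().lower()
        value = value.strip()
        if key in fields:
            if isinstance(fields[key], list):
                fields[key].append(value)
            else:
                fields[key] = [fields[key], value]
        else:
            fields[key] = value
    return fields

def whois_query(domain, server="whois.iana.org", timeout=10):
    """Raw whois protocol: open TCP/43, send '<query>\\r\\n', read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection when the reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")
```

Run `parse_whois(whois_query("example.com"))` for a live lookup, or `parse_whois(SAMPLE_REPLY)` to see the parsed structure offline; the IANA server replies with a referral (`refer:` key) to the registry that holds the authoritative record.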

NetCraft:

https://searchdns.netcraft.com gets visible subdomains. For each server you can get:

  • OS

  • Web server version

  • Up-time graph

  • Server history

  • Send email as DMARC/DKIM/stl

DNSDumpster:

Web GUI:

Will discover hosts related to a domain and print out their records (non-intrusive/passive OSINT). Example for hackthebox.eu:

Maltego:

Searches thousands of data sources and can transform data found in one location into queries against another. For example, you can enter an email address, transform it into phone/address/etc., then search again for matches to those data points.
