Infrastructure

Last updated 3 years ago

Techniques

  • Enumerate site data, workflows, and third parties (hosting, CDN, mail, and SaaS providers the target depends on).

  • Google dork for PDFs and other documents, for example: site:some.com filetype:pdf (repeat for docx, xlsx, pptx; these files carry usernames, internal paths, and software versions in their metadata).

  • Grab subdomains, URL parameters, and internal linking from the site itself.

  • LinkedIn and other social media: employee names, roles, and the technologies people mention in their profiles.

  • DUNS and CAGE or NCAGE codes are helpful for finding information on businesses worldwide. Search the business at https://www.sam.gov/SAM/. Depending on what it does, it may show up there and in other public procurement databases.

  • https://www.sec.gov/edgar.shtml: filings disclose mergers, acquisitions, partnerships, and third parties, from which you can start building a picture of the technologies and infrastructure the target is likely to run. Handy later in the pentest and for social engineering.

  • Job postings and job boards reveal teams, hierarchy, projects, and tools: LinkedIn, Indeed, Monster, CareerBuilder, Glassdoor, SimplyHired, Dice.

  • Crunchbase is a community-edited business database (anyone can edit it, so verify what you find). Inc.com can show company resource and finance information.

  • FOCA [https://www.elevenpaths.com/innovation-labs/tools/foca] runs the file-type dorks for you, downloads the documents it finds, and extracts their metadata to look for usernames, software versions, and internal names.

  • theHarvester uses popular search engines to gather users, domains, hosts, and emails:

    theharvester -d some.com -l 100 -b google

    -d is the target domain, -l limits the number of results, and -b selects the source (google, bing, linkedin, and so on). Mix sources to get full coverage, since some provide more than others; LinkedIn in particular gives good user lists.

  • archive.org (the Wayback Machine) lets you view cached versions of a site; captures go back to 1996, so old snapshots can expose retired hosts, paths, and technologies.
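The file-type dorks and FOCA-style metadata extraction above, as an added example written for this page (it is not code from HackBook.io, FOCA, or theHarvester). Office Open XML documents are zip archives whose docProps/core.xml and docProps/app.xml parts carry the author, last-modified-by name, producing application and version, and sometimes the company; the script builds the search queries, pulls those fields out of any docx/xlsx/pptx, and aggregates users and software across a batch. The .docx it parses is constructed in memory so it runs offline; every name and value in it is made up.

```python
"""FOCA-style document metadata harvesting (added example, sample data only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (output key, zip part holding it, XPath inside that part) for the fields worth harvesting
FIELDS = [
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("app_version", "docProps/app.xml", "ep:AppVersion"),
    ("company", "docProps/app.xml", "ep:Company"),
]


def dorks_for(domain, filetypes=("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")):
    """Search queries to run (by hand or via FOCA) to find the target's published documents."""
    return ["site:%s filetype:%s" % (domain, ft) for ft in filetypes]


def extract_ooxml_metadata(data):
    """Return the recon-relevant property fields of one OOXML document (bytes)."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {}
        for key, part, path in FIELDS:
            if part not in parts:
                try:
                    parts[part] = ET.fromstring(z.read(part))
                except KeyError:          # this document has no such part
                    parts[part] = None
            root = parts[part]
            el = root.find(path, NS) if root is not None else None
            if el is not None and el.text and el.text.strip():
                meta[key] = el.text.strip()
    return meta


def summarize(docs):
    """Aggregate usernames, software, and organisation names across many documents.

    docs maps a filename to the dict returned by extract_ooxml_metadata().
    """
    users, software, companies = set(), set(), set()
    for meta in docs.values():
        users.update(meta[k] for k in ("creator", "last_modified_by") if k in meta)
        if "application" in meta:
            software.add((meta["application"] + " " + meta.get("app_version", "")).strip())
        if "company" in meta:
            companies.add(meta["company"])
    return {"users": sorted(users), "software": sorted(software),
            "companies": sorted(companies)}


def build_sample_docx():
    """Constructed minimal .docx for the demo; not a real file from any target."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>ACME\\mjones</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-04T10:11:12Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2019-05-06T08:09:10Z</dcterms:modified>'
        '</cp:coreProperties>' % NS
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<Company>Some Corp</Company><AppVersion>16.0000</AppVersion></Properties>' % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(dorks_for("some.com")))
    meta = extract_ooxml_metadata(build_sample_docx())
    print(meta)
    print(summarize({"report.docx": meta}))
```

The lastModifiedBy value is the interesting one in practice: it is frequently a DOMAIN\user string, which gives you both the internal domain name and the username format for later password attacks. Feed real downloads in with open(path, "rb").read() in place of build_sample_docx().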

Whois:

Can be done from the CLI or a web GUI. Uses the whois protocol (TCP port 43) to query domain registration data: registrar, creation and expiry dates, name servers, and registrant or abuse contact details (registrant contacts are often redacted by privacy services, but the abuse contact and name servers usually are not). From the CLI:

    # whois google.com
    > whois.exe google.com

Web GUI: whois.domaintools.com
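The port 43 exchange described above, as an added example written for this page (not HackBook.io's code or any whois client's). whois_query() does the raw protocol: connect to TCP 43, send the query terminated by CRLF, read until the server closes. whois_lookup() starts at IANA and follows the refer: / Registrar WHOIS Server: referral down to the registrar, since the registry reply for a .com is thin. parse_whois() extracts the recon fields and flags privacy-redacted ones; it runs on SAMPLE_REPLY, a constructed reply in which every hostname, date, and contact is made up, so nothing contacts the network unless you call whois_lookup() yourself.

```python
"""Whois over TCP/43 plus a reply parser (added example; sample reply is constructed)."""
import re
import socket


def whois_query(query, server, port=43, timeout=10.0):
    """Raw whois exchange: one query line out, reply until EOF back."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_lookup(domain, max_hops=3):
    """Start at IANA and follow referrals; returns the last (most detailed) reply."""
    server, reply = "whois.iana.org", ""
    for _ in range(max_hops):
        reply = whois_query(domain, server)
        nxt = parse_whois(reply).get("refer")
        if not nxt or nxt.lower() == server.lower():
            break
        server = nxt
    return reply


# Field name -> regex applied per line, case-insensitive. Registry and registrar
# replies differ in wording, so the patterns are deliberately permissive.
FIELDS = {
    "refer": r"^(?:refer|whois|Registrar WHOIS Server):\s*(\S+)",
    "registrar": r"^Registrar:\s*(.+)$",
    "creation_date": r"^(?:Creation Date|Created):\s*(.+)$",
    "expiry_date": r"^(?:Registry Expiry Date|Expiry Date):\s*(.+)$",
    "registrant_org": r"^Registrant Organi[sz]ation:\s*(.+)$",
    "registrant_email": r"^Registrant Email:\s*(.+)$",
    "abuse_email": r"^Registrar Abuse Contact Email:\s*(.+)$",
}
PRIVACY = re.compile(r"redacted|privacy|proxy|whoisguard", re.I)


def parse_whois(text):
    """Pull the recon-relevant fields out of a whois reply."""
    out = {"name_servers": [], "redacted": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue                      # comments, legal notices, "last update" trailer
        m = re.match(r"^(?:Name Server|nserver):\s*(\S+)", line, re.I)
        if m:
            ns = m.group(1).lower().rstrip(".")   # normalise case and trailing dot
            if ns not in out["name_servers"]:
                out["name_servers"].append(ns)
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line, re.I)
            if m:
                value = m.group(1).strip()
                out.setdefault(key, value)        # first occurrence wins
                if PRIVACY.search(value) and key not in out["redacted"]:
                    out["redacted"].append(key)
                break
    return out


# Constructed reply modelled on a .com registry answer; all values are made up.
SAMPLE_REPLY = """\
Domain Name: SOME.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, LLC
Creation Date: 2004-02-11T00:00:00Z
Registry Expiry Date: 2026-02-11T00:00:00Z
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Organization: Some Corp
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.SOME.COM
Name Server: NS2.SOME.COM
Name Server: ns1.some.com.
>>> Last update of whois database: 2021-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    for key, value in parse_whois(SAMPLE_REPLY).items():
        print("%-17s %s" % (key, value))
```

Run it as-is to see the parsed sample; call whois_lookup("some.com") for a live query. The name servers and creation date are the fields that matter for recon even when contacts are redacted: the NS hosts tell you who runs DNS (and whether it is the target itself), and a recent creation date on a look-alike domain is a phishing indicator.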

NetCraft:

https://searchdns.netcraft.com lists the visible hostnames under a domain, and the site report for each host gives:

  • OS

  • Web server version

  • Up-time graph

  • Server history (hosting providers, netblocks, and software over time)

  • Mail sender authentication (DMARC, DKIM, and related records), which tells you whether mail claiming to come from the domain can be spoofed

DNSDumpster

Web GUI: https://dnsdumpster.com

Discovers hosts related to a domain and prints their DNS records (NS, MX, TXT, and A/host records) together with the IP, reverse DNS, and netblock owner of each host. Non-intrusive, passive OSINT: it answers from its own collected data rather than querying the target's name servers. Example target used on this page: hackthebox.eu.

Maltego:

Searches thousands of data sources and can transform data found in one location into queries against another. For example, enter an email address, transform it into phone numbers, addresses, and so on, then search again for matches to those new data points, pivoting outward until the graph covers the target's people and infrastructure.

Run the DNS transforms on a domain to get its visible subdomains. For each server you can get:

  • DNS Servers

  • Name Server Records

  • Record Maps