OSINT
Asset Discovery & Reconnaissance
Techniques
- Scrape Stack Overflow posts for secrets: Stack Exchange Data Dump; Baking Flask cookies with your secrets
- Search the internet: Google, Shodan, GitHub, APIs.Guru and ProgrammableWeb
- Google Dorking: Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon (exploit-db.com)
- Search GitHub for:
  - API keys
  - Pull requests
  - Issues
- Fingerprint TLS using JARM
- Identify Domains registered by a person
- Reverse Whois Lookups with Google
- Perform Reverse IP Lookups
- Reverse Google AdSense Lookups
- Reverse Google Analytics Lookups
- Reverse Google tag lookup
WebApps
- OSINT.SH - All in one Information Gathering Tools
- NerdyData - search for a list of websites by content inside their HTML, such as a Google tag ID or AdSense ID
- DNSdumpster.com - dns recon and research, find and lookup dns records
Tools
- six2dez/reconftw: reconFTW is a tool designed to perform automated recon on a target domain
- yogeshojha/rengine: reNgine is an automated reconnaissance framework for web applications
- OWASP/Amass: In-depth Attack Surface Mapping and Asset Discovery (github.com)
- darkoperator/dnsrecon: DNS Enumeration Script (github.com)
- pry0cc/axiom: Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more! (github.com)
Cheatsheet
dnsrecon -d facebook.com -r 157.240.221.35/24 # Reverse lookup of the range using Facebook's own DNS
dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 # Reverse lookup of the range using Google DNS as the resolver
# Follow the installation instructions in the reconftw wiki to build the image
# -p Passive - Perform only passive steps
# -n OSINT - Performs an OSINT scan only (no subdomain enumeration or attacks)
# -s Subdomains - Perform only subdomain enumeration, web probing, subdomain takeovers
sudo docker run -it --rm -v "${PWD}/reconftw.cfg":'/reconftw/reconftw.cfg' -v "${PWD}/Recon/":'/reconftw/Recon/' <IMAGE_ID> -l /reconftw/Recon/domains.txt -spn -o /reconftw/Recon/output
python3 cloud_enum.py -k <key_word> -t 10 # Enumerate public cloud resources matching a keyword, 10 threads
python3.11 theHarvester.py -d <DOMAIN> -b all # Gather emails, hosts and subdomains for the domain from all sources