OSINT
Asset Discovery & Reconnaissance
Manual Techniques
- Scrape Stack Overflow posts for secrets: Stack Exchange Data Dump; Baking Flask cookies with your secrets
- Search the internet: Google, Shodan, GitHub, APIs.Guru and ProgrammableWeb
- Google Dorking: Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon (exploit-db.com)
- Search GitHub for:
  - API keys
  - Pull requests
  - Issues
- Fingerprint TLS using JARM
- Identify Domains registered by a person
- Reverse Whois Lookups with Google
- Perform Reverse IP Lookups
- Reverse Google AdSense Lookups
- Reverse Google Analytics Lookups
- Reverse Google tag lookup
Tools
Recon Domains
- OSINT.SH - All in one Information Gathering Tools
- Search for websites by content inside their HTML, such as a Google Tag ID or AdSense ID - NerdyData
- DNSdumpster.com - dns recon and research, find and lookup dns records
- GitHub - edoardottt/csprecon: Discover new target domains using Content Security Policy
- GitHub - g0ldencybersec/gungnir: A Golang CLI tool for continuously monitoring certificate transparency (CT) logs for newly issued SSL/TLS certificates. Supports filtering down to monitor specific root domains.
- GitHub - yousseflahouifi/moniorg: moniorg is a tool that leverages crt.sh website to monitor domains of a target
Recon URLs
- GitHub - lc/gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
- GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.
Multi-purpose Recon Tools
- six2dez/reconftw: reconFTW is a tool designed to perform automated recon on a target domain
- yogeshojha/rengine: reNgine is an automated reconnaissance framework for web applications
- OWASP/Amass: In-depth Attack Surface Mapping and Asset Discovery (github.com)
- darkoperator/dnsrecon: DNS Enumeration Script (github.com)
- pry0cc/axiom: Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more! (github.com)
Cheatsheet
# dnsrecon: reverse lookup of the range; without -n, dnsrecon resolves via the target's own name servers
dnsrecon -d facebook.com -r 157.240.221.35/24
# Same reverse lookup, but resolving through Google's public DNS
dnsrecon -r 157.240.221.35/24 -n 8.8.8.8

# reconFTW: follow the installation instructions in the reconftw wiki to build the image
# -p Passive - perform only passive steps
# -n OSINT - perform an OSINT scan (no subdomain enumeration and attacks)
# -s Subdomains - perform only subdomain enumeration, web probing, subdomain takeovers
sudo docker run -it --rm -v "${PWD}/reconftw.cfg":'/reconftw/reconftw.cfg' -v "${PWD}/Recon/":'/reconftw/Recon/' <IMAGE_ID> -l /reconftw/Recon/domains.txt -spn -o /reconftw/Recon/output

# cloud_enum: enumerate public cloud resources named after a keyword (-k), using 10 threads (-t)
python3 cloud_enum.py -k <key_word> -t 10

# theHarvester: gather emails, hosts and subdomains for a domain (-d) from all sources (-b all)
python3.11 theHarvester.py -d <DOMAIN> -b all