Passive information gathering

The first step of any penetration test is gathering information about the target company. In this tutorial we will go through all the steps required for passive information gathering.

Public company information

Try to get the following data:

  1. Company location and addresses.
  2. All company email addresses (https://hunter.io/).
  3. Company structure. There could be some companies acquired by the target company.
  4. Legal info like the company tax number.
  5. Founders info.
  6. Company blog articles can reveal information about the tech stack.
  7. Company social media data on the most popular social media platforms like Instagram, Facebook, etc.
  8. Company vacancies to get more info about the tech stack.

Company employee information

Try to get the following data:

  1. Names
  2. Emails
  3. Phones
  4. Job positions
  5. Social media data

Website tech stack

Get tech stack info from the following services:

  1. https://builtwith.com/
  2. https://www.wappalyzer.com/
  3. https://w3techs.com/sites
  4. https://whatcms.org/
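The services above infer a tech stack from response headers and page markup. The following is an added example, not part of this tutorial: the sample headers and HTML are constructed and the signature table is illustrative, so a site owner can run it against their own response to see which headers and markup announce software names and versions.

```python
import re
from typing import Dict, List

# Constructed sample of what a fingerprinting service sees in a response.
# Not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2">
<link rel="stylesheet" href="/wp-content/themes/foo/style.css">
<script src="/static/jquery-3.6.0.min.js"></script>
</head></html>"""

# (category, technology, regex with optional version group, source)
# source is "html" or "header:<Name>". Illustrative table, not exhaustive.
SIGNATURES = [
    ("web-server", "nginx", r"\bnginx(?:/([\d.]+))?", "header:Server"),
    ("web-server", "Apache", r"\bApache(?:/([\d.]+))?", "header:Server"),
    ("language", "PHP", r"\bPHP(?:/([\d.]+))?", "header:X-Powered-By"),
    ("language", "PHP", r"\bPHPSESSID=", "header:Set-Cookie"),
    ("cms", "WordPress", r'content="WordPress ?([\d.]*)"', "html"),
    ("cms", "WordPress", r"/wp-content/", "html"),
    ("js-library", "jQuery", r"jquery-([\d.]+)\.min\.js", "html"),
]

def fingerprint(headers: Dict[str, str], html: str) -> Dict[str, Dict[str, str]]:
    """Return {category: {technology: version or ''}} inferred from the response."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found: Dict[str, Dict[str, str]] = {}
    for category, tech, pattern, source in SIGNATURES:
        haystack = html if source == "html" else lowered.get(source[7:].lower(), "")
        m = re.search(pattern, haystack, re.IGNORECASE)
        if not m:
            continue
        version = (m.group(1) or "") if m.re.groups else ""
        bucket = found.setdefault(category, {})
        # Several signatures may hit one technology; prefer a non-empty version.
        bucket[tech] = bucket.get(tech) or version
    return found

def disclosing_headers(headers: Dict[str, str]) -> List[str]:
    """Headers a site owner would normally strip or neutralise because they
    announce software names and versions in every response."""
    noisy = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}
    return sorted(k for k in headers if k.lower() in noisy)
```

Removing or genericising the headers returned by disclosing_headers does not hide a stack from markup-based signatures, so both sources need attention when hardening.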

Google dorks

  1. Try common Google dorks from https://pentest-tools.com/information-gathering/google-hacking
  2. Based on previously collected data (server version, CMS, etc.) try Google dorks from https://www.exploit-db.com/google-hacking-database
  3. Check the target website and try to find what files are stored and could be leaked. Try Google dorks based on common sense. For example, if a website is a social media platform then some images can be indexed. Or, for example, tourism websites can leak users’ IDs.

Other tools

  1. https://www.shodan.io
  2. Try to find source code at https://github.com
  3. Get whois info and all domains at the target IP from https://whois.domaintools.com/

DNS enumeration

  1. fierce --domain onrealt.ru
  2. anubis -t onrealt.ru
  3. https://site-analyzer.pro/services-seo/site-all-subdomains/
  4. https://search.censys.io/
  5. https://rapiddns.io/
