Passive Information Gathering
In cyber we are always hunting for information. There are two main types of information collection processes, active and passive. Let’s start with the passive collection, which just means that we’re going to use tools and methods that will (hopefully) not alert anyone to our presence.
We all know how powerful Google is, but we may not be totally sure of what Google can do. For example, you can use double quotes to be more specific in your searches. Offensive Security has an entire database called The Google Hacking Database or GHDB that can help you identify things like footholds, files containing usernames, sensitive directories, and vulnerable files and servers. The database, which is updated regularly, will provide you the exact syntax to use to identify these vulnerabilities.
Google also has a “Google Trends” site that allows you to see what the world has been searching for. Some additional references include:
- Google Hacking Database (GHDB)
- Google Trends
- SANS – Google Hacking and Defense Cheat Sheet
- DARKReading – Google Dorking: Exposing the Hidden Threat
The OSINT Framework
The Open Source Intelligence (OSINT) Framework is a collection of tools that help improve your intelligence-gathering process. The site will provide useful links to whatever you may be searching for.
Shodan is a search engine that can search for any device connected to the Internet. Basically everything connected to the internet can be detected by Shodan and categorized according to what kind of a device it is (computers, webcams, routers, etc.).
The Wayback Machine allows you to view previous versions of websites. This is a great resource for passive reconnaissance while giving you the option to see an earlier version of the site.
Robtex is the go-to for network infrastructure enumeration. You can use this tool to identify domains, subdomains, A records, AAAA records, MX records, IP addresses and more.
Have I been pwned? allows you to search across multiple data breaches to see if your email address (or someone else’s) has been compromised
Foller.me is a Twitter application that allows for statistical analysis on public twitter profiles. You can use it to find out detailed information about any public Twitter account. This includes topics, mentions, hashtags, followers, location, etc.
Hunter.io is a SaaS tool that scrapes websites for email addresses and contact information. While it is primarily used by marketers, the service can also be valuable for doing basic recon on a target and finding names and other information for key employees. In addition to finding email addresses, Hunter.io can also verify that addresses are valid. The basic service is free for up to 25 searches per month.
WiGLE (Wireless Geographic Logging Engine) is a website that collects information about WiFi hotspots. Users upload hotspot data which can include the SSID, GPS information, encryption, and organization data. The WiGLE database currently contains data on over 750 million WiFi networks (as of mid-2021). This can be a useful tool for security professionals who need to conduct site surveys, search for rogue access points, etc.
Censys is a powerful search engine that can return the visible ports and services of an organization’s public infrastructure. This is useful for pentesters as well as defensive analysts in that it can highlight configuration weaknesses and potential attack surfaces for a network. There is a free public search engine as well as paid subscriptions that include many more features.
Social Searcher is a free social media search engine that can search across all major social media platforms including Twitter, Facebook, YouTube, Instagram, etc. This is useful for anyone wanting to monitor customer feedback and social media mentions of people or topics; it can also be used by pentesters and other security personnel to search for disclosures of compromising information (accidental or otherwise). Social Searcher presents results in a dashboard format that provides real-time analytics and also includes reporting features.
SSL Checker is an easy-to-use tool that just checks to see if an organization’s TLS/SSL certificates are correctly installed, valid, trusted, and not generating errors for end users. You just enter a public hostname into the search field and SSL Checker will return information about that site’s certificates including IP address, server type, validity, expiration, and more. This is a simple way to look for misconfigurations and problems with a website’s certificates.
GreyNoise helps security analysts save time by revealing which events and alerts they can ignore. The service curates data on IP addresses that saturate security tools with noise. This helps reduce the time spent examining irrelevant or harmless activity in order to investigate actual threats. Although it is primarily a paid service, GreyNoise offers a free community service with some good basic features.
The whois command allows you to identify registration information for a domain or IP address.
# whois espn.com
# whois 18.104.22.168
Pre-installed on Kali, theHarvester allows you to collect emails, subdomains, hosts, employee names, open ports, and banners from a variety of public information sources. This is very useful in the early stages of information gathering to help you get a picture of the structure of a target organization.
# theharvester -d [targetdomain.com] -l 500 -b yahoo
# theharvester -d [targetdomain.com] -l 500 -b google
# theharvester -d [targetdomain.com] -l 500 -b linkedin
# theharvester -d [targetdomain.com] -l 1000 -b all
The Discover tool by Lee Baird comes highly recommended. It is great for passive or active reconnaissance on a domain or person.
# git clone https://github.com/leebaird/discover.git /opt/discover
# cd /opt/discover