>> Practical Security Assessment (Penetration Testing) - Passive Intelligence Gathering

    • OSINT resources 2019
    • Awesome OSINT
    • Public data from courthouses, tax forms, and so on
    • Search engines
    • Conferences
    • Academic sources
    • Blogs
    • Research reports
    • Metadata from pictures, executables, documents, and so on
  • Footprinting
    • Name servers
    • IP ranges
    • Banners
    • Operating Systems
    • Determining if IDS/IPS is used

Some of the how-tos on recon by Null-Byte

Recon-ng

Recon-ng gives information about IP space, locations, users, emails, and more. You can connect different API keys to recon-ng (such as IPInfoDB). It will also search for information about the company in Google, Bing, and Baidu. It can brute-force subdomains, resolve domain names to IPs (and vice versa), and even produce a nice-looking HTML report of all the gathered data.

Example (by default no modules are installed, so we have to install them first):

marketplace install hackertarget
modules load hackertarget
show options
options set SOURCE domain.com

To see all modules:

show modules

To get the info (e.g., hosts) after you have run the modules:

show hosts

Discover Scripts

Discover Scripts is a set of tools for passive OSINT. The tools include dnsrecon, goofile, goog-mail, goohost, theharvester, metasploit, urlcrazy, whois, dnssy, ewhois, myipneighbor, and urlvoid.

Subdomain Enumeration

  • Anubis: a subdomain enumeration and information-gathering tool.
  • KNOCK can enumerate subdomains based on a wordlist like this one.
  • Sublist3r uses Google dorking to find subdomains.
  • SubBrute enumerates subdomains based on DNS metadata.

Searching GitHub history

  • Truffle Hog is an excellent tool for searching through commit history and identifying juicy info for red teamers.
  • Gitrob searches for the juicy stuff at scale for a particular organization: it tries to find all developers who are somehow connected with the company and searches for API keys, passwords, SSH keys, etc.
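
The same kind of search, turned around to the defender's side: an added example (not from the original notes, and not Truffle Hog's or Gitrob's code) that walks a repository's entire git history and flags added lines that look like credentials, so a team can check its own repositories before they are published. It assumes git is installed; the regular expressions are illustrative, and the AWS key in the sample diff is the placeholder value used in AWS's own documentation.

```shell
#!/bin/sh
# Added example, not part of the original notes: scan a repository's whole
# commit history for credential-looking strings before it is published.
# Assumes git is installed. The patterns are illustrative, not exhaustive.

# Credential patterns (constructed for this example; extend for your org):
#   AWS access key IDs, PEM private key headers, password assignments.
SECRET_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|[Pp]assword[[:space:]]*[=:]'

# scan_secrets: read unified-diff text on stdin and print only *added*
# lines ("+" but not the "+++" file header) that match SECRET_RE.
# Always exits 0 so it is safe to call under `set -e`.
scan_secrets() {
    grep -E '^\+[^+]' | grep -E "$SECRET_RE" || true
}

# count_secrets: number of matching added lines in the diff on stdin.
count_secrets() {
    scan_secrets | grep -c . || true
}

# scan_history: walk every commit on every branch (deleted files and
# since-removed lines included) and print "commit-hash: +line" for hits.
scan_history() {
    repo="${1:-.}"
    git -C "$repo" log -p --all --format='commit %H' |
        awk '/^commit /{c=$2; next} /^\+[^+]/{print c ": " $0}' |
        grep -E "$SECRET_RE" || true
}

# Constructed sample diff used to exercise the scanner offline.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
+name = "harmless"
-password = "old"'

if [ -n "${1-}" ]; then
    scan_history "$1"     # e.g. ./scan.sh /path/to/repo
fi
```

`git log -p --all` is what makes this different from grepping the working tree: a secret that was committed and then deleted is still in every clone's history, which is exactly where Truffle Hog-style tools find it.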

DNS Recon

  • CNAME - alias record; used to point many names at a single canonical name (and so at a single IP). One address can have multiple CNAME aliases pointing at it.
  • A - translates a domain or subdomain name to a 32-bit IPv4 address. It can also carry other useful information.
  • MX - ties a domain name to its mail servers.

A website to perform all kinds of lookups online: ViewDNS

$ nslookup domain.com
$ nslookup -type=ns domain.com

Save the output to a file:

$ nslookup -type=ns domain.com > nslookup.txt
$ nslookup domain.com >> nslookup.txt

Domain Information Groper (DIG)

Online public version of DIG

$ dig domain.com
$ dig domain.com any

The fun part: zone transfers and BIND version

$ dig axfr @ns1.domain.com domain.com
$ dig +nocmd +noall +answer version.bind txt chaos @ns1.domain.com
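
An added example (not from the original notes) that strings the lookups above together: it prints the A, CNAME, MX and NS records for a domain and then tries AXFR against each of the zone's name servers, classifying the reply so you can confirm that every authoritative server refuses transfers. It assumes `dig` is installed; the sample dig outputs are constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not part of the original notes: for a domain, print the
# record types described above (A, CNAME, MX, NS) and then check whether any
# of its authoritative name servers hands out the whole zone over AXFR.
# Assumes `dig` (dnsutils / bind-utils) is installed.

# classify_axfr: read the output of `dig axfr <zone> @<server>` on stdin and
# print one word:
#   OPEN      the server returned zone records (transfer permitted)
#   REFUSED   the server answered but denied the transfer
#   NOANSWER  timeout or no usable reply
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo REFUSED
    elif printf '%s\n' "$out" |
         grep -qE '^[^;].*[[:space:]]IN[[:space:]]+(SOA|NS|A|AAAA|MX|CNAME|TXT)[[:space:]]'; then
        echo OPEN
    else
        echo NOANSWER
    fi
}

# dns_summary: the lookups from the notes, one record type per block.
dns_summary() {
    d="$1"
    for t in A CNAME MX NS; do
        echo "== $t records for $d"
        dig +noall +answer "$d" "$t"
    done
}

# check_zone_transfers: find the zone's NS records and try AXFR at each.
# Every line should read REFUSED for a correctly configured zone.
check_zone_transfers() {
    d="$1"
    for ns in $(dig +short NS "$d"); do
        status=$(dig axfr "$d" "@$ns" | classify_axfr)
        echo "$ns $status"
    done
}

# Constructed dig outputs for the offline self-check (spaces stand in for
# the tabs dig prints).
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
; Transfer failed.'
SAMPLE_OPEN='example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.  3600 IN NS  ns1.example.com.
www.example.com. 300 IN A   192.0.2.10
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

if [ -n "${1-}" ]; then
    dns_summary "$1"
    check_zone_transfers "$1"
fi
```

An OPEN result means the whole zone (every host name, including internal ones that never appear in search engines) is readable by anyone; the fix is to restrict `allow-transfer` on the server to the secondaries only.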

Reverse DNS lookup

$ dig +nocmd +noall +answer -x IP_ADDR

DNS Brute-Forcing

$ fierce --domain example.com
$ fierce --domain example.com --subdomain-file ourOwnWordList.txt
$ fierce --domain example.com --wide
$ perl blindcrawl.pl -d domain.com
$ python gxfr.py --bxfr --dns-lookup -o domain.com

Crawling through IP space to get DNS names:

$ ipcrawl #oracle

Top registrars

$ whois domain.com

Using a specific whois server (here APNIC's):

$ whois -h whois.apnic.net domain.com

Shodan Filters:

  • has_screenshot:true Finds hosts for which Shodan captured a screenshot of whatever they are serving.
  • net: Possibly the most useful filter for a penetration tester. You can search your IP ranges using IP/CIDR notation, for example to see whether all of your devices are configured as expected, or whether there are indicators that a vulnerable server or network-device configuration is externally facing and ready to be compromised during testing.
  • city: Limits the search to the city listed.
  • country: Restricts the search to devices in the country of choice. This is also very important for pentesting, as there may be times when a client provides you with IP ranges (which you validated, right?) and then places certain assets out of scope due to location. A client may choose not to test systems located in Singapore, for instance.
  • port: Restricts the search to the port indicated. Remember that Shodan does not index banners for all ports, only for 80, 21, 22, and 23.
  • before: Search for systems scanned before a specified date.
  • after: Search for systems scanned after this date.
  • os: Specify the operating systems you want to include in or exclude from your search.

Censys, ARIN, and pastebin dumps

  • Censys is a web service that identifies reachable servers and devices within given IP ranges. It is quite useful for checking what is visible from outside the organization.
  • ARIN lets you look up the IP ranges assigned to a particular organization in the US.
  • Pastebin dumps let you find out whether any of the users' data has previously been dumped on pastebin-style websites.

HTTP banner

$ nc domain.com 80
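
Typing the request into `nc` by hand works, but a scripted version is repeatable: the added example below (not part of the original notes) sends a well-formed HEAD request through netcat and pulls the Server header out of the reply. It assumes an `nc` that accepts `-w` for a timeout; the sample response is constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not part of the original notes: grab an HTTP banner with
# netcat by sending a well-formed HEAD request rather than typing it in by
# hand, then pull out the Server header. Assumes `nc` supports -w (timeout).

# extract_server: read a raw HTTP response on stdin and print the value of
# the Server header, or "<none>" when the server does not advertise one
# (a hardened server often strips or blanks it).
extract_server() {
    srv=$(tr -d '\r' | grep -i '^server:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -n "$srv" ]; then echo "$srv"; else echo '<none>'; fi
}

# http_banner: send HEAD / with a Host header (many virtual-hosted servers
# answer 400 without one) and close; print status line and headers.
http_banner() {
    host="$1"; port="${2:-80}"
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" |
        nc -w 5 "$host" "$port"
}

# Constructed response used for the offline self-check.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
'

if [ -n "${1-}" ]; then
    resp=$(http_banner "$1" "${2:-80}")
    printf '%s\n' "$resp"
    printf 'Server header: %s\n' "$(printf '%s\n' "$resp" | extract_server)"
fi
```

Run it against your own hosts to see exactly what version string they leak; `<none>` is what you want a production server to return.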

Google Hacking

Load-Balancing and IPS Detection

Run dig on google.com and notice how many IP addresses come back. More than one, right? That is because a load balancer distributes the incoming traffic across several servers.
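
The observation above, made repeatable: an added example (not from the original notes) that resolves a name several times and counts the distinct IPv4 addresses seen, which is the simplest indicator of DNS-based load balancing. It assumes `dig` is installed; the sample answer list is constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not part of the original notes: resolve a name repeatedly
# and count the distinct IPv4 addresses returned. More than one address, or
# a set that changes between queries, points to DNS-based load balancing
# in front of the site. Assumes `dig` is installed.

# count_unique_ips: read `dig +short A` output on stdin (addresses, possibly
# mixed with CNAME targets) and print the number of distinct IPv4 addresses.
count_unique_ips() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | grep -c . || true
}

# probe_balancer: query NAME n times (default 5) and report the distinct
# address count; prints e.g. "www.example.com: 3 distinct addresses".
probe_balancer() {
    name="$1"; n="${2:-5}"; i=0
    count=$(
        while [ "$i" -lt "$n" ]; do
            dig +short A "$name"
            i=$((i + 1))
        done | count_unique_ips
    )
    echo "$name: $count distinct addresses"
}

# Constructed `dig +short` output (one CNAME target followed by A records).
SAMPLE_ANSWERS='www.example.com.
192.0.2.10
192.0.2.11
192.0.2.10
192.0.2.12'

if [ -n "${1-}" ]; then
    probe_balancer "$1" "${2:-5}"
fi
```

A single address does not rule out a balancer (it may sit behind one IP at layer 4 or 7); several addresses for one name is the DNS round-robin case the note describes.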

As an example, a tool that helps find free proxies: https://github.com/constverum/ProxyBroker

Email/Subdomain/Names/Banners Harvesting

TheHarvester (the -b value chooses the data source):

$ theharvester -d domain.com -l 50 -b google {linkedin | pgp | all}

Tor and Privacy

Running Tor browser on Kali the proper way

How to find active onion sites to access using Tor

To use Kali commands through Tor, run them through the proxychains tool. Use a TCP connect scan (-sT): proxychains only relays TCP connections, so raw-socket scans such as -sS and ICMP probes go out directly and bypass Tor.

$ proxychains nmap -sT -p80 IP_ADDR

Privacy Tools

Licensed under GNU General Public License v3.0 © Vitaly Ford