Pentest - Passive Information Gathering
Passive Information Gathering
Also known as open-source intelligence (OSINT): the process of collecting freely available information about a target, usually with no direct interaction with target assets. In the strict interpretation there is zero interaction with the target, i.e. all information is obtained through third parties. More loosely, passive information gathering allows interaction with the target, but only as a normal user would, e.g. registering for an account on the corporate website. The goal is to clarify or expand the attack surface and to feed the later penetration testing steps.
Whois
The name servers and registrar of a domain can be determined with the whois utility. Registrars typically charge a fee for private registration, so the registration details are usually public. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership, but the records themselves are held by separate companies known as registries.
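As an added example (not part of the original notes), the following Python script parses the key/value output of the whois utility into the fields a tester or domain owner cares about: registrar, creation and expiry dates, name servers (which identify the DNS hosting provider to enumerate next), DNSSEC status, and whether the registrant details are redacted by a privacy service. The whois text embedded below is constructed; example.com is an IANA-reserved name and the registrar, dates and name servers are made up. The whois_lookup helper assumes a whois(1) client is installed and that network access is available; the parser itself runs offline.

```python
import json
import re
import subprocess
import sys

# Constructed sample in the shape of registry whois output. The values are made up:
# example.com is an IANA-reserved domain and none of these are real registration records.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2023-08-14T07:01:38Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# One "Key: value" line; the lazy key stops at the first colon, so URLs in the value survive.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*?)\s*$")


def parse_whois(text):
    """Collect every 'Key: value' pair; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banners, blank lines and disclaimers are skipped
        key, value = m.group(1).lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def summarize(fields):
    """Reduce the raw field map to the handful of facts worth recording."""
    first = lambda key: fields.get(key, [""])[0]
    registrant = " ".join(fields.get("registrant name", []) + fields.get("registrant organization", []))
    return {
        "domain": first("domain name").lower(),
        "registrar": first("registrar"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "dnssec": first("dnssec"),
        # Privacy services replace the registrant with a redaction notice.
        "privacy_protected": "REDACTED" in registrant.upper(),
    }


def whois_lookup(domain, timeout=20):
    """Run the system whois(1) client and parse its output (requires network access)."""
    proc = subprocess.run(["whois", domain], capture_output=True, text=True,
                          timeout=timeout, check=True)
    return summarize(parse_whois(proc.stdout))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(whois_lookup(sys.argv[1]), indent=2))
    else:
        print(json.dumps(summarize(parse_whois(SAMPLE_WHOIS)), indent=2))
```

Run without arguments to parse the embedded sample, or with a domain name to query the live whois client. Whois output formats differ between registries, so the field names above match the common Verisign-style layout; for other TLDs inspect the raw fields returned by parse_whois and adjust the keys.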
Google Hacking
Popularized by Johnny Long in 2001. Google can be used to uncover information and discover vulnerabilities, especially when combined with carefully crafted search strings and operators.
- `site:` : limit results to a single domain
- `filetype:` : limit results to a particular file type, e.g. `filetype:txt`. Same as `ext:`. Another example: we can try to determine the programming languages used with, e.g., `ext:py`
- `-` : subtraction operator to exclude results from the search, e.g., to look for non-HTML pages: `-filetype:html`
- `intitle:` : limit results by page title
Collections of ready-made search strings:
- Google Hacking Database
- DorkSearch
Netcraft
An internet service that reports which technologies are running on a given website and which other hosts share the same IP netblock. https://searchdns.netcraft.com
Open-Source Code
- e.g. GitHub, GitHub Gist, GitLab, SourceForge
- determine programming languages and frameworks; find sensitive data accidentally committed
- GitHub: search operators, e.g. `owner:<owner search> path:<search in file name>`
- Gitrob: https://github.com/michenriksen/gitrob
- Gitleaks: https://github.com/zricethezav/gitleaks
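The "sensitive data accidentally committed" point is what tools like Gitrob and Gitleaks look for. As an added example (my own code, not from either project), the following Python scanner shows the two detection strategies such tools combine: regexes for credential formats with a known shape (AWS access key IDs, GitHub personal access tokens, Slack tokens, PEM private key headers, generic `password = "..."` assignments) and a Shannon-entropy check for long random-looking quoted strings that no specific rule recognises. The repository contents are constructed inline; the AWS key is the documented AWS example key, not a live credential, and the `secretscan:allow` inline marker is a hypothetical allowlist convention of this script. The same scan, run over your own repositories before they are pushed, is the defensive counterpart to the OSINT step.

```python
import math
import re
from dataclasses import dataclass

# Specific rules: the publicly documented shapes of common credential types.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # Assignment of a quoted value (8+ chars) to a password/secret/api-key-like name;
    # group 1 captures the secret itself.
    ("generic-credential", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Fallback: any quoted token of 20+ characters from the usual key alphabet.
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; English-like strings sit well below this
ALLOW_MARKER = "secretscan:allow"  # hypothetical inline allowlist marker for this script

# Constructed sample repository (path -> file contents). The AWS key is the documented
# AWS example key, not a live credential.
SAMPLE_REPO = {
    "README.md": "# demo\nRun `make test` before pushing.\n",
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "correct-horse-battery"\n'
        'SESSION_TOKEN = "3f9a8c2e1b7d4f6a9c0e2b5d8f1a4c7e"\n'
        'PLACEHOLDER = "replace-me-with-real-value"  # secretscan:allow\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    secret: str


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a constant string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Scan one file's contents line by line; specific rules take precedence over entropy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue  # explicitly allowlisted line
        matched_specific = False
        for name, rx in RULES:
            for m in rx.finditer(line):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, name, secret))
                matched_specific = True
        if not matched_specific:
            for m in QUOTED.finditer(line):
                token = m.group(1)
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "high-entropy-string", token))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and return all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def redact(secret):
    """Show only a prefix so reports do not re-leak the credential."""
    return f"{secret[:4]}...({len(secret)} chars)"


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {redact(f.secret)}")
```

The entropy check only runs on lines where no specific rule fired, so a recognised AWS key is reported once rather than twice. Entropy-based findings are candidates for triage, not confirmed secrets; hashes, UUIDs and base64 blobs trip it too, which is why real tools ship allowlists and per-rule thresholds.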
Shodan
- search engine for internet-connected devices and the services they expose