Who’s the target:
Gathering solid information about your target is crucial for a successful mission. Starting with passive reconnaissance is best when building a profile about a target, this can later can be used in the aggressive reconnaissance phase to enumerate services/hosts. The mission of passive recon is to gain information about target without actively engaging with the systems.
Target : DOMAIN.com
Start by gathering all the social media presence; Any information collected can in the end become intelligence with context. You can find this by doing a simple Google Search - “DOMAIN AND twitter.com”. This can be used against other domains.
Social Media Platforms:
You can also gather this information in the aggressive recon phase by going to the site directly. These social media platforms are usually managed by marketing operators to show an “inside look” into the company which means we can find faces of employee when we get to the user/employee recon phase. Find the registration and delegation of a domain name, also known as whois lookup. Let’s get right down to what e-mail address was used to register this domain: http://whois.domaintools.com/DOMAIN.com Good information in this Registry Registrant ID. Search for the Registrant e-mail, so we can use it to do a reverse whois lookup. Registrant E-mail -> domain-management@DOMAIN.com The domain registrant name is the organization or individual registering the domain name and the e-mail is the e-mail used to register the domain. Keeping that in mind, we can use this e-mail to associate it with other domains that are owned by the registrant. Using Reverse WHOIS Lookup to gather what other domain name: Reverse Whois lookup to find domain names owned by an individual person or company by using e-mail address or name of the person or company. Let’s move towards getting all associated domains with this e-mail using viewdns.info. http://viewdns.info/reversewhois/?q=+domain-management%40domain.com Format:
- URL - http://viewdns.info/reversewhois/?q=
- e-mail address included in the URI - firstname.lastname@example.org, this was extracted from the whois in the Registrant E-mail.
Provided above we have identified multiple domains related to this e-mail address. That can be used to do further recon. Note: This data is not live because the service provided are selective about what top level domains are updated daily and which are quarterly updated. There’s at least enough information to go off of. You can also use https://dnsdumpster.com to gather DNS records related to the domain in question. This information can be downloaded at the bottom, click the [Download .xlsx of Hosts]. Let’s see if there’s any e-mail address or other information regarding the domain.com domain. Using TheHarvester to Search Public sources for gathering e-mail accounts, subdomain names, virtual hosts, open ports/banners, and employee names. https://github.com/laramies/theHarvester Command: theharvester -d DOMAIN.com -l 500 -b all This command will harvest e-mails, hosts, and virtual hosts. Based on the intelligence provided from theHarvester, we can see the format of internal e-mails and guess what people’s e-mail addresses are internally based on this format.
Enumerating hosts/subdomains :
Let’s run a Anubis which is a subdomain enumeration and information gathering tool to enumerate subdomains which collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Command: anubis -t domain.com –additional-info –ip -o domain.com.txt Another nifty tool to use is Sublist3r was created to enumerate subdomains of websites using OSINT. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Command: sublist3r -d domain.com -b
Google Dork for identifying cloud content:
Searching Buckets for goods Amazon S3 buckets - Google, site:”.s3.amazonaws.com” AND “domain” Searching Buckets for goods Digital Ocean S3 Similar buckets - Google, site:”digitaloceanspaces.com” AND domain Searching buckets for goods - Google, site:”.appspot.com” AND domain Find more interesting google dork examples here: https://www.exploit-db.com/google-hacking-database/ You can use to hunt for publicly accessible DigitalOcean Spaces : https://github.com/appsecco/spaces-finder You can use to hunt for public accessible Amazon Buckets : https://github.com/jordanpotti/AWSBucketDump Notes - The e-mail addresses gathered can now be considered a vector of attack via phishing if enough information on the target is gathered. The hostnames identified using DNSDumpster and TheHarvester can be gathered to get create another set of targets to enumerate more deeply into. Manually checking each domain one by one can probably lead to a gold mine that was known of. Learn your assets and attack vectors in your environment.