
Passive reconnaissance

Passive Information Gathering, also known as Open-source Intelligence (OSINT), is the process of collecting openly-available information about a target, generally without any direct interaction with that target.

Whois Enumeration

WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information.

Default port: 43

PORT   STATE  SERVICE
43/tcp open   whois

Enumerate all the information that a whois service has about a domain:

whois -h <HOST> -p <PORT> "domain.tld"
echo "domain.tld" | nc -vn <HOST> <PORT>
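As an added example (not code from the original page), the following Python script does by hand what the two commands above do: it opens a TCP connection to port 43, sends the domain name followed by CRLF, and reads until the server closes the connection. It then parses the `Key: value` response into a record so the result can be checked programmatically, for instance to monitor the expiry date of a domain you are responsible for. The WHOIS server name is an argument you supply; the sample response embedded below is constructed and does not describe any real registration.

```python
import re
import socket
import sys
from datetime import datetime

# Constructed sample WHOIS response used for the offline demonstration below.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TLD
Registrar: Example Registrar, Inc.
Creation Date: 2015-06-01T12:00:00Z
Registry Expiry Date: 2026-06-01T12:00:00Z
Name Server: NS1.EXAMPLE.TLD
Name Server: NS2.EXAMPLE.TLD
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""


def whois_query(domain: str, host: str, port: int = 43, timeout: float = 10.0) -> str:
    """Send one WHOIS query (RFC 3912): the name plus CRLF, then read until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection when the answer is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; repeated keys (e.g. Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the comment/notice lines most registries add.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z /]*?):\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def expiry_date(record: dict):
    """Return the expiry timestamp if the record carries one under a common key name."""
    for key in ("registry expiry date", "expiry date", "expiration date"):
        if key in record:
            return datetime.fromisoformat(record[key].replace("Z", "+00:00"))
    return None


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python whois_client.py domain.tld whois.server.example
        text = whois_query(sys.argv[1], sys.argv[2])
    else:
        text = SAMPLE_WHOIS
    rec = parse_whois(text)
    print("registrar:", rec.get("registrar"))
    print("name servers:", rec.get("name server"))
    print("expires:", expiry_date(rec))
```

Registries differ in key names and comment markers, so the parser keeps every `Key: value` pair rather than hard-coding a schema; `expiry_date` shows how to look up the few spellings that matter once the record is in hand.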

Google Hacking

Google Hacking CheatSheet

  • ext:
  • intitle:
  • site:
  • -filetype:
  • intitle:"index of" "parent directory"
  • site:http://target.com ext:txt | ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
  • site:http://target.com inurl:admin | administrator | adm | login | l0gin | wp-login

Netcraft

Netcraft is an internet service company, based in England, offering a free web portal that performs various information gathering functions such as discovering which technologies are running on a given website and finding which other hosts share the same IP netblock.

Using services such as Netcraft is considered a passive technique, since we never directly interact with our target.

Shodan

Shodan is a search engine that crawls devices connected to the internet, including the servers that run websites, but also devices like routers and IoT devices.

  • https://thor-sec.com/cheatsheet/shodan/shodan_cheat_sheet/
  • https://cheatography.com/sir-slammington/cheat-sheets/shodan/

Security Headers and SSL/TLS

The Security Headers service analyzes a site's HTTP response headers and provides a basic assessment of its security posture. We can use the results to get an idea of an organization's coding and security practices.
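To make concrete what such a header review checks, here is an added example in Python (not the Security Headers service's own code, nor from the original page). It grades a response-header set for the presence and strength of the common hardening headers and flags headers that disclose software versions. The two header sets are constructed for the demonstration; the `fetch_headers` helper is the only part that touches the network and is called only when a URL is passed on the command line.

```python
import re
import sys
import urllib.request

# Constructed sample responses; neither describes a real site.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "PHP/7.4.3",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Headers a hardened site is expected to send.
REQUIRED = [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
]
# Headers that tend to reveal the software stack and its version.
DISCLOSING = ["server", "x-powered-by"]
ONE_YEAR = 31536000


def assess_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        if name not in lower:
            findings.append(f"missing: {name}")
    # HSTS is only effective with a long max-age; one year is the usual minimum.
    m = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("weak: strict-transport-security max-age below one year")
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")
    for name in DISCLOSING:
        if name in lower:
            findings.append(f"disclosure: {name} reveals '{lower[name]}'")
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch the response headers of one URL with a HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


if __name__ == "__main__":
    # Usage: python header_check.py https://your-own-site.example/
    if len(sys.argv) == 2:
        sample = fetch_headers(sys.argv[1])
    else:
        sample = WEAK_HEADERS
    for finding in assess_headers(sample) or ["no findings"]:
        print(finding)
```

The check is deliberately coarse: it reports presence and a few obviously weak values, which is roughly the level of insight the passive service gives about a site's practices. A real review would also parse the CSP directives rather than only noting the header's presence.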

Another scanning tool we can use is the SSL Server Test from Qualys SSL Labs. This tool analyzes a server's SSL/TLS configuration and compares it against current best practices. It will also identify some SSL/TLS-related vulnerabilities, such as POODLE or Heartbleed.