Recon
Last updated
https://docs.reconness.com/
look for different ASNs
http://bgp.he.net
prefixes v4
presents different IP ranges inside the CIDR notation
whois -h whois.cymru.com $(dig +short tesla.com) # dig resolves tesla.com to its IP address; the Team Cymru whois returns the ASN and CIDR prefix that IP belongs to
careful not to pick up shared hosting
amass
find subdomains for each of these ASNs
amass intel -asn 123456
#find more details about ip ranges/countries etc
whois.arin.net
ripe.net
shodan.io
https://beta.shodan.io/search/filters #useful filters
org:"Tesla"
#maybe some false positives
Find different attack surfaces which other people might not have discovered, i.e. from acquisitions
Wikipedia
search for subsidiaries
Crunchbase.com
search for org
look for acquisitions
Owler.com
search for org
look for acquisitions
Acquiredby.co
search for org
acquisitions
LinkedIn
affiliated pages or similar pages
Reversewhois
amass intel -d tesla.com -whois
Builtwith
Relationship Profile
look for analytics codes under ID # Google tracking codes that are linked to different sites
GoogleDorks
intext:"copyright tesla motors"
ShodanDorks
http.favicon.hash:81586312 # Jenkins favicon hash
can narrow it down after that
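Shodan's http.favicon.hash value is not a hash of the raw icon bytes: it is the 32-bit MurmurHash3 of the icon's base64 text as produced by Python's codecs.encode(data, "base64") (76-character lines with a trailing newline). The snippet below is an added example, not from the original page, and reimplements that hash with only the standard library so you can compute the dork value for your own organisation's favicon.ico and check which of your hosts Shodan will group under it; the sample icon bytes are constructed.

```python
import base64

MASK = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int (same result as mmh3.hash)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    n = len(data)
    full = n & ~3  # number of bytes covered by whole 4-byte blocks
    for i in range(0, full, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    tail = data[full:]  # 1-3 leftover bytes, mixed without the block rotation
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
    h ^= n  # length finalisation
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h


def shodan_favicon_hash(favicon: bytes) -> int:
    """Value to use in a Shodan http.favicon.hash:<n> query for this icon."""
    # base64.encodebytes() gives the same line-wrapped output as
    # codecs.encode(favicon, "base64"), which is what Shodan hashes.
    return murmur3_32(base64.encodebytes(favicon))


if __name__ == "__main__":
    # Constructed sample: an ICO header repeated, standing in for a real favicon.ico
    sample_icon = bytes([0, 0, 1, 0, 1, 0, 16, 16, 0, 0, 1, 0, 32, 0]) * 4
    print(f"http.favicon.hash:{shodan_favicon_hash(sample_icon)}")
```

Feed the bytes of a real favicon.ico into shodan_favicon_hash to get the dork value for that icon.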
https://github.com/tomnomnom/assetfinder/
assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
set up the config.ini file to get access to a lot more data sources than the baseline tool
subfinder # not used much but has a few extra sources
subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
https://github.com/subfinder/goaltdns
massdns
#download all.txt
sed -e 's/$/.tesla.com/' -i all.txt # appends .tesla.com to the end of each line - edits the file in place
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
#massdns much faster than gobuster but can get you blacklisted by DNS resolvers - a lot of false positives and negatives
rapid 7 fdns
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.com\"," | jq -r '.name' # streams the gzip, keeps records mentioning tesla.com and prints the name field
certstream
certstream | grep -E "\.tesla\.com$"
#Real-time certificate transparency log update stream
what is running, narrow down attack surface
builtwith.com
whatweb #follows redirection http-->https
masscan & nmap
masscan -p1-65535 $(dig +short tesla.com) --rate 1000
shodan dork
org:"Tesla"
ssl:"Tesla" #accurate and can prove ownership to organisation
ssl:"Tesla" http.component:"Drupal"
ssl:"Tesla" http.title:"Login"
censys.io
443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
github dork
"tesla.com" password
"tesla.com" key
"tesla.com" api
https://github.com/codingo/dorky #automate the dorking process - tool to be released
Burpcrawler
crawl site
Linkfinder https://github.com/GerbenJavado/LinkFinder
jsparser - similar to above
gobuster & recursebuster # recurse only does directory
otxurls
echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvault
waybackurls
echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing
https://github.com/maK-/parameth
https://github.com/codingo/Interlace
Interlace #multithreads other tools
interlace -tL domains.txt -c "amass enum -d _target_" -o subdomains.txt -threads 20
LazyRecon #out of date but still a good baseline
GHDB + others GUI tool
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
To find out what sites a user is registered on:
https://namechk.com/
https://whatsmyname.app/
Collections of Tools, Bookmarks, and other guides created to aid in OSINT collection
https://github.com/sinwindie/OSINT/