www.OffSecNewbie.com
Search…
Intro
Pre-engagement
General methodology
OSCP Templates
Recon
Active
Passive OSINT
Attack Types
Network
Shells
Port Forwarding / SSH Tunneling
Transferring files
Web
SQL
Password cracking
Useful Linux Commands
Android
Buffer Overflow
TCP Dump and Wireshark Commands
Cloud Pentesting
Privilege Escalation
Linux
Windows
Kali Configuration
My bash Profile Files
Terminator Configuration
Tmux Configuration
Fish Config
Useful things to Install
VSCode Configuration
Automated
Tools
Videos
My Youtube Channel
IppSec Videos
The Cyber Mentor
VMs Similar to OSCP
Machines Similar to OSCP
Search Ippsec's Videos
Search Ippsec's Videos
Pcap Analysis
Pcap analysis
RegEx
MSFvenom Cheetsheet
Support me
Donate
Powered By GitBook
Recon
https://twitter.com/dc9221/status/1233349429828243456/photo/1

A Web App Tool to Run and Keep all your recon in the same place.

https://docs.reconness.com/
bugcrowd
Ways to find Brand / TLD Discovery

Discover IP Space

look for different asns
http://bgp.he.net
prefixes v4
presents different IP ranges inside the CIDR notation
whois -h whois.cymru.com $(dig +short tesla.com) #finds CIDR notation for tesla.com - finds ip address for website
careful not to pick up shared hosting
amass
find subdomains for each of of these ASNs
amass intel -asn 123456
#find more details about ip ranges/countries etc
whois.arin.net
ripe.net
shodan.io
https://beta.shodan.io/search/filters #useful filters
org:"Tesla"
#maybe some false positives

Discovering New Targets and TLDs

Find different attack surfaces which other people might not have discovered, ie from acquisitions
Wikipedia
search for subsiduries
Crunchbase.com
search for org
look for acquisitions
Owler.com
search for org
look for acquisitions
Acquiredby.co
search for org
acquisitions
LinkedIn
affiliated pages or similiar pages
Reversewhois
amass intel -d tesla.com -whois
Builtwith
Relationship Profile
look for anaylitical codes under ID # google tracking codes that are linked to different sites
GoogleDorks
intext:"copyright tesla motors"
ShodanDorks
http.favicon.hash:81586312 # Jenkins favicon hash
can narrow it down after that

Subdomain Enumeration

https://github.com/tomnomnom/assetfinder/
assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
setup config.ini file get access to a lot more data than baseline tool
subfinder # not used much but has a few extra sources
subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
https://github.com/subfinder/goaltdns
massdns
#download all.txt
sed -e 's/$/.tesla.com/' -i all.txt #adds tesla.com to start of each line - overrides file
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
#massdns much faster than gobuster but can get you blacklisted from dns resolovers - a lot of false positives and negatives
rapid 7 fdns
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.org\"," | jq -r '.name'
certstream
certstream | grep -E "\.tesla\.comquot;
#Real-time certificate transparency log update stream

Fingerprinting

what is running, narrow down attack surface
builtwith.com
whatweb #follows redirection http-->https
massscan & nmap
masscan -p1-65535 $(dig +short tesla.com) --rate 1000

Dorking

shodan dork
org:"Tesla"
ssl:"Tesla" #accurate and can prove ownership to organisation
ssl:"Tesla" http.component:"Drupal"
ssl:"Tesla" http.title:"Login"
censys.io
443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
github dork
"tesla.com" password
"tesla.com" key
"tesla.com" api
https://github.com/condingo/dorky #automate the dorking process - tool to be released
​

Content Discovery

Burpcrawler
crawl site
Linkfinder https://github.com/GerbenJavado/LinkFinder
jsparser - similar to above
gobuster & recursebuster # recurse only does directory
otxurls
echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvault
waybackurls
echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing
​

Parameter Discovery

https://github.com/maK-/parameth

Automation

https://github.com/codingo/Interlace
Interlace #multithreads other tools
interlace -tL domains.txt -c "amass enum-d _target_" -o siubdomains.txt -threads 20
LazyRecon #outofdate but still good baseline
GHDB + others GUI tool
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Username discovery

To find out what sites a user is registered:
https://namechk.com/
https://whatsmyname.app/

Other

Collections of Tools, Bookmarks, and other guides created to aid in OSINT collection
https://github.com/sinwindie/OSINT/
​
Previous
OSCP Templates
Next
Active
Last modified 1yr ago
Copy link
Outline
A Web App Tool to Run and Keep all your recon in the same place.
Discover IP Space
Discovering New Targets and TLDs
Subdomain Enumeration
Fingerprinting
Dorking
Content Discovery
Parameter Discovery
Automation
Username discovery
Other