www.OffSecNewbie.com
Search…
Intro
Pre-engagement
General methodology
OSCP Templates
Recon
Active
Passive OSINT
Attack Types
Network
Shells
Port Forwarding / SSH Tunneling
Transferring files
Web
SQL
Password cracking
Useful Linux Commands
Android
Buffer Overflow
TCP Dump and Wireshark Commands
Cloud Pentesting
Privilege Escalation
Linux
Windows
Kali Configuration
My bash Profile Files
Terminator Configuration
Tmux Configuration
Fish Config
Useful things to Install
VSCode Configuration
Automated
Tools
Videos
My Youtube Channel
IppSec Videos
The Cyber Mentor
VMs Similar to OSCP
Machines Similar to OSCP
Search Ippsec's Videos
Search Ippsec's Videos
Pcap Analysis
Pcap analysis
RegEx
MSFvenom Cheetsheet
Support me
Donate
Powered By GitBook
Recon
https://twitter.com/dc9221/status/1233349429828243456/photo/1

A Web App Tool to Run and Keep all your recon in the same place.

1
https://docs.reconness.com/
Copied!
bugcrowd
Ways to find Brand / TLD Discovery

Discover IP Space

1
look for different asns
2
http://bgp.he.net
3
prefixes v4
4
presents different IP ranges inside the CIDR notation
5
whois -h whois.cymru.com $(dig +short tesla.com) #finds CIDR notation for tesla.com - finds ip address for website
6
careful not to pick up shared hosting
7
amass
8
find subdomains for each of of these ASNs
9
amass intel -asn 123456
10
#find more details about ip ranges/countries etc
11
whois.arin.net
12
ripe.net
13
shodan.io
14
https://beta.shodan.io/search/filters #useful filters
15
org:"Tesla"
16
#maybe some false positives
Copied!

Discovering New Targets and TLDs

1
Find different attack surfaces which other people might not have discovered, ie from acquisitions
2
Wikipedia
3
search for subsiduries
4
Crunchbase.com
5
search for org
6
look for acquisitions
7
Owler.com
8
search for org
9
look for acquisitions
10
Acquiredby.co
11
search for org
12
acquisitions
13
LinkedIn
14
affiliated pages or similiar pages
15
Reversewhois
16
amass intel -d tesla.com -whois
17
Builtwith
18
Relationship Profile
19
look for anaylitical codes under ID # google tracking codes that are linked to different sites
20
GoogleDorks
21
intext:"copyright tesla motors"
22
ShodanDorks
23
http.favicon.hash:81586312 # Jenkins favicon hash
24
can narrow it down after that
25
Copied!

Subdomain Enumeration

1
https://github.com/tomnomnom/assetfinder/
2
assetfinder -subs-only offsecnewbie.com
3
amass enum -d tesla.com -ip
4
setup config.ini file get access to a lot more data than baseline tool
5
subfinder # not used much but has a few extra sources
6
subfinder -d tesla.com -t 25 -timeout 5 -silent
7
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
8
all.txt + goaltdns + commonspeak --> massdns / gobuster3
9
https://github.com/subfinder/goaltdns
10
massdns
11
#download all.txt
12
sed -e 's/$/.tesla.com/' -i all.txt #adds tesla.com to start of each line - overrides file
13
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
14
#massdns much faster than gobuster but can get you blacklisted from dns resolovers - a lot of false positives and negatives
15
rapid 7 fdns
16
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
17
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.org\"," | jq -r '.name'
18
certstream
19
certstream | grep -E "\.tesla\.comquot;
20
#Real-time certificate transparency log update stream
Copied!

Fingerprinting

what is running, narrow down attack surface
1
builtwith.com
2
whatweb #follows redirection http-->https
3
massscan & nmap
4
masscan -p1-65535 $(dig +short tesla.com) --rate 1000
Copied!

Dorking

1
shodan dork
2
org:"Tesla"
3
ssl:"Tesla" #accurate and can prove ownership to organisation
4
ssl:"Tesla" http.component:"Drupal"
5
ssl:"Tesla" http.title:"Login"
6
censys.io
7
443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
8
github dork
9
"tesla.com" password
10
"tesla.com" key
11
"tesla.com" api
12
https://github.com/condingo/dorky #automate the dorking process - tool to be released
13
​
Copied!

Content Discovery

1
Burpcrawler
2
crawl site
3
Linkfinder https://github.com/GerbenJavado/LinkFinder
4
jsparser - similar to above
5
gobuster & recursebuster # recurse only does directory
6
otxurls
7
echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvault
8
waybackurls
9
echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing
10
​
Copied!

Parameter Discovery

1
https://github.com/maK-/parameth
Copied!

Automation

1
https://github.com/codingo/Interlace
2
Interlace #multithreads other tools
3
interlace -tL domains.txt -c "amass enum-d _target_" -o siubdomains.txt -threads 20
4
LazyRecon #outofdate but still good baseline
Copied!
GHDB + others GUI tool
1
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
Copied!

Username discovery

To find out what sites a user is registered:
1
https://namechk.com/
2
https://whatsmyname.app/
Copied!

Other

Collections of Tools, Bookmarks, and other guides created to aid in OSINT collection
1
https://github.com/sinwindie/OSINT/
Copied!
​
Previous
OSCP Templates
Next
Active
Last modified 10mo ago
Copy link
Contents
A Web App Tool to Run and Keep all your recon in the same place.
Discover IP Space
Discovering New Targets and TLDs
Subdomain Enumeration
Fingerprinting
Dorking
Content Discovery
Parameter Discovery
Automation
Username discovery
Other