Recon
https://twitter.com/dc9221/status/1233349429828243456/photo/1

A Web App Tool to Run and Keep all your recon in the same place.

https://docs.reconness.com/
bugcrowd
Ways to find Brand / TLD Discovery

Discover IP Space

look for the different ASNs the organisation owns
http://bgp.he.net
"Prefixes v4" tab
lists the IP ranges announced by that ASN in CIDR notation
whois -h whois.cymru.com " -v $(dig +short tesla.com | head -n 1)" #resolves the website IP and returns its ASN and BGP prefix (CIDR); the -v flag is what makes the Cymru service include the prefix - dig may return several IPs, query each one
careful not to pick up shared hosting - an IP in a CDN or cloud provider's prefix belongs to the provider, not the target
amass
find the root domains and netblocks associated with each of these ASNs
amass intel -asn 123456
#find more details about ip ranges/countries etc
whois.arin.net
ripe.net
shodan.io
https://beta.shodan.io/search/filters #useful filters
org:"Tesla"
#maybe some false positives - the org field comes from the netblock owner, so hosting providers also show up
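The ASN lookup above, done in bulk and with the "shared hosting" check applied, as an added example that is not part of the original notes. The response lines are constructed sample data in the verbose column layout of Team Cymru's whois service: AS13335 and AS16509 are the real Cloudflare and Amazon ASNs, while AS64500 (a documentation-range ASN) and its AS name stand in for the target. The only network call (nc to port 43) is shown in a comment and not executed.

```shell
#!/bin/sh
# Added example, not from the original notes: bulk ASN/prefix lookup through
# Team Cymru's whois service, then keep only the prefixes the organisation
# actually owns. CYMRU_OUT is CONSTRUCTED sample data; AS64500 and the
# "TESLA-EXAMPLE" AS name are stand-ins, AS13335/AS16509 are Cloudflare/Amazon.

# Build the bulk query. Real use: cymru_query < ips.txt | nc whois.cymru.com 43
cymru_query() {
    printf 'begin\nverbose\n'
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true   # keep only IPv4 literals
    printf 'end\n'
}

# Parse "AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name" rows into
# unique "ASN PREFIX ASNAME" lines; the banner and header lines are dropped.
cymru_parse() {
    awk -F'|' 'NF >= 7 {
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        if ($1 ~ /^[0-9]+$/) print $1, $3, $7
    }' | sort -u
}

# From cymru_parse output, print only prefixes whose AS name contains ORG
# (case-insensitive). Everything else is somebody else's shared space
# (CDN, cloud, hosting) and must not be scanned as if it were the target's.
owned_prefixes() {            # usage: cymru_parse < out | owned_prefixes tesla
    org=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v org="$org" 'index(toupper($0), org) > 0 { print $2 }' | sort -u
}

# Constructed sample response (what nc would print back).
CYMRU_OUT='Bulk mode; whois.cymru.com [2024-01-01 00:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64500   | 198.51.100.10    | 198.51.100.0/24     | US | arin     | 2015-01-01 | TESLA-EXAMPLE, US
64500   | 198.51.100.20    | 198.51.100.0/24     | US | arin     | 2015-01-01 | TESLA-EXAMPLE, US
13335   | 203.0.113.5      | 203.0.113.0/24      | US | arin     | 2010-07-14 | CLOUDFLARENET, US
16509   | 192.0.2.44       | 192.0.2.0/24        | US | arin     | 2005-05-05 | AMAZON-02, US'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$CYMRU_OUT" | cymru_parse
    printf '%s\n' "$CYMRU_OUT" | cymru_parse | owned_prefixes tesla
fi
```

Run with `sh cymru.sh demo` to see the three unique ASN rows and then the single prefix that survives the ownership filter; the Cloudflare and Amazon prefixes are exactly the shared space the note warns about.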

Discovering New Targets and TLDs

Find different attack surfaces which other people might not have discovered, e.g. from acquisitions
Wikipedia
search for subsidiaries
Crunchbase.com
search for org
look for acquisitions
Owler.com
search for org
look for acquisitions
Acquiredby.co
search for org
acquisitions
LinkedIn
affiliated pages or similar pages
Reverse whois
amass intel -d tesla.com -whois #registrant details are often redacted these days, so expect gaps
Builtwith
Relationship Profile
look for analytics codes under ID # Google tracking codes shared across sites point to the same owner
Google dorks
intext:"copyright tesla motors"
Shodan dorks
http.favicon.hash:81586312 # Jenkins favicon hash - Shodan's value is MurmurHash3 of the base64-encoded favicon, so you can compute it for any app's icon and search for that
can narrow it down after that

Subdomain Enumeration

https://github.com/tomnomnom/assetfinder/
assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
set up a config.ini with API keys to get access to a lot more data than the baseline tool
subfinder # not used much but has a few extra sources
subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
https://github.com/subfinder/goaltdns
massdns
#download all.txt
sed -e 's/$/.tesla.com/' -i all.txt #appends .tesla.com to the END of each line and overwrites the file in place
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
#massdns is much faster than gobuster but can get you blacklisted by DNS resolvers - expect a lot of false positives and negatives, so check for wildcard DNS and re-verify hits with a second resolver
rapid 7 fdns
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.com\"," | jq -r '.name'
certstream
certstream | grep -E "\.tesla\.com"
#Real-time certificate transparency log update stream
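The massdns wordlist preparation and result clean-up from the block above, as an added example that is not part of the original notes. It fixes the two things that bite in practice: the suffix goes on the end of each word, and wildcard DNS (where any label under the domain resolves) has to be filtered out or every word in all.txt becomes a "subdomain". WORDS and MASSDNS_OUT are constructed sample data in massdns's simple (-o S) output format; massdns itself is not run.

```shell
#!/bin/sh
# Added example, not from the original notes: build the massdns wordlist and
# clean massdns output, dropping wildcard-DNS noise. WORDS and MASSDNS_OUT are
# CONSTRUCTED sample data (massdns "-o S" simple format); massdns is not run here.

# Append ".DOMAIN" to the END of every word (the sed on the page does the same
# in place), dropping blank and duplicate lines so no query is wasted.
build_wordlist() {            # usage: build_wordlist DOMAIN < words.txt
    domain="$1"
    sed -e '/^[[:space:]]*$/d' -e "s/\$/.${domain}/" | sort -u
}

# Reduce massdns simple output ("name. TYPE data") to one hostname per line.
# WILDCARD is the answer a random label returns, e.g.
#   dig +short "$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n').tesla.com"
# If that resolves, every record carrying the same answer is wildcard noise
# and is dropped; with no argument, nothing is filtered.
clean_massdns() {             # usage: clean_massdns [WILDCARD_ANSWER] < massdns.out
    awk -v wc="${1:-}" '
        NF >= 3 && ($2 == "A" || $2 == "AAAA" || $2 == "CNAME") {
            if (wc != "" && $3 == wc) next   # same answer as the random label
            sub(/\.$/, "", $1)               # strip the trailing dot
            print $1
        }' | sort -u
}

# Constructed sample input
WORDS='www
mail
dev

www'
MASSDNS_OUT='www.tesla.com. A 23.45.67.89
mail.tesla.com. CNAME mail.example.net.
dev.tesla.com. A 10.9.8.7
kjh3j4h5.tesla.com. A 198.51.100.1
zzzzzz.tesla.com. A 198.51.100.1'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$WORDS" | build_wordlist tesla.com
    printf '%s\n' "$MASSDNS_OUT" | clean_massdns 198.51.100.1
fi
```

With the wildcard answer 198.51.100.1 supplied, the two junk labels disappear and only www, mail and dev remain; without it all five names would be reported as live.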

Fingerprinting

find out what is running and narrow down the attack surface
builtwith.com
whatweb #follows redirection http-->https
masscan & nmap
masscan -p1-65535 $(dig +short tesla.com) --rate 1000 #needs root; dig can return several IPs and masscan takes them all as targets - then run nmap -sV only against the ports masscan found open
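The masscan-to-nmap handoff implied by the block above, as an added example that is not part of the original notes: masscan's list output (-oL) is folded into one "IP PORTS" line per host so nmap only version-scans ports that are actually open. MASSCAN_OUT is a constructed sample in masscan's list format; neither scanner is run here.

```shell
#!/bin/sh
# Added example, not from the original notes: fold masscan list output (-oL)
# into per-host port lists for nmap. MASSCAN_OUT is CONSTRUCTED sample data.
# Real use:
#   sudo masscan -p1-65535 198.51.100.0/24 --rate 1000 -oL masscan.lst
#   ports_per_host < masscan.lst | while read -r ip ports; do
#       nmap -sV -Pn -p "$ports" "$ip" -oA "nmap_$ip"
#   done

# One "IP PORT,PORT,..." line per host, ports in order of appearance.
ports_per_host() {            # usage: ports_per_host < masscan.lst
    awk '$1 == "open" && $2 == "tcp" {
        if ($4 in p) p[$4] = p[$4] "," $3; else p[$4] = $3
    }
    END { for (ip in p) print ip, p[ip] }' | sort
}

# Constructed sample of masscan -oL output (comment lines are masscan's own).
MASSCAN_OUT='#masscan
open tcp 443 198.51.100.10 1700000000
open tcp 22 198.51.100.10 1700000001
open tcp 8080 198.51.100.20 1700000002
# end'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$MASSCAN_OUT" | ports_per_host
fi
```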

Dorking

shodan dork
org:"Tesla"
ssl:"Tesla" #matches the TLS certificate's organisation fields, so a hit is strong evidence the host really belongs to the organisation
ssl:"Tesla" http.component:"Drupal"
ssl:"Tesla" http.title:"Login"
censys.io
443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
github dork
"tesla.com" password
"tesla.com" key
"tesla.com" api
https://github.com/condingo/dorky #automate the dorking process - tool to be released

Content Discovery

Burp crawler
crawl the site
LinkFinder https://github.com/GerbenJavado/LinkFinder #pulls endpoints out of JavaScript files
jsparser - similar to above
gobuster & recursebuster # recursebuster only does directory brute-forcing, but recurses into whatever it finds
otxurls
echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within AlienVault OTX
waybackurls
echo "www.tesla.com" | waybackurls | head -n 300 #similar to above; you get parameters back, which is useful when fuzzing
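What to do with the thousands of lines otxurls and waybackurls return, as an added example that is not part of the original notes: pull out the hostnames (often extra subdomains), the parameter names (the things worth fuzzing), and one representative URL per path-and-parameter shape so the fuzzer does not hit the same endpoint a thousand times with different values. URLS is a constructed sample list; nothing here touches the network.

```shell
#!/bin/sh
# Added example, not from the original notes: mine waybackurls/otxurls output
# for hosts, parameter names and unique endpoint shapes to feed a fuzzer.
# URLS is a CONSTRUCTED sample list; no network access is made.

# Unique hostnames seen in the URLs (extra subdomains often turn up here).
hosts_from_urls() {           # usage: hosts_from_urls < urls.txt
    sed -n 's|^[a-z][a-z0-9+.-]*://\([^/?#]*\).*|\1|p' | sort -u
}

# Unique parameter names from every query string (fuzz these, not the values).
param_names() {               # usage: param_names < urls.txt
    sed -n 's/#.*//; s/^[^?]*?//p' | tr '&' '\n' | sed 's/=.*//' | grep -v '^$' | sort -u
}

# Collapse URLs that differ only in parameter values or parameter order:
# key = path + sorted parameter names, first URL per key is kept.
uniq_endpoints() {            # usage: uniq_endpoints < urls.txt
    awk '{
        url = $0; sub(/#.*/, "", url)
        q = index(url, "?")
        key = url
        if (q > 0) {
            key = substr(url, 1, q - 1)
            n = split(substr(url, q + 1), kv, "&")
            for (i = 1; i <= n; i++) sub(/=.*/, "", kv[i])
            for (i = 1; i <= n; i++)              # tiny sort so order does not matter
                for (j = i + 1; j <= n; j++)
                    if (kv[j] < kv[i]) { t = kv[i]; kv[i] = kv[j]; kv[j] = t }
            for (i = 1; i <= n; i++) key = key (i == 1 ? "?" : "&") kv[i]
        }
        if (!(key in seen)) { seen[key] = 1; print $0 }
    }'
}

# Constructed sample of what waybackurls might print.
URLS='https://www.tesla.com/search?q=model3&page=1
https://www.tesla.com/search?page=2&q=modely
https://shop.tesla.com/login?redirect=/account
https://www.tesla.com/about
https://www.tesla.com/search?q=roadster'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$URLS" | hosts_from_urls
    printf '%s\n' "$URLS" | param_names
    printf '%s\n' "$URLS" | uniq_endpoints
fi
```

The second search URL collapses into the first because it carries the same parameter names in a different order, while the single-parameter search is kept as a separate shape; `param_names` feeds straight into a fuzzer's wordlist and `hosts_from_urls` back into the subdomain list.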

Parameter Discovery

https://github.com/maK-/parameth

Automation

https://github.com/codingo/Interlace
Interlace #multithreads other tools, replacing _target_ with each line of the input list
interlace -tL domains.txt -c "amass enum -d _target_" -o subdomains.txt -threads 20
LazyRecon #out of date but still a good baseline
GHDB + others GUI tool
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Username discovery

To find out which sites a username is registered on:
https://namechk.com/
https://whatsmyname.app/

Other

Collections of Tools, Bookmarks, and other guides created to aid in OSINT collection
https://github.com/sinwindie/OSINT/