Passive OSINT
Discover as much about the target as possible without revealing your IP address
Finds the underlying OS, web server version and uptime
Sometimes SSL is a goldmine of information
crt.sh
#!/bin/bash
# a basic script to pull information from crt and present it
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
    echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt install jq'"
    exit 1
else
    # query crt.sh for every cert matching %.domain, pull each name out of the JSON,
    # strip wildcard prefixes, dedupe and save the list to a file named after the domain
    curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$1"
fi
If you can't get jq installed, try this script instead
#!/bin/bash
# a basic script to pull information from crt and present it (no jq needed)
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
    echo "Usage: ./crt.sh domain"
    exit 1
else
    # fetch the HTML results page, keep the <TD> cells, cut off the opening tag,
    # drop the trailing "</TD" with the lookahead, dedupe and discard wildcard names
    curl -s "https://crt.sh/?q=%.$1" -o rawdata
    grep "<TD>" rawdata | grep -vE "style" | cut -d ">" -f 2 | grep -Po '.*(?=....$)' | sort -u | grep -v "*" > "$1"
fi
Compare the subdomains found by theHarvester with those from the crt.sh script, as each source misses some - not every domain has SSL.
theHarvester -d offsecnewbie.com -l 500 -b google
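An added example (not the page's own script) of doing that comparison offline: it normalises a crt.sh JSON response the way the jq script does (splitting multi-name records, stripping wildcards) and diffs it against a theHarvester host list. Both inputs are constructed samples, and the "host:ip" line format assumed for theHarvester output is an assumption.

```python
import json

# Constructed sample of a crt.sh "?q=%.example.com&output=json" response (not a real capture):
# name_value can carry several names separated by newlines, and wildcard entries start with "*."
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.Example.com\nmail.example.com"},
])

# Constructed sample of theHarvester host output, assumed to be "host:ip" lines
HARVESTER_SAMPLE = """www.example.com:93.184.216.34
blog.example.com:93.184.216.35
mail.example.com:93.184.216.36
"""


def crtsh_names(raw_json, domain):
    """Unique lower-cased hostnames from a crt.sh JSON body, wildcard prefix
    stripped (like sed 's/\\*\\.//g' in the script) and names outside the
    target domain dropped."""
    names = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def harvester_hosts(text):
    """Hostnames from theHarvester 'host:ip' lines."""
    return {line.split(":", 1)[0].strip().lower()
            for line in text.splitlines() if line.strip()}


def compare(crt, harv):
    """Hosts only one source saw: crt.sh misses hosts that never had a
    certificate, theHarvester misses hosts that never surfaced in search."""
    return {"only_crtsh": sorted(crt - harv),
            "only_harvester": sorted(harv - crt),
            "both": sorted(crt & harv)}


if __name__ == "__main__":
    crt = crtsh_names(CRTSH_SAMPLE, "example.com")
    print(json.dumps(compare(crt, harvester_hosts(HARVESTER_SAMPLE)), indent=2))
```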
IP addresses from subdomains
# resolve each host's A records; +short keeps the resolver's own address out of the output,
# and the last grep drops 10.x.x.x private addresses (the old "10.*" pattern matched any address containing "10")
while read -r host; do dig +short A "$host" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'; done < subdomains.txt
Use Virustotal to find subdomains
https://www.virustotal.com

This Bugcrowd post on discovering subdomains also has a nice entity diagram to play about with

https://www.bugcrowd.com/blog/discovering-subdomains/
Firefox addon - Passive Recon
Google dork examples
site:offsecnewbie.com filetype:docx
inurl:/etc/passwd%00 intext:root
Also check out document metadata: who created the document, what it was created with (eg Office 2010) and where it was stored (eg the IP address of a network share). FOCA extracts this
https://github.com/ElevenPaths/FOCA
Search for people on social media
/opt/sherlock/sherlock.py
A giant inventory of recon tools is available via the Skip Tracing Framework
https://makensi.es/stf/
Shodan search examples
- webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.
- has_screenshot:true IP Webcam – another version of the above search; see how the results might differ?
- server: webcamXP – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.
- server: "webcam 7" – webcam 7 cameras; not as popular as the above type, but still commonly encountered.
- title:"blue iris remote view" – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.
- product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
- server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some versions of which have well documented vulnerabilities.
- mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
- Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by devices such as the Patton SN4112 FXO.
- port:"5984"+Server: "CouchDB/2.1.0" – vulnerable CouchDB where remote code execution may be possible.
- org:marlink – general search; Marlink is the world's largest maritime satellite communications provider.
- vsat – abbreviation for "very-small-aperture terminal", a data transmitter / receiver commonly used by maritime vessels.
- ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
- "220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.
- ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
- "[email protected]" port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.
- port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.
- bitcoin has_screenshot:true – searches for the 'bitcoin' keyword where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
- port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.
- "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.
- http.title:"dashboard" – literally anything labelled 'dashboard'; many are not accessible because they are secure by default.