Passive OSINT

Discover as much as possible about the target without revealing your IP address.

Netcraft.com

Finds the underlying OS, web server version and uptime.

Find subdomains

Sometimes SSL certificates are a goldmine of information.

crt.sh
#!/bin/bash
# a basic script to pull information from crt.sh and present it
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
	echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt install jq'"
	exit 1
else
	# name_value may hold several newline-separated names; sed strips the "*." wildcard
	# prefix and sort -u de-duplicates. Results are written to a file named after the domain.
	curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$1"
fi

If you can't get jq installed, try this script instead:

#!/bin/bash
# a basic script to pull information from crt.sh and present it (no jq needed)
# example ./crt.sh offsecnewbie.com
# author rowbot

if [[ $# -eq 0 ]]; then
	echo "Usage: ./crt.sh domain"
	exit 1
else
	# Scrape the HTML table: keep <TD> cells, take the text after '>', drop the trailing
	# '</TD', de-duplicate and remove wildcard entries. Results go to a file named after the domain.
	curl -s "https://crt.sh/?q=%.$1" -o rawdata
	grep "<TD>" rawdata | grep -vE "style" | cut -d ">" -f 2 | grep -Po '.*(?=....$)' | sort -u | grep -v "*" > "$1"
fi
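As an added example (not part of the original page or rowbot's scripts), the same crt.sh normalisation in Python, which also covers the "no jq" case since it needs only the standard library. The JSON layout it parses (a list of objects whose name_value field may hold several newline-separated names, some with a "*." wildcard prefix) is what the crt.sh output=json endpoint returns; the sample records below are constructed for offline use, and the function names are this example's own. Beyond the bash pipelines it also lowercases names, drops entries that are not under the target domain and rejects strings that are not valid hostnames.

```python
"""Normalise crt.sh certificate-transparency JSON into a clean subdomain list."""
import json
import re
import urllib.request

# Constructed sample of what crt.sh returns for the query %.example.com
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},   # several names in one record
    {"name_value": "*.dev.example.com"},              # wildcard prefix to strip
    {"name_value": "Mail.Example.com"},               # mixed case
    {"name_value": "www.example.com"},                # duplicate entry
    {"name_value": "example.com.attacker.test"},      # out-of-scope lookalike
    {"name_value": "*.example.com"},                  # bare wildcard, nothing left but the apex
])

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, 253 chars total
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `domain` from a crt.sh JSON body."""
    domain = domain.lower().strip(".")
    found = set()
    for record in json.loads(crtsh_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or not HOSTNAME_RE.match(name):
                continue
            # keep the apex itself and anything ending in ".<domain>"; this rejects lookalikes
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_subdomains(domain: str, timeout: int = 30) -> list[str]:
    """Live query against crt.sh (network access required); %25 is the URL-encoded % wildcard."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-subdomains-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_subdomains(resp.read().decode("utf-8"), domain)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print("\n".join(fetch_subdomains(sys.argv[1])))
    else:
        # offline demonstration on the constructed sample
        print("\n".join(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")))
```

Run it with a domain argument for a live lookup, or with no argument to see the sample processed; in either case the output is one hostname per line, ready to feed into the dig loop below.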

Compare the subdomains found by theHarvester with those from the crt.sh script, as some will be missing from either list - not all domains have SSL certificates.

theHarvester -d offsecnewbie.com -l 500 -b google

IP addresses from subdomains

# +short prints only the answer section (so resolver IPs are not captured); the regex keeps A records and drops CNAME names; '^10\.' excludes the private 10.0.0.0/8 range (the earlier pattern "10.*" also dropped addresses such as 110.x.x.x)
for i in $(cat subdomains.txt); do dig +short "$i" A | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'; done

Use VirusTotal to find subdomains:

https://www.virustotal.com

You can also play about with its entity diagram (graph view).

Read

https://www.bugcrowd.com/blog/discovering-subdomains/

Firefox add-on - Passive Recon

Google hacking

Examples:

site:offsecnewbie.com filetype:docx
inurl:/etc/passwd%00 intext:root

Also check out document metadata: it gives information such as where the document was stored (a network share and its IP address), who created it, what it was created with (e.g. Office 2010), etc. FOCA extracts this for you:

https://github.com/ElevenPaths/FOCA

Social Media Search

Search for people (usernames) on social media with Sherlock:

/opt/sherlock/sherlock.py

Recon

A giant inventory of recon tools is available via the Skip Tracing Framework

https://makensi.es/stf/

Find information about a device that is connected

Create a link (https://grabify.link/) and get someone to click on it.

On the device go to https://www.deviceinfo.me/

List of OSINT Tools

Tools - start.me
commandergirl's suggestions - start.me

Shodan queries, taken from "Ultimate OSINT with Shodan: 100+ great Shodan queries" (osintme.com). Each entry is the query followed by what it returns.

Webcams

title:camera – general search for anything matching the "camera" keyword.
webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.
has_screenshot:true IP Webcam – another version of the above search, see how the results might differ?
server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.
server: "webcam 7" – webcam 7 cameras; not as popular as the above type, but still commonly encountered.
title:"blue iris remote view" / Blue Iris – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.
title:"ui3 -" – UI3 is an HTML5 web interface for Blue Iris, mentioned above.
title:"Network Camera VB-M600" – Canon-manufactured megapixel security cameras.
product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
title:"IPCam Client" – IPCam Client webcam devices.
server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some of which had well-documented vulnerabilities.
server: VVTK-HTTP-Server – Vivotek IP cameras.
title:"Avigilon" – access to Avigilon brand camera and monitoring devices.
ACTi – various IP camera and video management system products.
WWW-Authenticate: "Merit LILIN Ent. Co., Ltd." – a UK-based house automation / IP camera provider.
title:"+tm01+" – unsecured Linksys webcams, a lot of them with screenshots.
server: "i-Catcher Console" – another example of an IP-based CCTV system.
Netwave IP Camera Content-Length: 2574 – access to Netwave make IP cameras.
200 ok dvr port:"81" – DVR CCTV cameras accessible via HTTP.
WVC80N – Linksys WVC80N cameras.

Explore further by these tags:
WEBCAM: https://www.shodan.io/explore/tag/webcam
CAM: https://www.shodan.io/explore/tag/cam
CAMERA: https://www.shodan.io/explore/tag/camera

VOIP communication devices

device:"voip" – general search for Voice over IP devices.
device:"voip phone" – more specific search for anything VoIP containing a "phone" keyword.
server: snom – Snom is a VoIP provider with some legacy devices online.
"snom embedded 200 OK" – Snom devices with authentication enabled.
AddPac – an older VoIP provider, nearly exclusively legacy devices.
mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
title:"polycom" – Polycom is another VoIP communication brand.
title:"openstage" – Siemens Openstage brand IP phones.
39 voip – some more VoIP services, mostly behind login screens.
Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by devices such as the Patton SN4112 FXO.

Database searches

product:MySQL – broad search for MySQL databases.
mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.
"MongoDB Server Information" port:27017 – another variation of the above search.
"MongoDB Server Information { "metrics":" – fully open MongoDBs.
"Set-Cookie: mongo-express=" "200 OK" – MongoDB open databases (mongo-express web interface).
kibana content-length:217 – Kibana dashboards accessible without authentication.
port:"9200" all:elastic – Elasticsearch open databases.
port:5432 PostgreSQL – remote connections to PostgreSQL servers.
product:"CouchDB" – Apache CouchDB databases listed.
port:"5984"+Server: "CouchDB/2.1.0" – vulnerable CouchDB where remote code execution may be possible.

Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database

Maritime devices

maritime – general search for anything related to maritime devices.
sailor – another wide search, could yield unrelated results!
org:marlink – general search; Marlink is the world's largest maritime satellite communications provider.
satcom – another maritime satellite communications services provider.
inmarsat – as above, but a slightly less known equipment vendor.
vsat – abbreviation for "very-small-aperture terminal", a data transmitter / receiver commonly used by maritime vessels.
ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
uhp vsat terminal software -password – satellite network router without a password.
ssl:"Cobham SATCOM" – maritime radio and location systems.
title:"Slocum Fleet Mission Control" – maritime mission control software.

Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

http.title:"Index of /" – open lists of files and directories on various servers.
port:80 title:"Index of /" – slight variation of the above, note how the results might differ.
"220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.
230 'anonymous@' login ok – anonymous login allowed to FTP resources.
"Anonymous+access+allowed" port:"21" – as above.
vsftpd 2.3.4 – legacy Linux-based FTP service with a widely known security vulnerability.
ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
"Authentication: disabled" port:445 product:"Samba" – SMB file sharing.
"QuickBooks files OverNetwork" -unix port:445 – default settings for sharing QuickBooks files.
filezilla port:"21" – popular file sharing software FileZilla.

Explore further by these tags:
FTP: https://www.shodan.io/explore/tag/ftp
SMB: https://www.shodan.io/explore/tag/smb

Legacy Windows operating systems

os:"Windows 5.0" – Windows 2000; support ended in 2010.
os:"Windows 5.1" – Windows XP; support ended in 2014.
os:Windows 2003 – Windows Server 2003; support ended in 2015.
os:"Windows Vista" – Windows Vista; support ended in 2017.
os:Windows 2008 – Windows Server 2008; support ended in 2020.
os:"Windows 7" – Windows 7; support ended in 2020.
os:"Windows 8" – Windows 8; support ended in 2016.
os:Windows 2011 – Windows Home Server 2011; support ended in 2016.
os:"Windows 8.1" – Windows 8.1; support ended in 2018.
os:Windows 2012 – Windows Server 2012; support ended in 2018.

Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

admin 1234 – basic, very insecure credentials.
"default password" – speaks for itself...
test test port:"80" – generic test credentials over HTTP.
"authentication disabled" "RFB 003.008" – no authentication necessary.
root@" port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.
port:23 console gateway – remote access via Telnet, no password required.
html:"def_wirelesspassword" – default login pages for routers.
"polycom command shell" – possible authentication bypass on Polycom devices.
"authentication disabled" port:5900,5901 – VNC services without authentication.
"server: Bomgar" "200 OK" – Bomgar remote support service.

Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc

Printers

printer – general search for printers.
"HP-ChaiSOE" port:"80" – HP LaserJet printers accessible through HTTP.
title:"syncthru web service" – older Samsung printers, not secured by default.
"Location: /main/main.html" debut – admin pages of Brother printers, not secured.
port:161 hp – HP printers that can be restarted remotely via port 161.
port:23 "Password is not set" – open access via Telnet to printers without set passwords.
"Laser Printer FTP Server" – printers accessible via FTP with anonymous login allowed.
Printer Type: Lexmark – access to control panels for Lexmark make printers.
http 200 server epson -upnp – HTTP-accessible Epson printers.
"Server: EPSON-HTTP" "200 OK" – another variation of the above search.
ssl:"Xerox Generic Root" – remote access to Xerox printers.
"Server: CANON HTTP Server" – Canon printer servers through an HTTP connection.

Explore further by these tags:
PRINTER: https://www.shodan.io/explore/tag/printer
PRINTERS: https://www.shodan.io/explore/tag/printers
PRINT SERVER: https://www.shodan.io/explore/tag/print%20server

Compromised devices and websites

hacked – general search for the 'hacked' label.
"hacked by" – another variation of the above search.
http.title:"Hacked by" – another variation of the same search filter.
http.title:"0wn3d by" – resources labelled as 'owned' by a threat agent, hacker group, etc.
"HACKED-ROUTER" – compromised routers, labelled accordingly.
port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.
bitcoin has_screenshot:true – searches for the 'bitcoin' keyword where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.
"attention"+"encrypted"+port:3389 – ransomware-infected RDP services.
"HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.
"HACKED FTP server" – compromised FTP servers.

Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked

Miscellaneous

solar – controls for solar panels and similar solar devices.
"ETH – Total speed" – Ethereum cryptocurrency miners.
http.html:"* The wp-config.php creation script uses this file" – misconfigured WordPress websites.
http.title:"Nordex Control" – searches for Nordex wind turbine farms.
"Server: EIG Embedded Web Server" "200 Document follows" – EIG electricity meters.
"DICOM Server Response" port:104 – DICOM medical machinery.
http.title:"Tesla" – anything with the term "Tesla" in the banner.
"in-tank inventory" port:10001 – petrol pumps, including their physical addresses.
http.title:"dashboard" – literally anything labelled 'dashboard', with many not accessible due to security by default.
http.title:"control panel" – as above, but whatever is labelled as a control panel.

Favicon - Search in Shodan

https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv

Last updated 3 years ago