Discover as much as possible about the target without revealing your IP address.
Netcraft.com
Finds the underlying OS, web server version and uptime.
Find subdomains
Sometimes SSL is a goldmine of information
crt.sh
#!/bin/bash
# a basic script to pull information from crt and present it
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
    echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt install jq'"
    exit 1
fi
# %25 is the URL-encoded % wildcard, so %25.$1 matches every subdomain of $1.
# name_value may hold several newline-separated names; jq -r prints one per line,
# sed strips the "*." wildcard prefix and sort -u de-duplicates into a file named after the domain.
curl -s "https://crt.sh/?q=%25.$1&output=json" \
    | jq -r '.[].name_value' \
    | sed 's/\*\.//g' \
    | sort -u > "$1"
If you can't get jq installed, try this script instead:
#!/bin/bash
# a basic script to pull information from crt and present it (no jq needed)
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
    echo "Usage: ./crt.sh domain"
    exit 1
fi
# Fetch the HTML results page, keep the <TD> cells (skipping styled header cells),
# take the text after the opening tag, drop the trailing "</TD", remove wildcard
# entries and de-duplicate into a file named after the domain.
curl -s "https://crt.sh/?q=%25.$1" -o rawdata
grep "<TD>" rawdata \
    | grep -vE "style" \
    | cut -d ">" -f 2 \
    | grep -Po '.*(?=....$)' \
    | sort -u \
    | grep -v "*" > "$1"
Compare the subdomains found with theHarvester against the output of the crt.sh script, as each will miss some: not all domains have SSL certificates.
theHarvester -d offsecnewbie.com -l 500 -b google
IP addresses from subdomains
# dig +short prints only the answer section, so the resolver's own address is not picked up;
# the IP regex keeps dotted-quad answers (CNAME targets are skipped) and the last grep
# drops 10.x.x.x internal addresses.
while read -r host; do
    dig +short A "$host" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'
done < subdomains.txt
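The same two steps, parsing crt.sh output into a clean subdomain list and then keeping only public addresses, as an added Python example. This is not the page's script and it talks to nothing: the JSON below is constructed to look like what https://crt.sh/?q=%25.example.com&output=json returns, where one name_value field may hold several newline-separated names and wildcard entries. It adds two checks the shell pipelines above lack: names are lower-cased and anything that is not the target domain or one of its subdomains is dropped, and the private-address filter uses real RFC 1918 / reserved-range logic instead of a "10" substring match.

```python
"""Added example (not the page's own code): normalise crt.sh JSON output
and filter resolved IPs down to public IPv4 addresses."""
import ipaddress
import json

# Constructed sample of crt.sh JSON output for example.com (not a real query result).
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.Example.com\n*.dev.example.com\nvpn.example.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "example.com.evil-lookalike.net"},  # unrelated name that a loose filter keeps
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames belonging to ``domain``.

    Equivalent of ``jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u``,
    plus lower-casing and a suffix check so look-alike names are discarded.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):          # wildcard SAN: keep the base name
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def public_ipv4_only(addresses) -> list[str]:
    """Keep only globally routable IPv4 addresses.

    Drops RFC 1918, loopback, link-local and documentation ranges; strings that
    are not addresses at all (dig +short also prints CNAME targets) are skipped.
    """
    kept = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr.rstrip("."))
        except ValueError:
            continue
        if ip.version == 4 and ip.is_global:
            kept.append(str(ip))
    return kept


if __name__ == "__main__":
    for host in subdomains_from_crtsh(CRTSH_SAMPLE, "example.com"):
        print(host)
    # Constructed resolver output mixing public, private and non-IP lines.
    print(public_ipv4_only(["10.0.0.5", "93.184.216.10", "192.168.1.1",
                            "cdn.example.net.", "127.0.0.1", "2001:db8::1"]))
```

Feeding real resolver output into public_ipv4_only is a matter of replacing the constructed list with the lines from dig +short; 93.184.216.10 survives here while the page's "10.*" pattern would have discarded it.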
Use Virustotal to find subdomains
https://www.virustotal.com
Also, you can play about with a nice entity diagram.
examples here
site:offsecnewbie.com filetype:docx
inurl:/etc/passwd%00 intext:root
Also check out document metadata: it gives information such as who created the document, what it was created with (e.g. Office 2010) and where it was stored, for example the IP address of a network share. FOCA extracts this:
https://github.com/ElevenPaths/FOCA
Social Media Search
Search for people on social media
/opt/sherlock/sherlock.py
Recon
A giant inventory of recon tools is available via the Skip Tracing Framework:
https://makensi.es/stf/
Find information about a device that is connected
List of OSINT Tools
Explore further by these tags:
VOIP communication devices
Database searches
Maritime devices
Files & directories
Explore further by these tags:
Legacy Windows operating systems
Default / generic credentials
Printers
Explore further by these tags:
Compromised devices and websites
Miscellaneous
Favicon - Search in Shodan
Create a and get someone to click on it.
On device go to
– general search for anything matching the “camera” keyword.
– a general search for any IoT device identified as a webcam that has screenshots available.
– another version of the above search, see how the results might differ?
– webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.
– webcam 7 cameras; not as popular as the above type, but still commonly encountered out there.
– webcams identified as belonging to the webcam remote management and monitoring service.
– UI3 is a HTML5 web interface for Blue Iris mentioned above.
– Canon manufactured megapixel security cameras.
– Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
– IPCam Client webcam devices.
– GeoVision (GeoHttpServer) webcams, older webcam software, some versions of which had well documented vulnerabilities.
– Vivotek IP cameras.
– access to Avigilon brand camera and monitoring devices.
– various IP camera and video management system products.
– a UK-based house automation / IP camera provider.
– unsecured Linksys webcams, a lot of them with screenshots.
– another example of an IP-based CCTV system.
– access to the Netwave make IP cameras.
– DVR CCTV cameras accessible via http.
– Linksys WVC80N cameras.
WEBCAM:
CAM:
CAMERA:
– general search for Voice over IP devices.
– more specific search for anything VoIP containing a “phone” keyword.
– Snom is a VoIP provider with some legacy devices online.
– Snom devices with enabled authentication.
– an older VoIP provider, nearly exclusively legacy devices.
– Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
– Polycom is another VoIP communication brand.
– Siemens Openstage brand IP phones.
– some more VoIP services, mostly behind login screens.
– VoIP media gateway, commonly used by services such as Patton SN4112 FXO.
– broad search for MySQL databases.
– MongoDB databases on their default port. Unsecured by default.
– another variation of the above search.
– fully open MongoDBs.
– MongoDB open databases.
– Kibana dashboards accessible without authentication.
– Elasticsearch open databases.
– remote connections to PostgreSQL servers.
– Apache CouchDB databases listed.
– vulnerable CouchDB where remote code execution may be possible.
Explore further by the DATABASE tag: Database searches
– general search for anything related to maritime devices.
– another wide search, could yield unrelated results!
– general search; Marlink is the world’s largest maritime satellite communications provider.
– another maritime satellite communications services provider.
– as above, but a slightly less known equipment vendor.
– abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.
– abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
– satellite network router without a password.
– maritime radio and locations systems.
– maritime mission control software.
Explore further by the VSAT tag:
– open lists of files and directories on various servers.
– slight variation of the above, note how the results might differ.
– FTP resources potentially accessible without login credentials.
– anonymous login allowed to FTP resources.
– as above.
– legacy Linux based FTP service with a widely known security vulnerability.
– Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
– SMB file sharing.
– default settings for sharing QuickBooks files.
– popular file sharing software Filezilla.
FTP:
SMB:
– Windows 2000; support ended in 2010.
– Windows XP; support ended in 2014.
– Windows Server 2003; support ended in 2015.
– Windows Vista; support ended in 2017.
– Windows Server 2008; support ended in 2020.
– Windows 7; support ended in 2020.
– Windows 8; support ended in 2016.
– Windows Home Server 2011; support ended in 2016.
– Windows 8.1; support ended in 2018.
– Windows Server 2012; support ended in 2018.
Explore further by the WINDOWS tag:
– basic, very insecure credentials.
– speaks for itself…
– generic test credentials over HTTP.
– no authentication necessary.
– accounts already logged in with root privilege over Telnet, port 23.
– remote access via Telnet, no password required.
– default login pages for routers.
– possible authentication bypass to Polycom devices.
– VNC services without authentication.
– Bomgar remote support service.
Explore further by the VNC tag:
– general search for printers.
– HP LaserJet printers accessible through HTTP.
– older Samsung printers, not secured by default.
– admin pages of Brother printers, not secured.
– HP printers that can be restarted remotely via port 161.
– open access via Telnet to printers without set passwords.
– printers accessible via FTP with anonymous login allowed.
– access to control panels for Lexmark make printers.
– HTTP accessible Epson printers.
– another variation of the above search.
– remote access to Xerox printers.
– Canon printer servers through HTTP connection.
PRINTER:
PRINTERS:
PRINT SERVER:
– general search for the ‘hacked’ label.
– another variation of the above search.
– another variation of the same search filter.
– resources labelled as ‘owned’ by a threat agent, hacker group, etc.
– compromised routers, labelled accordingly.
– databases affected by ransomware, with the ransom demand still associated with them.
– searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
– compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
– ransomware infected RDP services.
– compromised hosts with the name changed to that phrase.
– compromised FTP servers.
Explore further by the HACKED tag:
– controls for solar panels and similar solar devices.
– Ethereum cryptocurrency miners.
– misconfigured WordPress websites.
– searches for Nordex wind turbine farms.
– EIG electricity meters.
– DICOM medical machinery.
– anything with the term “Tesla” in the banner.
– petrol pumps, including their physical addresses.
– literally anything labelled ‘dashboard’, with many not accessible due to security by default.
– as above, but whatever is labelled as control panels.