On Cyber War
1. Reconnaissance / OSINT

Information gathering



Information gathering is one of the first steps during an engagement. The goal of information gathering is to increase understanding of the target's infrastructure, business practices, and the information about it that is available from open sources. The information gathered during this step is used to inform later stages of the engagement.

The following is a sample checklist for researching a target.

Review the target's public facing website and social media accounts

  • What does the target do?

  • How is the organization structured?

  • Take note of contact information for key personnel (leadership/management, IT personnel, etc.)

  • Collect phone and fax numbers, email addresses, usernames, position titles, pictures, etc.

  • Identify email address structures used by the target.

  • Identify internal business practices.

  • Pay particular attention to "about" pages, as these often contain names, social media links, and email addresses.
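One way to turn the "identify email address structures" item into a repeatable check, as an added example that is not part of the original page: given a handful of harvested (name, address) pairs, work out which naming convention the organisation uses and which addresses do not fit it. The sample names and the example.com addresses are constructed for this illustration.

```python
import re
import unicodedata
from collections import Counter

# Candidate address conventions: (first, last) -> local part of the address.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}

def normalize(token):
    """Strip accents and non-letters so 'López' compares as 'lopez'."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())

def match_convention(full_name, email):
    """Return the convention that maps full_name onto email's local part, or None."""
    parts = full_name.split()
    if len(parts) < 2:
        return None  # role accounts and single names reveal no convention
    first, last = normalize(parts[0]), normalize(parts[-1])
    local = email.split("@", 1)[0].lower()
    for name, build in CONVENTIONS.items():
        if first and last and build(first, last) == local:
            return name
    return None

def infer_email_structure(samples):
    """samples: (full_name, email) pairs -> (dominant convention, counts, unmatched pairs)."""
    counts, unmatched = Counter(), []
    for full_name, email in samples:
        convention = match_convention(full_name, email)
        if convention:
            counts[convention] += 1
        else:
            unmatched.append((full_name, email))
    dominant = counts.most_common(1)[0][0] if counts else None
    return dominant, counts, unmatched

# Constructed sample of harvested name/address pairs (not real people or a real domain).
SAMPLES = [
    ("Jane Doe", "jane.doe@example.com"),
    ("John Q. Public", "john.public@example.com"),   # middle initial is ignored
    ("Ana María López", "ana.lopez@example.com"),    # accented name still matches
    ("Bob Smith", "bsmith@example.com"),             # legacy account that breaks the pattern
    ("Helpdesk", "helpdesk@example.com"),            # role account, carries no naming information
]
```

Running infer_email_structure(SAMPLES) reports first.last as the dominant convention, one flast outlier, and the role account as unmatched; the outliers are worth noting because they are exactly the addresses a pattern-based guess would miss.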

Use basic tools to gain additional information about the target's network

  • Perform whois and DNS enumeration to identify target registrar and DNS information

  • Use Google Dorks and Netcraft to attempt to identify technologies used by the target

  • Use Shodan to search for additional internet-connected computers and devices

  • Use FOCA to scrape metadata from the target domain(s)

  • Use the SSL server test to analyze SSL configuration

  • Check security headers with securityheaders.com

  • Check open job postings for mentions of specific technologies

Gather information about target personnel

Check public repositories for additional target information

  • GitHub, GitLab, SourceForge, Pastebin

Harvest usernames - use tools like theHarvester, Hunter.io, and phonebook.cz to search the target domain for usernames, emails, etc.

Use social media tools to profile identified personnel