General objectives

• Iden­ti­fy IP address­es and Domains and subnets
• Iden­ti­fy 3rd-Par­ty sites and their relationships
• Iden­ti­fy people
• Iden­ti­fy technologies
• Iden­ti­fy con­tent of interest
• Iden­ti­fy vulnerabilities

Organizing template

• Orga­ni­za­tion
  • Goals
  • Merg­ers and Acquisitions
  • Projects and Products
  • News
• Infra­struc­ture
  • IPs
  • Host­names
  • Used soft­ware
  • Used hard­ware
• Employ­ees
  • User­names
  • Emails
  • Roles
  • Breached cre­den­tials

Web ressources

• Hunter.io
  • Search engine for email address­es for domains.
• build­With
  • Crawler for detect­ing used tech­nolo­gies on a website.
• Google Hack­ing
• Whois Enu­mer­a­tion
• Net­craft
• Source code / repos­i­tor analy­sis (e.g. Github)
• Shodan (!) If you access Shodan via IPv6, they could lat­er scan this net­work and neigh­bour hosts to detect IPv6 systems.
• Securityheaders.com
• Qualys SSL Test

Tools

• Spi­der­foot
  • Aggre­ga­tion tool for many ser­vices. Web-based. Let it run for a while.
  • Usage:
    git clone https://github.com/smicallef/spiderfoot.git
sudo python3 ./sf.py -l 127.0.0.1:7777
• the­Har­vester
  • Aggre­ga­tion tool for many services.
  • Usage:
    python3 theHarvester.py -d $target_domain -b google
• p0f: Pas­sive OS fingerprinting

Notes

• Search for files of your tar­get. E.g. doc files from the organ­i­sa­tion and analyse meta data to get insights into OS/Software versions.