Passive (OSINT)
Last updated
Last updated
Source Identification: as the starting point, in this initial phase the attacker identifies potential sources from which information may be gathered from. Sources are internally documented throughout the process in detailed notes to come back to later if necessary.
Data Harvesting: in this phase, the attacker collects and harvests information from the selected sources and other sources that are discovered throughout this phase.
Data Processing and Integration: during this phase, the attacker processes the harvested information for actionable intelligence by searching for information that may assist in enumeration.
Data Analysis: in this phase, the attacker performs data analysis of the processed information using OSINT analysis tools.
Results Delivery: in the final phase, OSINT analysis is complete and the findings are presented/reported to other members of the Red Team.
also named Google dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in web applications, finding loots, targeting databases, login pages or even exposed backup files and directories.
Bug Bounty Dorks
Backlinks
CMS Dorks
besides the google dorks which are more advanced, there are some google search tricks (keywords) that will make your life easier. these are the keywords used in advanced google searches:
If you include other words in the query, Google will highlight those words within the cached document. For instance, [cache:www.google.com web] will show the cached content with the word โwebโ highlighted. This functionality is also accessible by clicking on the โCachedโ link on Googleโs main results page. The query [cache:] will show the version of the web page that Google has in its cache. For instance, [cache:www.google.com] will show Googleโs cache of the Google homepage. Note there can be no space between the โcache:โ and the web page url.
The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the โlink:โ and the web page url.
related:
The query [related:] will list web pages that are โsimilarโ to a specified web page. For instance, [related:www.google.com] will list web pages that are similar to the Google homepage. Note there can be no space between the โrelated:โ and the web page url.
The query [info:] will present some information that Google has about that web page. For instance, [info:www.google.com] will show information about the Google homepage. Note there can be no space between the โinfo:โ and the web page url.
The query [define:] will provide a definition of the words you enter after it, gathered from various online sources. The definition will be for the entire phrase entered (i.e., it will include all the words in the exact order you typed them).
If you begin a query with the [stocks:] operator, Google will treat the rest of the query terms as stock ticker symbols, and will link to a page showing stock information for those symbols. For instance, [stocks: intc yhoo] will show information about Intel and Yahoo. (Note you must type the ticker symbols, not the company name.)
If you include [site:] in your query, Google will restrict the results to those websites in the given domain. For instance, [help site:www.google.com] will find pages about help within www.google.com. [help site:com] will find pages about help within .com urls. Note there can be no space between the โsite:โ and the domain.
**** If you start a query with [allintitle:], Google will restrict the results to those with all of the query words in the title. For instance, [allintitle: google search] will return only documents that have both โgoogleโ and โsearchโ in the title.
If you include [intitle:] in your query, Google will restrict the results to documents containing that word in the title. For instance, [intitle:google search] will return documents that mention the word โgoogleโ in their title, and mention the word โsearchโ anywhere in the document (title or no). Note there can be no space between the โintitle:โ and the following word. Putting [intitle:] in front of every word in your query is equivalent to putting [allintitle:] at the front of your query: [intitle:google intitle:search] is the same as [allintitle: google search].
If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the url. For instance, [inurl:google search] will return documents that mention the word โgoogleโ in their url, and mention the word โsearchโ anywhere in the document (url or no). Note there can be no space between the โinurl:โ and the following word. Putting โinurl:โ in front of every word in your query is equivalent to putting โallinurl:โ at the front of your query: [inurl:google inurl:search] is the same as [allinurl: google search].
OR : ( | )
AND: (&)
NOT
define : define a word or phrase
we can use github advanced search keywords and dorks to find sensitive data in repositories.
some examples of github search keywords:
Web server type
Web application dev environment
Firewall type
Routers
site: [ companydomain ] careers Q , Keyword or Title 9
site: [ companydomain ] jobs .
site: [ companydomain ] openings
Also, searches of job-related site
Organizations maintain servers that provide public PGP keys to clients. You can query these to reveal user email addresses and details.
some tips to find real IP addresses hiding behind CloadFlare and Tor
see if a single server or ip is hosting multiple websites/domains:
here the keywords that are mostly used in shodan search queries:
for example these are some queries you can use with these keywords:
there are several other ways to use the search engine without the website for example with the nmap NSE scripts like this:
there is also a CLI shodan interface written in python for linux which you can use or integrate in your own scripts or tools. to install and setup the CLI tool:
you can use the CLI tool by simply specifying a single host/IP:
shodan will return ports, services and even some possible CVEs ( which are not very reliable ).
and here are some other useful resources about shodan:
Tools and resources for credential leaks available online:
I have put together a list of the most used OSINT sources that will usually cover about 90% of your needs in a regular pentest. remember there are endless ways to find Intel about your target. the OSINT process is limited to your own imagination.
scholar.google.com
arxiv.org
guides.library.harvard.edu
deepdotweb.com
Core.onion
OnionScan
Tor Scan
ahmia.fi
not evil
Google Alerts
HaveIBeenPwned.com
Dehashed.com
Spycloud.com
Ghostproject.fr
weleakinfo.com/
a well-known tool among pentesters and OSINT investigators which is mostly good for collecting subdomains and email addresses.
harvester is preinstalled on pentesting OSs like kali and parrot but for others you can install it from github and run it in docker:
An email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt's "Collection1" and the infamous "Breach Compilation" torrent.
a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. The findings will be presented through a web interface for easy browsing and analysis.
LinkedIn enumeration tool. preinstalled on kali.
In-depth Attack Surface Mapping and Asset Discovery, preinstalled on kali. The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
run the help to see the options:
an open source intelligence (OSINT) automation tool. It calmes to integrate with just about every data source available and utilities a range of methods for data analysis, making that data easy to navigate.
By far, the best recon framework out there with both active and passive modules. designed like metasploit framework and each type of recon has its own specific module and options. the modules are installed from the "marketplace" plus a bunch of reporting modules for different formats. recon-ng is preinstalled on kali linux and parrot OS.
you can see the full ocumentation in the wiki:
here are some of the useful commands for a quick start:
to install all recon modules at once:
some modules need api keys add it with :
a list of modules i usually use:
find user accounts on social media
advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API.
for analyzing and finding a person's profile across +800 social media websites
is a great collection of OSINT resources that you should definitely check them out.
is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks. its preinstalled in kali linux. you can download it from
Wordpress
Magento
Joomla
Search engine for the Internet of everything. Shodan is the world's first search engine for Internet-connected devices including computers, servers, CCTV cameras, SCADA systems and everything that is connected to the internet with or without attention. Shodan can be used both as a source for gathering info about random targets for mass attacks and a tool for finding weak spots in a large network of systems to attack and take the low-hanging fruit. Shodan has a free and commercial membership and is accessible at . the search syntax in the search engine is somehow special and can be found in the help section of the website. with shodan you can search for specific systems, ports, services, regions and countries or even specific vulnerable versions of a software or OS service running on systems like SMB v1 and much more.
