Active and passive reconnaissance
Passive reconnaissance
Passive reconnaissance doesn’t involve running pentesting utilities against the target; it is an analysis of what the organization looks like from within, built from information that is already public, so nothing touches the target’s systems. A good start is to google as much information about the target as you can: job openings, financial reports, office photos. Especially useful information can be found on LinkedIn, Glassdoor, and the company’s blog.
Passive reconnaissance tools
Web:
- crt.sh searches certificate transparency logs and lists every subdomain that has had a certificate issued for it (e.g. you can discover the company’s less secure development environment)
- hunter.io finds known email addresses on a company’s domain
- crunchbase.com has a lot of information about companies and their employees
- HaveIBeenPwned shows which of the company’s email addresses have appeared in known breaches
- theHarvester collects the target’s footprint on the web using most of the popular search engines
CLI:
- sherlock searches social networks for a specific username or list of usernames
- tensorflow-1.4-billion-password-analysis is a list of leaked (vulnerable) passwords that can be searched by email domain
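The crt.sh subdomain discovery mentioned above, turned into a defender’s check: an added example (not code from the original notes or from crt.sh) that parses a constructed sample of crt.sh’s JSON output for example.com, normalizes the names, and flags hosts whose labels suggest a non-production environment is visible in public certificate logs. The sample records and the list of non-production labels are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); the values are made up.
# name_value may hold several SAN entries separated by "\n", and may include
# wildcards and names outside the queried domain.
SAMPLE_CRTSH_JSON = r"""[
  {"common_name": "www.example.com",
   "name_value": "example.com\nwww.example.com"},
  {"common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\ndev.example.com"},
  {"common_name": "Staging.Example.com",
   "name_value": "staging.example.com\ncdn.othervendor.net"},
  {"common_name": "api.example.com",
   "name_value": "api.example.com"}
]"""

# Labels that usually mark non-production environments (assumed list).
NONPROD_LABELS = {"dev", "staging", "stage", "test", "qa", "uat", "sandbox"}


def extract_hostnames(crtsh_json: str, domain: str) -> set:
    """Unique hostnames under `domain` named in a crt.sh JSON result."""
    domain = domain.lower()
    hosts = set()
    for entry in json.loads(crtsh_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: record the covered base name
            if name == domain or name.endswith("." + domain):
                hosts.add(name)  # SANs for unrelated domains are dropped
    return hosts


def flag_nonproduction(hosts, domain: str) -> list:
    """Hosts whose subdomain labels suggest an exposed dev/test environment."""
    suffix = "." + domain.lower()
    flagged = []
    for host in sorted(hosts):
        if not host.endswith(suffix):
            continue  # the bare domain itself has no subdomain labels
        labels = host[: -len(suffix)].split(".")
        if any(label in NONPROD_LABELS for label in labels):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    print("hostnames seen in certificate logs:", sorted(found))
    print("non-production hosts to review:", flag_nonproduction(found, "example.com"))
```

Run against a real crt.sh response, the flagged list is the set of environments whose exposure the owner should confirm was intended.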
Active reconnaissance
Active reconnaissance is performed on a target company’s website or network directly.
Active reconnaissance tools
CLI:
- dig, nmap, nslookup, dnsrecon and netcat for network analysis
- bluto for DNS lookups and a number of other recon activities