Passive Information Gathering for Pentesting
Information gathering is a very important phase for a pentester.
There are 2 types of information gathering:
1. Active information gathering
2. Passive information gathering
I will talk about passive information gathering in this blog post.
How do you do passive information gathering?
Passive information gathering collects publicly available information without interacting directly with the target's systems. The sources and tools below are the ones I use.
1. Google dorks and Google search operators
I have shared Google dorks before. You can access them from this link.
2. crt.sh - (https://crt.sh/)
crt.sh searches Certificate Transparency logs for the TLS certificates issued for a domain. Because each certificate lists the hostnames it covers, this reveals subdomains of the target without sending a single packet to it.
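The following is an added example, not code from crt.sh or from this post. It turns a crt.sh JSON response into a de-duplicated list of hostnames, assuming the JSON shape that the `output=json` query form returns (a list of objects whose `name_value` field may hold several newline-separated names, including wildcard names). The sample response embedded below is constructed, not a real query result; the `fetch_crtsh` helper and its URL pattern are the example's own assumption.

```python
"""Extract hostnames from a crt.sh JSON response (added example, not crt.sh code)."""
import json
import urllib.request

# Constructed sample of what crt.sh returns for a query like %.example.com.
# It is NOT real certificate data; it only mimics the field layout.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},          # two names in one entry
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com"},                         # wildcard certificate
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "WWW.example.com"},                       # case-variant duplicate
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com.evil.test"},             # not under the target zone
])


def hostnames_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Return sorted, unique hostnames under `domain` found in a crt.sh JSON body.

    - Names are lower-cased and trailing dots removed so case variants collapse.
    - A wildcard name ("*.example.com") is recorded as the zone it covers,
      because the useful fact is that a certificate for that zone exists.
    - Names that merely contain the domain as a prefix (e.g. a look-alike
      under another TLD) are dropped: only exact matches and subdomains count.
    """
    domain = domain.lower().rstrip(".")
    found: set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: float = 30.0) -> str:
    """Fetch the raw JSON for all certificates matching %.<domain> (network needed).

    Assumption of this example: crt.sh accepts the query form
    https://crt.sh/?q=%25.<domain>&output=json and answers with a JSON list.
    """
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for host in hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Run on the constructed sample this prints `example.com`, `mail.example.com` and `www.example.com`; the wildcard entry collapses into the zone name and the look-alike host under another TLD is discarded. Defenders can run the same function on a schedule against their own domains to spot certificates they did not issue.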
3. Whois
Whois is a widely used database lookup tool for discovering the registration details of a domain name and the ownership of an IP address range. The domain record sometimes contains contact details of senior IT staff, which matter for social-engineering risk, while the IP record lists the public address blocks allocated to the company.
You can access Whois services from the following site:
https://whois.domaintools.com/
The whois command-line tool is also available on Kali Linux.
4. Shodan - (https://www.shodan.io/)
Shodan is a search engine that collects information about systems connected to the internet, such as servers and Internet of Things (IoT) devices.
5. Censys - (https://search.censys.io/)
Censys is another browser-based search engine that identifies hosts on the internet belonging to a particular organization. In addition to identifying the hosts, Censys also identifies the services and ports that are open on those systems.
6. Hunter.io - (https://hunter.io/)
Hunter.io shows the e-mail addresses (and the address pattern) of some people working at the target company.
7. BuiltWith - (https://builtwith.com/)
BuiltWith collects information about the technologies (web frameworks, CMS, analytics, hosting) used by the target company's websites.
8. Wigle.net - (https://wigle.net/)
Wigle.net is a Wi-Fi network search engine: a database of observed wireless networks and their locations.
9. theHarvester
theHarvester collects information such as domains, subdomains and e-mail addresses using public sources like Google, LinkedIn, Twitter and Bing.
theharvester -d google.com -l 5 -b google
- -d target domain
- -b data source (for example google, bing or linkedin; a source name, not a domain)
- -l limit on the number of results
10. OSINT Framework - (https://osintframework.com/)
OSINT Framework is a website that catalogues passive information-gathering tools by category. Pick a category on the site to reach the tools that fit it.
11. PeekYou - (https://www.peekyou.com/)
PeekYou is a people search engine.
12. dig
dig lets you perform any valid DNS query. The most common record types are:
- A (the IPv4 address)
- AAAA (the IPv6 address)
- TXT (text annotations, such as SPF records)
- MX (mail exchangers)
- NS (name servers)
dig google.com
dig google.com NS
dig google.com MX
dig google.com TXT
dig google.com AAAA
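As an added example (not part of dig or of this post), the script below runs the queries listed above for one domain and parses the answer section into records, so the results can be stored or compared with a known-good baseline. It assumes `dig` is on the PATH and that `dig +noall +answer` prints one resource record per line in the form `owner ttl class type rdata`. The parser is separate from the subprocess call so it can be exercised on the constructed sample output embedded below, which uses documentation address ranges rather than real answers.

```python
"""Run the post's dig queries and parse the answers (added example, not dig's code)."""
import subprocess

# The record types the post asks about. Note that "AAAA" is the IPv6 address
# record; "AAA" is not a valid type and dig rejects it, so we validate first.
RECORD_TYPES = ("A", "AAAA", "NS", "MX", "TXT")

# Constructed sample of `dig +noall +answer` output; addresses come from the
# documentation ranges (192.0.2.0/24, 2001:db8::/32) and are not real answers.
SAMPLE_DIG_OUTPUT = """\
; <<>> comment lines start with a semicolon and are skipped
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tAAAA\t2001:db8::10
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tTXT\t"v=spf1 mx -all"
"""


def parse_dig_answers(output: str) -> list[dict]:
    """Parse `dig +noall +answer` lines into dicts.

    Each line looks like "example.com.  300  IN  MX  10 mail.example.com.".
    Only the first four fields are split off, so MX and TXT rdata, which
    contain spaces, are kept intact as one string.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = fields
        records.append({
            "name": owner.rstrip("."),
            "ttl": int(ttl),
            "type": rtype,
            "rdata": rdata,
        })
    return records


def group_by_type(records: list[dict]) -> dict[str, list[str]]:
    """Map record type -> list of rdata strings, e.g. {"MX": ["10 mail.example.com."]}."""
    grouped: dict[str, list[str]] = {}
    for rec in records:
        grouped.setdefault(rec["type"], []).append(rec["rdata"])
    return grouped


def dig_records(domain: str, rtype: str) -> list[dict]:
    """Query one record type with dig and return the parsed answer records."""
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unsupported record type {rtype!r}; use one of {RECORD_TYPES}")
    proc = subprocess.run(
        ["dig", "+noall", "+answer", domain, rtype],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_answers(proc.stdout)


def dig_all(domain: str) -> dict[str, list[str]]:
    """Run every query from the post for `domain` and group the answers by type."""
    records: list[dict] = []
    for rtype in RECORD_TYPES:
        records.extend(dig_records(domain, rtype))
    return group_by_type(records)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample output.
    for rtype, values in group_by_type(parse_dig_answers(SAMPLE_DIG_OUTPUT)).items():
        print(rtype, values)
    # With network access, `dig_all("example.com")` runs the real queries.
```

Keeping the parsed output lets a defender diff today's records against yesterday's and alert on an unexpected NS, MX or TXT change, which is one of the earliest signs of a hijacked zone.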