Hacking Phase 1 - Reconnaissance Phase


SUBMITTED BY: DevilDawg

DATE: July 27, 2021, 9:21 p.m.

FORMAT: Text only

SIZE: 28.1 kB

HITS: 1830

  1. RECONNAISSANCE
  2. The Reconnaissance phase, also called footprinting, is the most important phase. It is where you gather everything you can about your target, and what you find here makes or breaks the rest of the engagement. If you take the first idea that pops into your head and attack, you will most likely fail. Expect to spend a long time in this phase (on a real target, weeks or months) gathering data before a usable weakness shows up. You need to master this skill to be an ethical hacker.
  3. Active Reconnaissance - you interact directly with the target's systems (port scans, banner grabs, requests to their web server). That leaves a digital footprint in their logs that can be traced back to you. Avoid it where you can, and save it for when you are authorized and the passive sources are exhausted.
  4. Passive Reconnaissance - you never touch the target's systems; everything comes from third parties (search engines, archives, public records). You leave no footprint on the target that could lead back to you and get you in trouble.
  5. Organizations leave a plethora of information on the web; you just have to know how to search for it. The first trick I am going to discuss is passive, and it depends on the search engine rather than the browser (not every engine offers it; DuckDuckGo, for one, does not). Go to Google's main page and search for "football"; your first result should be the NFL. Look at the web address, www.nfl.com; just to the right of it is a drop-down arrow. Click the arrow, click "Cached", and you are reading Google's copy of the page rather than the live site. Two caveats: if you click any link on the cached page you land on the live site and leave a footprint, and the cached page may still pull images and scripts from the live server, so choose the "Text-only version" if you want no contact at all. The next passive technique is cloning a website. Kali and other tools will copy the whole site so you can go offline and do your research; you are then scanning a copy, not the target (the clone itself is one burst of active requests, so do it once). Google's web crawlers also visit every website that does not block them through robots.txt and keep a copy in the archives, and you can search those archives for your target without leaving any trace.
  6. Google Cached Page - Google Cache refers to the copies of web pages that Google stores as it crawls the web; it takes a snapshot of each page as a backup in case the live page is unavailable. (https://cachedview.com/)
  7. Archive.org Cache - Archive.org, better known as the Wayback Machine, is a digital archive of the World Wide Web run by the Internet Archive. It lets you view archived versions of web pages across time, which the Archive calls a three-dimensional index.
  8. Either of these lets you research your target without touching it. If you saw something on a website and the next day it is gone, go to the archive and examine it in depth. There are many ways to use this technique to your advantage.
  9. During the recon phase you gather information on the company, its employees and its third-party vendors. Here are some things you will need to search for on your target.
  10. Information gathering about the target:
  11. Most important: I.P. addresses and ranges
  12. Search public information; gather as much as you can without sending a single packet to the target
  13. Physical address
  14. Phone Number
  15. Fax numbers
  16. Email Addresses
  17. Hours of Operation
  18. Business Relations: 3rd Party
  19. Employee Emails/Name
  20. Social Media Connections
  21. News and Announcements - mergers
  22. Job Postings
  23. Job openings (software, hardware and network-related information)
  24. When researching a company I like to check the job postings first. The company will spill its guts if you just take the time to read. Let's examine this job posting:
  25. Responsibilities:
  26. Analyzing network errors or anomalies, as well as specific network performance issues and/or error messages, in order to ensure maximum uptime and service quality and assess trends that may ultimately result in degradation of service
  27. -- Analyze and configure VOIP network traffic to ensure high quality of service and high availability
  28. Formulating and implementing monitoring, policies, procedures and standards relating to network management
  29. -- Manage and work with 3rd party vendors to procure and maintain network devices, assist in cost analysis to ensure highest value to Sage Intacct
  30. Troubleshooting API and other system issues at a per-packet level via packet trace and sniffer analysis, including the troubleshooting of 3rd party data integration services and/or other Web-enabled solutions
  31. Participation in a 24x7 on-call rotation on a periodic basis; this requires functional knowledge of all Sage Intacct network devices, domain controllers, VPN and subsystems outside of the networking layer in order to provide on-call support
  32. Requirements:
  33. -- BS/BA degree, or equivalent work experience, CCNP certification preferred
  34. 5+ years direct experience required in the management and administration of network infrastructure - routers, switches, load balancers, SSL acceleration technology, etc.
  35. -- 5+ years experience with network protocols for routing and access, including but not limited to: BGP, IS-IS, OSPF, RIP, EIGRP, RADIUS, TACACS, STP, etc.
  36. In-depth knowledge of TCP/IP and BGP an absolute requirement
  37. -- Extensive working experience with Cisco ASA 5500 series, Dell N2000 and N3000 switches
  38. Experience with VPN remote access and PTP VPN tunnels
  39. Experience with multi-site routing, peering, and disaster recovery network architectures
  40. Experience with the use and implementation of enterprise monitoring and management frameworks and tools
  41. Experience working in structured change management processes for highly available datacenter networks
  42. -- Familiarity with WiFi standards and experience managing wireless network configurations, Cisco Meraki experience is a plus
  43. Firewall/security experience (ACL, GRE/IPsec tunnels, FWSM, IDSM2, and secure remote access/management practices)
  44. -- Experience with Palo Alto Networks firewalls is a plus
  45. -- Familiar with one or more of the following monitoring tools: Zabbix, Nagios, PRTG or Cacti
  46. Education and Certification Requirements:
  47. Preferred – Bachelor’s degree (computer science, business administration or related field) or equivalent experience
  48. Preferred certifications
  49. Cisco CCNA or CCNP
  50. Palo Alto Networks PCNSE
  51. The second line under Responsibilities I marked with two ticks: the company asks you to be knowledgeable about VoIP. The first thing that pops into my head is Wireshark. VoIP calls cross the network as packets (SIP for the call set-up, RTP for the audio), and if you capture them Wireshark will reassemble the RTP stream and play the conversation back (Telephony > VoIP Calls). The catch is that you need a position on the path those packets take (a mirrored switch port, a compromised host on the voice VLAN, an ARP spoof), and if the phones use SRTP the audio is encrypted and you get nothing useful.
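What a capture of the call set-up tells you, as an added example that is not code from the original post: the SDP body of a SIP INVITE announces where the audio will flow, which codecs it uses and whether the transport profile is cleartext RTP (RTP/AVP) or SRTP (RTP/SAVP). The INVITE below is constructed; its addresses, ports and PBX name are placeholders.

```python
"""Pull the media endpoint out of a captured SIP INVITE.

Added example, not code from the original post. The INVITE below is
constructed; its addresses and ports are placeholders (RFC 5737 ranges).
"""


def parse_sdp_media(sip_message):
    """Describe the audio stream an INVITE negotiates.

    Returns where the RTP will flow (ip, port), the codecs offered, the
    Call-ID, and whether the profile is plain RTP/AVP, which a capture on
    the path can decode, or SRTP (RTP/SAVP), where the audio is encrypted.
    """
    # SIP, like HTTP, separates headers from the body with a blank line.
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    info = {"call_id": None, "ip": None, "port": None, "profile": None, "codecs": []}
    for line in head.split("\n"):
        if line.lower().startswith("call-id:"):
            info["call_id"] = line.split(":", 1)[1].strip()
    payload_types = []
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 "):
            # connection address: the host that will send and receive audio
            info["ip"] = line.split()[2]
        elif line.startswith("m=audio "):
            # m=audio <port> <profile> <payload types...>
            fields = line.split()
            info["port"] = int(fields[1])
            info["profile"] = fields[2]
            payload_types = fields[3:]
        elif line.startswith("a=rtpmap:"):
            # a=rtpmap:<payload type> <codec>/<clock rate>
            pt, codec = line[len("a=rtpmap:"):].split(" ", 1)
            if pt in payload_types:
                info["codecs"].append(codec.split("/")[0])
    info["capturable"] = info["profile"] == "RTP/AVP"
    return info


# Constructed INVITE from desk phone 1001 to 2001 through a fictional PBX.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2001@pbx.example-corp.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Desk 1001" <sip:1001@pbx.example-corp.com>;tag=1928301774',
    "To: <sip:2001@pbx.example-corp.com>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=1001 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=sendrecv",
])

if __name__ == "__main__":
    media = parse_sdp_media(SAMPLE_INVITE)
    state = "cleartext RTP, capturable" if media["capturable"] else "SRTP, encrypted"
    print(f"call {media['call_id']}: audio at {media['ip']}:{media['port']} "
          f"codecs={media['codecs']} ({state})")
```

If the same INVITE carried m=audio 49170 RTP/SAVP the function reports it as not capturable: the signalling still tells you the endpoint, but the stream itself would need the SRTP keys.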
  52. The next tick deals with third-party vendors. Always check for third-party vendors, since they have access to the company you are researching. If I want to get into a company whose security is Fort Knox, I go after the third-party vendors and then use their access to reach the company.
  53. The next couple of ticks show that the company asks for people who know Cisco networking gear, and it goes into detail about the equipment: Cisco ASA 5500 series, Dell N2000 and N3000 switches. They are telling you right there what they are running.
  54. The sixth tick states that familiarity with Wi-Fi and Cisco Meraki is a plus. That tells me Wi-Fi may be a way onto their network, and since Meraki gear is managed from the Meraki cloud dashboard, I should research that cloud's weaknesses as well.
  55. The next tick states experience with Palo Alto Networks, so their perimeter firewall is a Palo Alto next-generation firewall. That tells me what will be inspecting my traffic later on.
  56. The last tick tells me the network monitoring tools they use. How nice of them to hand me all this information. Now I research each of these ticks in depth and look for weaknesses. Take the Nagios monitoring system: type "Nagios vulnerabilities" into your browser and there are 247,000 results. I am sure we can find some good information if we dig deep enough. Right off the bat they talk about Cross-Site Scripting (XSS), SQL injection, Remote Code Execution (RCE) and privilege escalation. Match what you find against the version the target actually runs; a flaw in a release they never deployed is noise. We will discuss these topics more in depth later, but I wanted to show you how much information is on the web.
  57. Physical addresses - come in handy when you want to go dumpster diving, or digging in the trash. In the U.S., trash put out for collection is generally treated as abandoned and fair game, but if the dumpster sits behind a fence or on the business's property you are trespassing, and on a paid engagement dumpster diving has to be written into the rules of engagement. Kevin Mitnick said he went through AT&T's dumpster and found a bag full of shredded paper. His team took the bag to Starbucks, grabbed some coffee and dug into the bag. After they pieced everything back together, they had every employee's name, email and password. Word to the wise: BURN your important documents (a strip-cut shredder is exactly what that story defeated). You can find a lot of information in dumpsters that comes in handy later on, which I'll discuss more under Dumpster Diving.
  58. Email addresses - Most companies follow a pattern for email accounts. Each company is different, so during your research grab several different addresses to study. What you are looking for is the format the company uses: is it jon.smith@XXXXX, jsmith@XXXXX or smithj@XXXXX? Once you have the pattern, every employee name you collected (LinkedIn, press releases, the contact on a job posting) becomes a probable address. Those lists feed later phases, whether that is a brute-force or password-spraying attack on the mail accounts (careful: too many guesses trips lockouts and alerts) or the social engineering I'll discuss later on.
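The pattern-matching step above, as an added example that is not code from the original post: given a handful of addresses you scraped, work out which convention the company uses, then turn a list of employee names into probable addresses. The names, addresses and domain are constructed, and the set of conventions is the common ones, not an exhaustive list.

```python
"""Infer a company's e-mail convention from a few observed addresses.

Added example, not from the original post. Names, addresses and the domain
below are constructed for illustration.
"""
import re

# Candidate conventions, each a function of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def _norm(name):
    """Lower-case and drop anything that is not a letter (hyphens, apostrophes)."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_pattern(samples):
    """samples: list of (full_name, observed_email).

    Returns (pattern, domain) for the convention that explains the most
    samples, or (None, None) if nothing fits. A mixed set of domains returns
    None for the domain so the caller can decide which one to use.
    """
    scores = {}
    domains = set()
    for full_name, email in samples:
        local, _, domain = email.lower().partition("@")
        domains.add(domain)
        parts = full_name.split()
        if len(parts) < 2:
            continue
        first, last = _norm(parts[0]), _norm(parts[-1])
        for name, fn in PATTERNS.items():
            if fn(first, last) == local:
                scores[name] = scores.get(name, 0) + 1
    if not scores:
        return None, None
    best = max(scores, key=scores.get)
    domain = domains.pop() if len(domains) == 1 else None
    return best, domain


def generate(names, pattern, domain):
    """Build candidate addresses for names gathered elsewhere (LinkedIn,
    press releases) using the inferred convention."""
    fn = PATTERNS[pattern]
    out = []
    for full_name in names:
        parts = full_name.split()
        if len(parts) < 2:
            continue
        out.append(f"{fn(_norm(parts[0]), _norm(parts[-1]))}@{domain}")
    return out


# Constructed sample: three addresses scraped from a fictional website.
OBSERVED = [
    ("Jon Smith", "jsmith@example-corp.com"),
    ("Maria O'Neil", "moneil@example-corp.com"),
    ("Wei Zhang", "wzhang@example-corp.com"),
]

if __name__ == "__main__":
    pattern, domain = infer_pattern(OBSERVED)
    print(f"convention: {pattern} @ {domain}")
    for addr in generate(["Alice Johnson", "Bob Lee-Ramirez"], pattern, domain):
        print(addr)
```

Three matching samples are enough to be confident; one sample can match several conventions (a "first" address for someone named Smith Smith), so collect a few before you trust the result.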
  59. Hours of operation - let's make sure that when we start the exploitation phase the workers are not still at work.
  60. Business Relations - find all the third-party vendors.
  61. Social Media - Check Facebook, LinkedIn and other social media for information on your target. Check the employees' Facebook pages: they might talk about issues at their job, or you might see a post where the I.T. guy says "Have to pull an all-nighter, our firewall went down". Thanks for the tip, my man.
  62. News and Announcements - Watch for upcoming events you could attend to gather more information, and especially watch for mergers: when companies merge they are vulnerable. Two networks are being joined, equipment is being swapped and nobody is quite sure who owns what; the possibilities are endless. Look how corona changed so much: "As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom"... Zoom? Zoom vulnerabilities? Researcher Mazin Ahmed, who presented his findings at DEF CON 2020, found that the company had also left a misconfigured development instance exposed that had not been updated since September 2019, meaning the server could be susceptible to flaws that were left unpatched. Ahmed privately reported the issues to Zoom in April and again in July, and the company issued a fix on August 3 (version 5.2.4). Wait, did you catch it? Read it again... He told Zoom they were vulnerable in April and they did not patch the issue until August, so for four months Zoom was open game. That gap between discovery and patch is the attacker's window. Researchers commonly give a vendor 90 days before publishing, and plenty of vendors take longer than that to ship a fix, so following the disclosure feeds and mailing lists (some free, some for a fee) tells you what a target is exposed to before its patch exists.
  63. Some places to do your researching at:
  64. News and Groups
  65. Bulletin Board Systems
  66. Facebook
  67. Instagram
  68. Twitter
  69. LinkedIn
  70. Bing
  71. Dogpile
  72. Google
  73. Yahoo
  74. Webferret - https://download.cnet.com/WebFerret/3000-2379_4-10002998.html
  75. EDGAR - Publicly traded companies ( https://www.sec.gov/edgar.shtml )
  76. groups.google.com
  77. Best People Search:
  78. SwitchBoard ( https://inter800.com/switchboard/ )
  79. Google Finance ( https://www.google.com/finance )
  80. YahooFinance ( https://finance.yahoo.com/ )
  81. blackbookonline.info ( https://www.blackbookonline.info/ )
  82. Reunion.com
  83. Classmates.com ( https://www.classmates.com/ )
  84. Plaxo.com ( https://en.wikipedia.org/wiki/Plaxo )
  85. Zaba Search ( https://www.zabasearch.com/ )
  86. Spokeo ( https://www.spokeo.com/ )
  87. pipl.com
  88. familytreenow.com
  89. thatsthem.com
  90. luller.com
  91. WARDIALING (phone-number sources):
  92. phonenumber.com
  93. 411.com
  94. yellowpages.com
  95. Wardialing - is a technique to automatically dial a list of telephone numbers, usually every number in a local area code or a company's exchange, to find modems, computers, bulletin board systems and fax machines. There are too many possibilities with this technique to list them all. The major one I will talk about is fax machines, and this is a place you should attack hard. Fax machines are sometimes still hooked up to dial-up lines, if you are old enough to know what that is. Today's fax machines are multifunction printer/scanner devices, and their security is weak: in big companies they hold address books of employee email addresses and, for scan-to-email and scan-to-folder, stored credentials for the mail server or directory. They also keep copies of what passes through them. Around ten years ago, as I recall, a news investigation bought used office copiers, some from government offices, and found that even after the memory had been "erased" the hard drives still held every document ever scanned on them, including Social Security numbers and addresses. Anyone need a fake passport, credit card or ID? That is the raw material for it.
  96. Another thing to research is an off-site storage building. Major companies keep their backup data at a second location in case a fire or other catastrophe hits the main site, so the backups survive and the company can be back up and running in minimal time. The terms to search for are hot, warm and cold sites: a hot site is already up and running, a warm site can be brought up in a short time, and a cold site takes a while to get running. These buildings hold the company's backup data and are usually far less guarded than headquarters, which makes them an easy place to get information from.
  97. Google Earth to see target:
  98. Google's Street View cars drove around the country recording data, including Wi-Fi network names and MAC addresses ( https://www.google.com/streetview/ )
  99. API at shodanhq.com/research/geomac ---- Black Hat 2010, Samy Kamkar, "How I Met Your Girlfriend" (geolocating a victim from the MAC address of their Wi-Fi router) ( https://www.wired.com/2015/12/the-greatest-hits-of-samy-kamkar-youtubes-favorite-hacker/ )
  100. This is an older technique, but it sometimes still works: extracting DNS zone transfers. DNS servers are an excellent target for hackers and penetration testers to gather data from, and the information is highly valuable to an attacker. A name server that answers an AXFR request hands over every record in the zone, which can include internal host names and private IP addresses belonging to our target. (Asking for the transfer does send a request to their name server, so count it as active.) We will dig deeper later on.
  101. Go to the company's cloned site, right-click the main page and choose "View source" or "Inspect element". People who code websites sometimes leave notes to themselves in HTML comments so they won't forget, then forget to remove the notes. Some admins leave passwords in there, or the issues they were working on. Every little bit of information helps.
  102. Search for VPN endpoints that the company or its people connect through
  103. Search for:
  104. "Company name" resume firewall
  105. Google: resume firewall
  106. I searched for "Chevron resume firewall" and it showed me the resume of a person who worked at Chevron or was applying for a job there. Study their qualifications; this can tell you more about what equipment the target company has.
  107. Send an email with an empty .bat file attached. Once it is rejected, break down the bounce: the rejection text names the anti-virus or mail-filtering vendor, often with its version; the Received: headers give you the IP addresses of the mail servers the message passed through and the software brand each one is running. Bear in mind this one is active: your message and your sending address end up in their mail logs.
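Reading the bounce, as an added example that is not code from the original post: a parser that walks the Received: headers of a non-delivery report, separates the target's hops from your own, and pulls out host names, addresses, server software and the line that names the filter. The bounce is constructed (host names, addresses and the "ExampleAV" product are placeholders), and the patterns are heuristics for the common Received: layouts, not a complete catalogue of MTA banners.

```python
"""Mine a bounce (non-delivery report) for what it says about the target's
mail path.

Added example, not code from the original post. The bounce below is
constructed: host names, addresses and the "ExampleAV" product are
placeholders, and the regexes are heuristics for common Received: header
layouts, not a complete catalogue of MTA banners.
"""
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> (<info>) by <host> (<software>)" as written by most MTAs
HOP = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<by_info>[^)]*)\))?"
)


def analyze_bounce(raw, own_domain):
    """Return the target-side hosts, IPs, server software and rejection
    reason found in a bounce. Hops that belong to own_domain (our sending
    infrastructure) are ignored."""
    msg = message_from_string(raw)
    found = {"hosts": set(), "ips": set(), "software": set(), "reason": None}
    for hdr in msg.get_all("Received", []):
        hop = " ".join(hdr.split())  # unfold continuation lines
        m = HOP.search(hop)
        if not m:
            continue
        for host, info in ((m["from"], m["from_info"]), (m["by"], m["by_info"])):
            if host.lower().endswith(own_domain):
                continue  # our own server, nothing to learn
            found["hosts"].add(host.lower())
            if info:
                found["ips"].update(IPV4.findall(info))
                if host == m["by"]:
                    found["software"].add(info.strip())  # "by host (Exim 4.94)"
    # Exchange stamps its own organisation headers on everything it touches
    if any(k.lower().startswith("x-ms-exchange") for k in msg.keys()):
        found["software"].add("Microsoft Exchange (X-MS-Exchange-* headers)")
    # the diagnostic line names the filter that refused the attachment
    for line in raw.splitlines():
        s = line.strip()
        if s.startswith("Diagnostic-Code:") or re.match(r"5\d\d[ -]", s):
            found["reason"] = s
            break
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in found.items()}


# Constructed bounce: our probe to jsmith@example-corp.com came back.
SAMPLE_BOUNCE = """\
Received: from mx2.example-corp.com (mx2.example-corp.com [203.0.113.25])
    by mail.attacker.example (Postfix) with ESMTPS id 4F1A2B
    for <tester@attacker.example>; Tue, 27 Jul 2021 21:00:02 +0000
Received: from EXCH01.corp.local (10.10.20.15) by mx2.example-corp.com
    (Exim 4.94) with ESMTP; Tue, 27 Jul 2021 21:00:01 +0000
From: Mail Delivery System <MAILER-DAEMON@example-corp.com>
To: tester@attacker.example
Subject: Undeliverable: Quick question
X-MS-Exchange-Organization-AuthSource: EXCH01.corp.local
Content-Type: text/plain

Your message could not be delivered to jsmith@example-corp.com.

Diagnostic-Code: smtp; 550 5.7.1 Message rejected by ExampleAV 9.2: attachment test.bat blocked by policy
"""

if __name__ == "__main__":
    for key, value in analyze_bounce(SAMPLE_BOUNCE, "attacker.example").items():
        print(f"{key}: {value}")
```

From one message the sample yields the target's outbound relay and its public address, an internal Exchange host name and RFC 1918 address, the relay's MTA software, and the filtering product with its version. Real bounces are often multipart/report messages; the diagnostic line lives in the delivery-status part, but a line scan still finds it.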
  108. Offline Browser - Teleport Pro - https://en.freedownloadmanager.org/Windows-PC/Teleport-Pro.html
  109. Multiple Search Engines: All-in-one ( https://all-io.net/ ), Dogpile ( https://www.dogpile.com/ ), groups.google.com
  110. Advanced Search in websites - AltaVista ( http://ca-en.altavista.com/ )
  111. Sites to research recent cyber attacks:
  112. https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf
  113. https://www.usa.gov/federal-agencies/computer-emergency-readiness-team
  114. https://nvd.nist.gov/
  115. https://www.securitytracker.com/
  116. https://securiteam.com/
  117. http://www.hackerwatch.org/
  118. https://www.securityfocus.com/
  119. https://www.scmagazine.com/
  120. https://www.w4rri0r.com/vulnerabilities-attacker-surface.html
  121. https://www.wired.com/2015/12/the-greatest-hits-of-samy-kamkar-youtubes-favorite-hacker/
  122. https://owasp.org/www-project-top-ten/
  123. https://www.veracode.com/security/owasp-top-10
  124. Learn how hackers are attacking companies so you stay up to date and learn how to defend against it.
  125. I am briefly going to talk about Google-Fu, or Google hacking. Looking up information takes a lot of time, and when you hit Enter on whatever you are researching and it says 565,000 results, that can be discouraging. How you phrase your search in the Google search bar determines the result count. There are ways to cut the results down to a fraction and save yourself a lot of time going through all the threads.
  126. I chose to research Emmitt Smith:
  127. emmitt smith - About 2,790,000 results
  128. black male/emmitt smith - About 1,390,000 results
  129. Dallas Cowboys/emmitt smith - About 1,130,000 results
  130. So the more information I added, the more Google honed in and the fewer results I had to parse through. You can narrow it down even further with the right operators. Here are some ways to sharpen your research and lower your result count.
  131. intitle: or allintitle:
  132. intitle: - the search word must appear in the page title.
  133. allintitle: - only return pages whose title contains all of the keywords. Example: allintitle:index of *****
  134. inurl:admin - reveals admin or configuration pages on the target's website
  135. filetype:pdf - search for files by extension
  136. Combine them: site:dsu.edu filetype:pdf
  137. Term - Action
  138. filetype: - search for a file by its extension (e.g. PDF)
  139. cache: - view Google's cached version of a specified URL
  140. intitle: - the specified phrase MUST appear in the title of the page
  141. Johnny Long has a great book called "Google Hacking for Penetration Testers" (download for free at pdfdrive.com), or watch the presentation Johnny Long gave at DEF CON 13 ( https://www.youtube.com/watch?v=fo1BR9itwOY )
  142. Start researching each of these topics in more depth and take notes in a composition notebook; they run around a dollar each. I keep a notebook for each phase and write down everything of value that I find. When I engage a target I pull the notebooks out, run down the lists and fill in the blanks. It makes things so much easier, because as we get older and learn more things we forget the older ones.
  143. Start practicing on overthewire.org: begin with Bandit and complete its 34 levels, then move on to the next wargame. I think there are 17 wargames on OverTheWire to learn from.
  144. Capture the Flag (CTF) competitions can be rewarding, soul destroying and intimidating all at the same time. I’d strongly recommend getting stuck in and signing up to CTFs as soon as possible. Don’t wait until you’ve mastered a specific skill as CTFs are a brilliant learning resource first and foremost. Set aside time every week to get onto a CTF and treat this time as sacred. Don’t let anything distract you away from this time slot if you can help it!
  145. Consider joining a CTF team to enhance your pool of learning resources. There are always teams looking for new members. The “OpenToAll” team is one that comes to mind, who are now at an astounding 300+ team members.
  146. Here are some tools to research that you will use during the Reconnaissance phase (note that a few of them, DirBuster and Wikto for example, send requests straight to the target and are active):
  147. HTTrack - makes an offline copy of a website
  148. BlackWidow Pro or Wget can extract a complete copy of a website
  149. The Harvester
  150. Whois.net
  151. Netcraft
  152. Host
  153. NSLookup
  154. Dig
  155. MetaGoofil
  156. SEAT
  157. Maltego
  158. SamSpade
  159. NetScan
  160. GTWhois
  161. XWhois
  162. Archive.org
  163. Trellian
  164. Web Investigator
  165. MyReputation
  166. BiDiBLAH
  167. Big Brother
  168. Advanced Administrative Tools
  169. Wikto
  170. ActiveWHois
  171. Spiderfoot
  172. MSR Strider URL Tracer
  173. WTR -Web the Ripper 2
  174. Dirbuster
  175. Wget - Linux/UNix
  176. Teleport Pro - Windows
  177. Athen 2.0
  178. SiteDigger
  179. Traceroute
  180. Search engines for Hackers:
  181. censys.io
  182. shodan.io
  183. viz.greynoise.io
  184. zoomeye.org
  185. netograph.io
  186. wigle.net
  187. intelx.io
  188. fofa.so
  189. hunter.io
  190. haveibeenpwned.com
  191. As we go along we will add more to this phase and discuss the topics in more depth. So do some research, dig into these topics, and if you have any questions ask one of us.
  192. Updated 11/24/2020
  193. Username search tools #OSINT
  194. https://t.co/hzHoHiDbFB
  195. https://t.co/6vE7pCI5Q8
  196. https://t.co/0gOGizBPIG
  197. https://t.co/XeS26gkzzu
  198. https://t.co/wMW7nFZCNa
  199. https://t.co/GbmYe47gtO
  200. https://t.co/fEAARCFsAU?
  201. https://t.co/heIvHUWeuQ
  202. https://t.co/mRerIKvDht
  203. https://t.co/qYO1k6TOWx
  204. https://t.co/p4eVgqZixX
  205. https://yandex.com/
  206. http://www.mavetju.org/unix/dnstracer-man.php
  207. https://www.maltego.com/?utm_source=paterva.com&utm_medium=referral&utm_campaign=301
  208. https://null-byte.wonderhowto.com/how-to/use-spiderfoot-for-osint-gathering-0180063/
  209. https://www.spiderfoot.net/
  210. https://hakin9.org/buster-an-advanced-tool-for-email-reconnaissance/
  211. https://hakin9.org/people-tracker-on-the-internet-osint-analysis-and-research-tool/
  212. https://www.entireweb.com/
  213. https://www.lycos.com/
  214. https://www.teoma.com/
  215. https://millionshort.com/
  216. https://www.offensiveosint.io/offensive-osint-s01e01-osint-rdp/
  217. https://www.martinvigo.com/email2phonenumber/
  218. https://www.secjuice.com/artificial-intelligence-ai-and-osint/
  219. https://phonexicum.github.io/infosec/osint.html
  220. https://www.reversephonecheck.com/
  221. https://www.kitploit.com/2020/06/sifter-74-osint-recon-vulnerability.html
  222. https://www.tracelabs.org/initiatives/osint-vm
  223. https://osint.link/
  224. https://www.bellingcat.com/resources/how-tos/2019/12/26/guide-to-using-reverse-image-search-for-investigations/
  225. http://www.faganfinder.com/filetype/
  226. https://www.yippy.com/
  227. https://github.com/jivoi/awesome-osint (EVERYTHING)
  228. https://github.com/Z4nzu/hackingtool (EVERYTHING)
  229. https://github.com/infosecn1nja/Red-Teaming-Toolkit (A TOOL FOR EVERY PHASE)
  230. https://osintframework.com/ (CLICK THE BLUE DOTS)
  231. https://github.com/PaulSec/API-dnsdumpster.com
  232. https://github.com/JoeWrieden/AutomatedOSINT
  233. https://github.com/0xApt/awesome-bbht - a bash script that automatically installs a list of bug-hunting tools useful for recon, exploitation, etc. (minus Burp). For Ubuntu/Debian.
  234. https://github.com/jakejarvis/awesome-shodan-queries
  235. https://github.com/Cignoraptor-ita/cignotrack
  236. https://github.com/m0rtem/CloudFail
  237. https://github.com/OWASP/D4N155
  238. https://github.com/darkoperator/dnsrecon
  239. https://github.com/ex0dus-0x/doxbox
  240. https://github.com/sandialabs/dr_robot
  241. https://github.com/ChrisTruncer/EyeWitness
  242. https://github.com/thewhiteh4t/FinalRecon
  243. https://github.com/ElevenPaths/FOCA
  244. https://github.com/obheda12/GitDorker
  245. https://github.com/Sachaaaaaa/Grhoth
  246. https://github.com/khast3x/h8mail
  247. https://github.com/m4ll0k/Infoga
  248. https://www.osintcombine.com/instagram-explorer
  249. https://github.com/instant-username-search/instant-username-search
  250. https://github.com/ChrisTruncer/Just-Metadata
  251. https://github.com/pielco11/JungleScam
  252. https://github.com/initstring/linkedin2username
  253. https://github.com/laramies/metagoofil
  254. https://github.com/MISP/MISP-maltego
  255. https://github.com/ninoseki/mitaka
  256. https://github.com/AzizKpln/Moriarty-Project/
  257. https://github.com/HA71/Namechk
  258. https://github.com/th3unkn0n/osi.ig
  259. https://github.com/milo2012/osintstalker
  260. https://github.com/sundowndev/PhoneInfoga https://www.youtube.com/watch?v=WW6myutKBYk https://copycookie.com/phoneinfoga-advanced-information-gathering-osint-framework-for-phone-numbers/
  261. https://github.com/s0md3v/Photon
  262. https://github.com/nethunteros/punter
  263. https://github.com/m8r0wn/pymeta
  264. https://github.com/dchrastil/ScrapedIn
  265. https://github.com/thewhiteh4t/seeker
  266. https://github.com/HA71/sherlock
  267. https://github.com/kpcyrd/sn0int
  268. https://github.com/SpiderLabs/social_mapper
  269. https://github.com/laramies/theHarvester
  270. https://github.com/krmaxwell/tinfoleak
  271. https://github.com/jofpin/trape
  272. https://github.com/Ekultek/WhatBreach
  273. https://github.com/inurlx/XSPID3R
  274. Photo location search #map #geo #OSINT #SEO #infosec
  275. http://oldto.sidewalklabs.com/
  276. http://locationscout.net/
  277. http://shothotspot.com/
  278. http://whatwasthere.com/
  279. http://photogrammar.yale.edu/
  280. .io search engines #osint #seo #infosec #search
  281. http://darksearch.io/ dark web
  282. http://scinapse.io/ academic
  283. http://fnd.io/ itunes & app store
  284. http://redditsearch.io/ reddit
  285. http://filefactory.filesearch.io/ files
  286. http://keywordtool.io/ keywords
  287. https://inteltechniques.com/JE/
  288. https://technisette.com/p/tutorials
  289. https://i-sight.com/resources/101-osint-resources-for-investigators/
  290. http://browsershots.org/
  291. https://www.uk-osint.net/
  292. OSINT YouTube Videos
  293. https://www.youtube.com/watch?v=WW6myutKBYk Using phone numbers to gather info
  294. https://www.youtube.com/watch?v=SMxya-M6KhU Different tools
  295. https://www.youtube.com/watch?v=SvL9bpsY-ZQ Finding info in various ways
  296. https://www.youtube.com/watch?v=DSEGmdzs9Kg DefCon OSINT
  297. https://www.youtube.com/watch?v=RwwpXALAp3I Spiderfoot
  298. https://www.youtube.com/watch?v=d-Ql_WSwF0A MALTEGO
  299. https://www.youtube.com/watch?v=yrOOdq25wMw Sans
  300. Search Tips:
  301. Surround literals with " ", as in "Soc Sec Num"
  302. Put a minus (-) in front of a search term to drop it from the results; this is the quickest way to cut the noise from your hits
  303. -word excludes pages containing that word
  304. Search for airline status
  305. - Type in airline and flight number
  306. - Front end for Travelocity
  307. Search for VIN for vehicle information
  308. Search for UPC number for product info
  309. By dumping the records from a company's DNS servers, attackers can determine which machines are reachable on the Internet, and which internal ones are listed alongside them.
  310. Using nslookup, the information can be gathered like this (the ls command exists only in the Windows nslookup):
  311. Type:
  312. C:\> nslookup
  313. > server [DNSServer]
  314. > set type=any
  315. > ls -d [domain]
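The zone-transfer technique from item 100 and the nslookup session above, carried one step further as an added example that is not code from the original post: on Linux the equivalent request is dig @ns1.example.com example.com AXFR (a properly configured server answers "Transfer failed."), and when a server does answer, the useful work is sorting what came back. The script below parses dig-style zone output and separates RFC 1918 hosts (internal naming leaked into public DNS) from public ones, and lists CNAMEs pointing outside the zone, which are the hosted services and third-party vendors the rest of this phase tells you to hunt for. The zone is constructed; names and addresses are placeholders.

```python
"""Triage the output of a DNS zone transfer (dig AXFR, or nslookup's ls -d).

Added example, not code from the original post. The zone below is
constructed; names and addresses are placeholders.
"""
import ipaddress

# Explicit RFC 1918 check: ipaddress's is_private also flags documentation
# ranges such as 203.0.113.0/24, which would mislabel the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Turn dig-style zone output into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank lines and dig's comment lines
        f = line.split()
        # owner  ttl  IN  type  rdata...
        if len(f) < 5 or f[2] != "IN":
            continue
        records.append((f[0].rstrip(".").lower(), f[3], " ".join(f[4:]).rstrip(".")))
    return records


def triage(records, zone):
    """Split A records into internal (RFC 1918) and external hosts, pull out
    CNAMEs that point outside the zone (hosted services and vendors), and
    note the mail exchangers."""
    out = {"internal": {}, "external": {}, "third_party": {}, "mail": []}
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            bucket = "internal" if any(ip in n for n in RFC1918) else "external"
            out[bucket][owner] = rdata
        elif rtype == "CNAME" and not rdata.endswith(zone):
            out["third_party"][owner] = rdata
        elif rtype == "MX":
            out["mail"].append(rdata.split()[-1])  # "10 mx2.example-corp.com"
    return out


# Constructed zone as dig would print it for a server that allows AXFR.
SAMPLE_ZONE = """\
; <<>> DiG 9.16 <<>> @ns1.example-corp.com example-corp.com AXFR
example-corp.com.        3600  IN  SOA   ns1.example-corp.com. hostmaster.example-corp.com. 2021072701 7200 3600 1209600 3600
example-corp.com.        3600  IN  NS    ns1.example-corp.com.
example-corp.com.        3600  IN  MX    10 mx2.example-corp.com.
ns1.example-corp.com.    3600  IN  A     203.0.113.2
www.example-corp.com.    300   IN  A     203.0.113.10
mx2.example-corp.com.    3600  IN  A     203.0.113.25
vpn.example-corp.com.    3600  IN  A     203.0.113.40
exch01.example-corp.com. 3600  IN  A     10.10.20.15
nagios.example-corp.com. 3600  IN  A     10.10.30.5
dc01.example-corp.com.   3600  IN  A     10.10.20.10
intranet.example-corp.com. 300 IN  CNAME dc01.example-corp.com.
status.example-corp.com. 300   IN  CNAME example-corp.statuspage.io.
"""

if __name__ == "__main__":
    report = triage(parse_zone(SAMPLE_ZONE), "example-corp.com")
    for bucket, entries in report.items():
        print(f"{bucket}: {entries}")
```

In the sample the internal bucket alone gives away the Exchange server, the monitoring box and a domain controller by name, which is exactly why zone transfers are still worth asking for.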
  316. site:sans.org
  317. then, after you look at the results, keep adding exclusions one at a time:
  318. site:sans.org -www
  319. site:sans.org -www -isc (review the results)
  320. site:sans.org -www -isc -ics (review the results)
  321. site:sans.org -www -isc -ics -labs, and keep taking away results you don't care to see (to drop a whole subdomain precisely, use -site:www.sans.org)
  322. "cache:www.counterhack.net"
  323. .bak files are backups that often expose configuration and passwords: site:www.[target].com ext:bak (filetype:bak also works)
  324. Use FOCA to download all the files you can find on a target and extract their metadata (authors, usernames, software versions, internal paths). Take an Excel document, put a macro in it, email it to the person who created the document and title it "Fix Immediately"; they will open it to fix it, not realizing they just launched a virus, worm or keylogger.
  325. Use index.of to go straight to their directory listings and browse their files and folders (site:wafflehouse.com intitle:index.of). Work more on this.
  326. You can also find Remote Desktop connection files: ext:rdp
  327. Indexable directories: intitle:"index of" "parent directory"
  328. Search for IDs and passwords
  329. Video cameras: search for inurl:"ViewerFrame?Mode="
  330. pastebin.com - go on there and search for user IDs and passwords; "password ngc.com" turned up a Northrop Grumman password list.
  331. Shodan will give you the number of IoT devices and their IP addresses
  332. images.shodan.io gives you screenshots of remote desktop systems open to the Internet; then in the search bar, port:5900 shows VNC servers. Shodan only has a screenshot where it could connect and read the screen, so these are typically VNC servers that required no password.
  333. shodanhq.com (now shodan.io)
  334. dnsstuff.com
  335. tracert.com
  336. traceroute.org
  337. network-tools.com
  338. securityspace.com
  339. https://github.com/domssilva/vulnsearch - a deep look at some recon methodologies and web-application vulnerabilities, merging notes gathered from books, videos, articles and the author's own experience with bug bounty hunting and web and network hacking
  340. https://tools.tldr.run/ bunch of different tools
  341. https://intelx.io/ search database
  342. https://github.com/Err0r-ICA/TORhunter - designed to scan and exploit vulnerabilities within Tor hidden services; TORhunter lets most tools work as normal while resolving .onion addresses
  343. https://hunter.io/ find email and addresses fast
  344. https://rocketreach.co/login
