RECONNAISSANCE

The Reconnaissance phase, aka Footprinting, is the most important phase. This is the phase where you gather all the information on your target. What can make or break your success happens in this stage. If you take the first idea that pops into your head and attack your target, you will most likely fail. In this phase you will need to spend months gathering data on your target to find a vulnerability and be successful. You will need to perfect this skill to be an ethical hacker.

Active Reconnaissance - in this search you directly interact with the computer system to gain information. This type of information gathering leaves a digital footprint that can be traced back to you. If at all possible, avoid this type of scanning.

Passive Reconnaissance - in this type of search you are not directly interacting with the target. This way you don't leave any footprints that will lead back to you and get you in trouble.

Organizations have a plethora of information available on the web; you just have to know how to search for it. The first trick I am going to discuss is a passive one, and it does not work on every search engine. Go to Google's main page (if you normally use something like DuckDuckGo, switch to Google for this) and type "football" in the search bar; your first link should be the NFL. Look at the web address, www.nfl.com; just to the right of the address is a drop-down arrow. Click the arrow and you will see the word "cached". Click that word and you can now browse the website passively without leaving any footprints. If you click any links on that cached page you will go to the live site and leave a footprint.

The next passive technique I will discuss is cloning a website. Kali and other tools will let you clone the website and then go offline to do your research. This way you are not actively interacting with the website; you are scanning a copy of it while you're offline.
If you did not know, Google has web crawlers that scan every website (unless blocked by robots.txt) and keep a copy in its archives. You can access these archives and research your target further without leaving any traces.

Google Cached Page - Google Cache normally refers to the copies of web pages cached by Google. Google crawls the web and takes a snapshot of each page as a backup in case the current page is not available. (https://cachedview.com/)

Archive.org Cache - Archive.org, also known as the Wayback Machine, is a digital archive of the World Wide Web and other information on the Internet, created by the Internet Archive. The service enables users to see archived versions of web pages across time, which the Archive calls a three-dimensional index.

You can use either of these to research your target without getting in trouble. If you saw something listed on a website and the next day it is gone, you can go to the archive and examine it further in depth. There are many ways to use this technique to your advantage.

During the recon phase you will be gathering information on the company, its employees and third-party vendors. Here are some things you will need to search for on your target.

Information gathering about the target:
Most important: I.P. gathering
Search public information; gather as much info as possible without sending a single packet
Physical address
Phone number
Fax numbers
Email addresses
Hours of operation
Business relations: 3rd-party vendors
Employee emails/names
Social media connections
News and announcements - mergers
Job postings / job openings (software, hardware and network-related information)

When researching a company I like to check the job postings first. The company will spill its guts if you just take the time to read.
Let's examine this job posting:

Responsibilities:
Analyzing network errors or anomalies, as well as specific network performance issues and/or error messages, in order to ensure maximum uptime and service quality and assess trends that may ultimately result in degradation of service
-- Analyze and configure VOIP network traffic to ensure high quality of service and high availability
Formulating and implementing monitoring, policies, procedures and standards relating to network management
-- Manage and work with 3rd party vendors to procure and maintain network devices, assist in cost analysis to ensure highest value to Sage Intacct
Troubleshooting API and other system issues at a per-packet level via packet trace and sniffer analysis, including the troubleshooting of 3rd party data integration services and/or other Web-enabled solutions
Participation in a 24x7 on-call rotation on a periodic basis; this requires functional knowledge of all Sage Intacct network devices, domain controllers, VPN and subsystems outside of the networking layer in order to provide on-call support

Requirements:
-- BS/BA degree, or equivalent work experience, CCNP certification preferred
5+ years direct experience required in the management and administration of network infrastructure - routers, switches, load balancers, SSL acceleration technology, etc.
-- 5+ years experience with network protocols for routing and access, including but not limited to: BGP, IS-IS, OSPF, RIP, EIGRP, RADIUS, TACACS, STP, etc.
In-depth knowledge of TCP/IP and BGP an absolute requirement
-- Extensive working experience with Cisco ASA 5500 series, Dell N2000 and N3000 switches
Experience with VPN remote access and PTP VPN tunnels
Experience with multi-site routing, peering, and disaster recovery network architectures
Experience with the use and implementation of enterprise monitoring and management frameworks and tools
Experience working in structured change management processes for highly available datacenter networks
-- Familiarity with WiFi standards and experience managing wireless network configurations, Cisco Meraki experience is a plus
Firewall/security experience (ACL, GRE/IPsec tunnels, FWSM, IDSM2, and secure remote access/management practices)
-- Experience with Palo Alto Networks firewalls is a plus
-- Familiar with one or more of the following monitoring tools: Zabbix, Nagios, PRTG or Cacti

Education and Certification Requirements:
Preferred - Bachelor's degree (computer science, business administration or related field) or equivalent experience
Preferred certifications: Cisco CCNA or CCNP, Palo Alto Networks PCNSE

I placed two tick marks by the second line under Responsibilities: the company asks you to be knowledgeable about VOIP. The first thing that pops into my head is Wireshark. Wireshark captures packets as they go across the network, and when the company uses VOIP the call is turned into packets that traverse the network. Wireshark will capture those packets and you can listen to the phone conversation. The next tick mark I made deals with 3rd party vendors. Always check for 3rd party vendors, since they have access to the company you are researching. If I want to hack a company and their security is super tight, Fort Knox, I will attack the 3rd party vendors and then access the company through them. The next couple of tick marks, as you can see, are where the company asks for people knowledgeable about Cisco networking gear.
They also go in depth about what equipment they are using, Cisco ASA 5500 series and Dell N2000 and N3000 switches, so they are telling you right there what they run. The 6th tick states that familiarity with WiFi and Cisco Meraki is a plus. This tells me I could possibly gain access to their network through WiFi, and they are using the cloud, so I should research the cloud's weaknesses. The next tick states experience with Palo Alto, which is used to prevent cyber attacks. The last tick tells me all the network monitoring tools they use. How nice of them to give me all this information.

Now I research each of these ticks in depth and look for weaknesses. Take, for example, the Nagios monitoring system: go to your web browser and type in "Nagios vulnerabilities"; there are 247,000 results. I am sure we can find some good information if we dig deep enough. Right off the bat they talk of Cross Site Scripting (XSS), SQL Injection, Remote Code Execution (RCE) and Privilege Escalation. We will discuss these topics more in depth at a later time; I just wanted to show you how much information is on the web.

Physical addresses - come in handy when you want to go dumpster diving, or digging in the trash. Trash is fair game; you can go through it and the owners cannot say a thing, but if they have a fence around their dumpster or their business then you are trespassing. Kevin Mitnick said he went through AT&T's dumpster and found a bag full of shredded paper. His team took the bag to Starbucks, grabbed some coffee and dug into the bag. After they pieced everything back together, they had each employee's name, email and password. Word to the wise: BURN your important documents. You can find a lot of information in dumpsters that can come in handy later on; I'll discuss more on Dumpster Diving later.

Email addresses - Most companies follow a pattern when dealing with email accounts. Each company can be different, so during your research grab a couple of different email addresses to study.
The thing you are looking for is the format the company uses: is it Jon Smith@XXXXX, JSmith@XXXXX or SmithJ@XXXXX? After you figure the pattern out, start a brute force attack on the email account; I'll discuss other ways using social engineering later on.

Hours of operation - let's make sure that when we start our exploiting stage, workers are not still at work.

Business relations - find all the 3rd party vendors.

Social media - Check Facebook, LinkedIn and other social media for information on your target. Check the employees' Facebook pages for information. They might talk about issues at their job, or you might even see a post where the I.T. guy said "Have to pull an all nighter, our firewall went down". Thanks for the tip, my man.

News and announcements - Watch for upcoming events that you could attend to gather more information, and especially watch for "MERGERS": when companies merge they are vulnerable. The network might have issues, company equipment might fail; the possibilities are endless. Look how corona has changed so much: "As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom"..... ZOOM? Zoom vulnerabilities? Researcher Mazin Ahmed, who presented his findings at DEF CON 2020, found that the company also left a misconfigured development instance exposed that wasn't updated since September 2019, indicating the server could be susceptible to flaws that were left unpatched. After Ahmed privately reported the issues to Zoom in April and subsequently in July, the company issued a fix on August 3 (version 5.2.4). Wait, did you catch it? Read it again...... He told Zoom they were vulnerable to an attack in April and they did not patch the issue until August, so for 4 months Zoom was open game. There are groups you can join, possibly for a fee, that receive these issues, and usually it takes around a year for the patch to come out.
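The brute-force step described above, once the address pattern is known, is exactly what a mail or identity team should be alerting on. Here is an added example (my own code, not from this page) that runs a simple detection over constructed log lines: it flags a source that spreads failures across many guessed usernames (a spray built from the address pattern), a source that hammers a single account, and a login from such a source that then succeeds. The log format, the thresholds and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a generic "key=value" mail-auth log style. The format is a
# hypothetical one for this example, not the output of any particular mail server.
SAMPLE_LOG = """\
2020-11-24T02:00:01 auth=fail user=jsmith src=203.0.113.5
2020-11-24T02:00:02 auth=fail user=smithj src=203.0.113.5
2020-11-24T02:00:03 auth=fail user=john.smith src=203.0.113.5
2020-11-24T02:00:04 auth=fail user=jdoe src=203.0.113.5
2020-11-24T02:00:05 auth=fail user=doej src=203.0.113.5
2020-11-24T02:00:06 auth=fail user=alee src=203.0.113.5
2020-11-24T02:00:07 auth=fail user=jdoe src=198.51.100.7
2020-11-24T02:00:08 auth=fail user=jdoe src=198.51.100.7
2020-11-24T02:00:09 auth=fail user=jdoe src=198.51.100.7
2020-11-24T02:00:10 auth=fail user=jdoe src=198.51.100.7
2020-11-24T02:00:11 auth=ok user=jdoe src=198.51.100.7
2020-11-24T08:15:00 auth=fail user=alee src=192.0.2.9
2020-11-24T08:15:30 auth=ok user=alee src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the log text into a time-ordered list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=4):
    """Flag, per source IP, the two patterns a naming-convention guess leads to:
    spray: failures spread over >= spray_users distinct usernames inside `window`
    bruteforce: >= brute_fails failures against one username inside `window`
    A success from a source already flagged is recorded as success_after_attack."""
    recent = defaultdict(deque)  # src -> (ts, user) failures still inside the window
    findings = defaultdict(lambda: {"spray": False, "bruteforce": set(),
                                    "success_after_attack": set()})
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if e["result"] == "fail":
            q.append((e["ts"], e["user"]))
            users = [u for _, u in q]
            if len(set(users)) >= spray_users:
                findings[e["src"]]["spray"] = True
            if users.count(e["user"]) >= brute_fails:
                findings[e["src"]]["bruteforce"].add(e["user"])
        elif e["src"] in findings:  # a login succeeded from a source already attacking
            findings[e["src"]]["success_after_attack"].add(e["user"])
    return dict(findings)


if __name__ == "__main__":
    for src, f in detect(parse_log(SAMPLE_LOG)).items():
        print(src, "spray" if f["spray"] else "-", "bruteforce:", sorted(f["bruteforce"]),
              "success_after_attack:", sorted(f["success_after_attack"]))
```

The single typo-then-success from 192.0.2.9 is deliberately left unflagged, which is the trade-off the thresholds encode.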
So that says you could find out a company's vulnerabilities and have about a year before they issue a patch.

Some places to do your research:
News and groups
Bulletin Board Systems
Facebook
Instagram
Twitter
LinkedIn
Bing
Dogpile
Google
Yahoo
Webferret - https://download.cnet.com/WebFerret/3000-2379_4-10002998.html
EDGAR - publicly traded companies ( https://www.sec.gov/edgar.shtml )
groups.google.com

Best people search:
SwitchBoard ( https://inter800.com/switchboard/ )
Google Finance ( https://www.google.com/finance )
Yahoo Finance ( https://finance.yahoo.com/ )
blackbookonline.info ( https://www.blackbookonline.info/ )
Reunion.com
Classmates.com ( https://www.classmates.com/ )
Plaxo.com ( https://en.wikipedia.org/wiki/Plaxo )
Zaba Search ( https://www.zabasearch.com/ )
Spokeo ( https://www.spokeo.com/ )
pipl.com
familytreenow.com
thatsthem.com
luller.com

WARDIALING:
phonenumber.com
411.com
yellowpages.com

Wardialing - is a technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code, to search for modems, computers, bulletin board systems (computer servers) and fax machines. There are too many possibilities with this technique to list them all. The major one I will talk about is fax machines; this is the place you should attack, and hard. Fax machines are sometimes still hooked up to dial-up, if you're old enough to even know what that is. Fax machines have weak security, and in big companies they have employees' email addresses and passwords stored. Around 10 years ago, I think it was, terrorists were buying up the military's old copying machines; it turned out that even after erasing the memory you could still pull up all the information the military had scanned, which included social security numbers, addresses and more. Anyone need a fake passport, CC or ID?

Another thing to research is an offsite storage building.
Major companies store their backup data at another location in case a fire breaks out or a major catastrophe happens. This way the backups will not be damaged and the company can be back up and running in minimal time. The terms you might hear or search for are Hot, Warm and Cold Sites. A hot site is up and running, a warm site can be up in a short time, and a cold site will take a while to get running. These buildings are where companies store their backup data, and they are usually not guarded, making them an easy target to get information from.

Google Earth to see the target: the Google Street View car drives around the country recording data, WiFi and MAC addresses ( https://www.google.com/streetview/ ). API at shodanhq.com/research/geomac ---- Blackhat 2010, Samy Kamkar's "How I met your girlfriend" ( https://www.wired.com/2015/12/the-greatest-hits-of-samy-kamkar-youtubes-favorite-hacker/ )

This is an older technique, but it sometimes still works: extracting DNS via zone transfers. DNS servers are an excellent target for hackers and penetration testers to gather data from; the information is considered highly valuable to attackers. A zone transfer can contain a full listing of the internal IP addresses that belong to our target. We will dig deeper later on.

Go to the company's cloned site, right-click the main page and click "View Source" and "Inspect Element". Sometimes the people that code the website leave notes to themselves so they won't forget, but then forget to remove the notes. Some admins might leave passwords in there, or notes on issues they were working on. Every little bit of information will help.

Search for VPNs to connect to companies or individuals.

Search Google for: <Company> Resume firewall
I searched for "Chevron Resume Firewall", and it showed me the resume of a person that worked at Chevron or was applying for a job at Chevron. Study their qualifications; this might tell you more about what equipment the target company has.
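The view-source notes just described, and the cached-page and .bak-file points elsewhere on this page, all come down to what a site ships under its web root. As an added example (my own code, not from this page) here is a pre-release check that walks a web root for developer comments containing sensitive words, stray backup copies such as .bak files, and pages that lack a robots noarchive meta tag (which is what keeps a page out of the search-engine caches discussed earlier). The sample web root, its file names, the keyword list and the backup suffixes are constructed assumptions for the example.

```python
import os
import re
import tempfile

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Words in a developer comment that should never ship; the IP pattern catches leaked
# internal addressing (only 10/8 here; extend it for 172.16/12 and 192.168/16).
SENSITIVE_RE = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|todo|fixme|internal|10\.\d+\.\d+\.\d+)\b",
    re.IGNORECASE,
)
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
# Simple check for <meta name="robots" content="...noarchive..."> (attribute order assumed).
NOARCHIVE_RE = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noarchive', re.IGNORECASE
)


def scan_webroot(root):
    """Walk a web root and return (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", rel, "stray copy reachable under the web root"))
                continue
            if not name.lower().endswith((".html", ".htm")):
                continue  # only HTML is inspected for comments and meta tags
            with open(full, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            for comment in COMMENT_RE.findall(html):
                if SENSITIVE_RE.search(comment):
                    findings.append(("sensitive-comment", rel, comment.strip()[:60]))
            if not NOARCHIVE_RE.search(html):
                findings.append(("no-noarchive", rel, "page can be kept in search-engine caches"))
    return findings


def build_sample_webroot():
    """Constructed web root: one clean page, one leaky page, one stray backup, one CSS file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": '<html><head><meta name="robots" content="noarchive"></head>'
                      '<body><!-- nav rebuilt 2020 --><p>Welcome</p></body></html>',
        "login.html": '<html><body><!-- TODO: remove test account, password is Summer2020 -->'
                      '<form></form></body></html>',
        "login.html.bak": "<html>old version</html>",
        "css/site.css": "body { color: black; }",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_webroot(build_sample_webroot()):
        print(f"{kind:18} {path:16} {detail}")
```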
Send an email with an empty .bat file. Once it is rejected, break down the rejection for the vendor and version of the anti-virus, inspect the header for the IP, and identify the software brand of the email server.

Offline browser - Teleport Pro - https://en.freedownloadmanager.org/Windows-PC/Teleport-Pro.html

Multiple search engines: All-in-one ( https://all-io.net/ ), Dogpile ( https://www.dogpile.com/ ), groups.google.com

Advanced search in websites - AltaVista ( http://ca-en.altavista.com/ )

Sites to research recent cyber attacks:
https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf
https://www.usa.gov/federal-agencies/computer-emergency-readiness-team
https://nvd.nist.gov/
https://www.securitytracker.com/
https://securiteam.com/
http://www.hackerwatch.org/
https://www.securityfocus.com/
https://www.scmagazine.com/
https://www.w4rri0r.com/vulnerabilities-attacker-surface.html
https://www.wired.com/2015/12/the-greatest-hits-of-samy-kamkar-youtubes-favorite-hacker/
https://owasp.org/www-project-top-ten/
https://www.veracode.com/security/owasp-top-10

Learn how hackers are attacking companies so you can be up to date and learn how to defend against it.

I am briefly going to talk about Google-Fu, or Google Hacking. Looking up information can take a lot of time, and when you hit that enter button on whatever you are researching and it says 565,000 results, it can be discouraging. How you list your search terms in the Google search bar determines how many results you get. There are ways to cut the results down to a fraction and save yourself a lot of time going through all the threads. I chose to research Emmitt Smith:
emmitt smith - About 2,790,000 results
black male/emmitt smith - About 1,390,000 results
Dallas Cowboys/emmitt smith - About 1,130,000 results
So the more information I added, the more Google honed in and the fewer results I had to parse through. You can narrow it down even further with the right knowledge. Here are some ways to improve your research and lower your result count.
intitle: or allintitle:
intitle: - the search word is within the title.
allintitle: - only return websites that contain all the keywords in the webpage title. Example: allintitle:index of *****
URL - inurl:admin - reveals admin or configuration pages on the target's website
Filetype - filetype:PDF
Combine them - site:dsu.edu filetype:PDF

Term        Action
filetype:   Search for a file by its extension (e.g. PDF)
cache:      View Google's cached version of a specified URL
intitle:    The specified phrase MUST appear in the title of the page

Johnny Long has a great book out called "Google Hacking for Penetration Testers" (download for free at pdfdrive.com), or watch the presentation Johnny Long gave at Defcon 13 ( https://www.youtube.com/watch?v=fo1BR9itwOY ).

Start researching more in depth on each of these topics and take notes in a composition notebook; they run around a dollar each. I have a notebook for each phase and write everything that I find of value inside them. This way, when I engage a target, I pull my notebooks out, run down the lists and fill in the blanks. This makes it so much easier, because as we get older and learn more things we forget older things.

Start practicing on overthewire.org: start off with Bandit and complete the 34 stages, then move to the next playground. I think there are 17 playgrounds on overthewire to learn from.

Capture the Flag (CTF) competitions can be rewarding, soul destroying and intimidating all at the same time. I'd strongly recommend getting stuck in and signing up to CTFs as soon as possible. Don't wait until you've mastered a specific skill, as CTFs are a brilliant learning resource first and foremost. Set aside time every week to get onto a CTF and treat this time as sacred. Don't let anything distract you away from this time slot if you can help it! Consider joining a CTF team to enhance your pool of learning resources. There are always teams looking for new members. The "OpenToAll" team is one that comes to mind, who are now at an astounding 300+ team members.
Here are some tools to research that you will use during the Reconnaissance Phase:
HTTrack - makes an offline copy of the website
Blackwidow Pro or Wget - can extract a complete copy of a website
The Harvester
Whois.net
Netcraft
Host
NSLookup
Dig
MetaGoofil
SEAT
Maltego
SamSpade
NetScan
GTWhois
XWhois
Archive.org
Trellian
Web Investigator
MyReputation
BiDiBLAH
Big Brother
Advance Administrative Tools
Wikto
ActiveWhois
Spiderfoot
Msr Strider URL Tracer
WTR - Web the Ripper 2
Dirbuster
Wget - Linux/Unix
Teleport Pro - Windows
Athen 2.0
SiteDigger
Traceroute

Search engines for hackers:
censys.io
shodan.io
viz.greynoise.io
zoomeye.org
netograph.io
wigle.net
intelx.io
fofa.so
hunter.io
haveibeenpwned.com

As we go along we will add more to this phase and discuss the topics further. So do some research, dig into these topics, and if you have any questions ask one of us.

Updated 11/24/2020

Username search tools #OSINT
https://t.co/hzHoHiDbFB
https://t.co/6vE7pCI5Q8
https://t.co/0gOGizBPIG
https://t.co/XeS26gkzzu
https://t.co/wMW7nFZCNa
https://t.co/GbmYe47gtO
https://t.co/fEAARCFsAU?
https://t.co/heIvHUWeuQ
https://t.co/mRerIKvDht
https://t.co/qYO1k6TOWx
https://t.co/p4eVgqZixX
https://yandex.com/
http://www.mavetju.org/unix/dnstracer-man.php
https://www.maltego.com/?utm_source=paterva.com&utm_medium=referral&utm_campaign=301
https://null-byte.wonderhowto.com/how-to/use-spiderfoot-for-osint-gathering-0180063/
https://www.spiderfoot.net/
https://hakin9.org/buster-an-advanced-tool-for-email-reconnaissance/
https://hakin9.org/people-tracker-on-the-internet-osint-analysis-and-research-tool/
https://www.entireweb.com/
https://www.lycos.com/
https://www.teoma.com/
https://millionshort.com/
https://www.offensiveosint.io/offensive-osint-s01e01-osint-rdp/
https://www.martinvigo.com/email2phonenumber/
https://www.secjuice.com/artificial-intelligence-ai-and-osint/
https://phonexicum.github.io/infosec/osint.html
https://www.reversephonecheck.com/
https://www.kitploit.com/2020/06/sifter-74-osint-recon-vulnerability.html
https://www.tracelabs.org/initiatives/osint-vm
https://osint.link/
https://www.bellingcat.com/resources/how-tos/2019/12/26/guide-to-using-reverse-image-search-for-investigations/
http://www.faganfinder.com/filetype/
https://www.yippy.com/
https://github.com/jivoi/awesome-osint (EVERYTHING)
https://github.com/Z4nzu/hackingtool (EVERYTHING)
https://github.com/infosecn1nja/Red-Teaming-Toolkit (A TOOL FOR EVERY PHASE)
https://osintframework.com/ (CLICK THE BLUE DOTS)
https://github.com/PaulSec/API-dnsdumpster.com
https://github.com/JoeWrieden/AutomatedOSINT
https://github.com/0xApt/awesome-bbht - "A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp). For Ubuntu/Debian."
https://github.com/jakejarvis/awesome-shodan-queries
https://github.com/Cignoraptor-ita/cignotrack
https://github.com/m0rtem/CloudFail
https://github.com/OWASP/D4N155
https://github.com/darkoperator/dnsrecon
https://github.com/ex0dus-0x/doxbox
https://github.com/sandialabs/dr_robot
https://github.com/ChrisTruncer/EyeWitness
https://github.com/thewhiteh4t/FinalRecon
https://github.com/ElevenPaths/FOCA
https://github.com/obheda12/GitDorker
https://github.com/Sachaaaaaa/Grhoth
https://github.com/khast3x/h8mail
https://github.com/m4ll0k/Infoga
https://www.osintcombine.com/instagram-explorer
https://github.com/instant-username-search/instant-username-search
https://github.com/ChrisTruncer/Just-Metadata
https://github.com/pielco11/JungleScam
https://github.com/initstring/linkedin2username
https://github.com/laramies/metagoofil
https://github.com/MISP/MISP-maltego
https://github.com/ninoseki/mitaka
https://github.com/AzizKpln/Moriarty-Project/
https://github.com/HA71/Namechk
https://github.com/th3unkn0n/osi.ig
https://github.com/milo2012/osintstalker
https://github.com/sundowndev/PhoneInfoga
https://www.youtube.com/watch?v=WW6myutKBYk
https://copycookie.com/phoneinfoga-advanced-information-gathering-osint-framework-for-phone-numbers/
https://github.com/s0md3v/Photon
https://github.com/nethunteros/punter
https://github.com/m8r0wn/pymeta
https://github.com/dchrastil/ScrapedIn
https://github.com/thewhiteh4t/seeker
https://github.com/HA71/sherlock
https://github.com/kpcyrd/sn0int
https://github.com/SpiderLabs/social_mapper
https://github.com/laramies/theHarvester
https://github.com/krmaxwell/tinfoleak
https://github.com/jofpin/trape
https://github.com/Ekultek/WhatBreach
https://github.com/inurlx/XSPID3R

Photo location search #map #geo #OSINT #SEO #infosec
http://oldto.sidewalklabs.com/
http://locationscout.net/
http://shothotspot.com/
http://whatwasthere.com/
http://photogrammar.yale.edu/

.io search engines #osint #seo #infosec #search
http://darksearch.io/ - dark web
http://scinapse.io/ - academic
http://fnd.io/ - iTunes & App Store
http://redditsearch.io/ - Reddit
http://filefactory.filesearch.io/ - files
http://keywordtool.io/ - keywords
https://inteltechniques.com/JE/
https://technisette.com/p/tutorials
https://i-sight.com/resources/101-osint-resources-for-investigators/
http://browsershots.org/
https://www.uk-osint.net/

OSINT YouTube videos:
https://www.youtube.com/watch?v=WW6myutKBYk - using phone numbers to gather info
https://www.youtube.com/watch?v=SMxya-M6KhU - different tools
https://www.youtube.com/watch?v=SvL9bpsY-ZQ - finding info in various ways
https://www.youtube.com/watch?v=DSEGmdzs9Kg - DefCon OSINT
https://www.youtube.com/watch?v=RwwpXALAp3I - Spiderfoot
https://www.youtube.com/watch?v=d-Ql_WSwF0A - Maltego
https://www.youtube.com/watch?v=yrOOdq25wMw - SANS search tips:
Surround literals with " ", as in "Soc Sec Num"
Add a minus (-) to a search term to maximize the effectiveness of the resulting hits; it excludes pages with the given word
Search for airline status: type in the airline and flight number (front end for Travelocity)
Search for a VIN for vehicle information
Search for a UPC number for product info

By dumping records from your DNS servers, attackers can determine which machines are accessible on the Internet. Using nslookup, this information can be gathered. Type:
    C:\> nslookup
    > server [DNSServer]
    > set type=any
    > ls -d [domain]

site:sans.org, then:
    -www after you look at the results
    -isc review the results
    -ics review the results
    -labs review the results
and keep taking away results you don't care to see.

"cache:www.counterhack.net"

.bak is a backup file that exposes passwords: site:www.[target].com bak

Use FOCA to download all the files you can find on a target.

Take an Excel document and put a macro in it, email it to the person that created the document and title it "Fix Immediately"; they will open it and fix it, not realizing they just clicked on a virus, worm or keylogger.
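The nslookup ls -d dump above only works when the server's allow-transfer policy permits it, so the matching defensive check is a configuration audit. The following added example (my own code, not from this page or from SANS) lints a constructed BIND named.conf fragment and reports every zone whose effective allow-transfer policy is "any", whether set on the zone or inherited from options; the zone names, the addresses and the minimal brace-counting block parser are assumptions made for the example.

```python
import re

# Constructed named.conf fragment: a weak global default, one zone that inherits it,
# one zone restricted to its secondaries and one that disables transfers outright.
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };   // weak: any client may dump every zone that does not override it
};
zone "example.com" {
    type master;
    file "example.com.zone";   // no allow-transfer here, so it inherits "any"
};
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };   // only the listed secondaries
};
zone "internal.example" {
    type master;
    file "internal.zone";
    allow-transfer { none; };
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so they can neither hide nor fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement, counting
    braces so a nested `{ ... }` address list does not end the block early."""
    i, n = 0, len(text)
    while i < n:
        start = text.find("{", i)
        if start < 0:
            break
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 0, start
        while j < n:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[start + 1:j]
        i = j + 1


def transfer_acl(body):
    """Return the allow-transfer address-match list as strings, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_transfers(conf_text):
    """Return (zone, where, message) for each zone whose effective policy allows AXFR to anyone."""
    global_acl, zones = None, []
    for header, body in top_level_blocks(strip_comments(conf_text)):
        if header == "options":
            global_acl = transfer_acl(body)
        elif header.startswith("zone"):
            zones.append((re.search(r'"([^"]+)"', header).group(1), transfer_acl(body)))
    findings = []
    for name, acl in zones:
        effective = acl if acl is not None else global_acl
        if effective is None:  # older BIND 9 releases then default to allowing any host
            findings.append((name, "default", "no allow-transfer set anywhere; add an explicit list"))
        elif "any" in effective:
            findings.append((name, "zone" if acl is not None else "options",
                             "allow-transfer { any; } lets any client dump the zone"))
    return findings
```

Running audit_transfers(SAMPLE_CONF) reports only example.com, inherited from options; the two zones with an explicit list or none pass.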
Use "index of XXXXXXX" to go straight to their directory and search their files and folders (site:wafflehouse.com intitle:index.of). Work more on this...
You can also find remote desktop systems: ext:rdp
Indexable directories: intitle:index.of "parent directory" - search them for IDs and passwords
Video cameras: search for inurl:"ViewerFrame?Mode="
pastebin.com - go on there and search for user IDs and passwords; "password ngc.com" is a Northrop Grumman password list.
Shodan will give you the number of IoT devices and their IP addresses. images.shodan.io will give you images of Remote Desktop Systems that are open to the internet; then, in the search bar, port:5900 will show VNC open to the internet with no passwords needed.
shodanhq.com
dnsstuff.com
tracert.com
traceroute.org
network-tools.com
securityspace.com
https://github.com/domssilva/vulnsearch - "A deep look at some recon methodologies and web-application vulnerabilities of my interest where I will merge all my notes gathered from books, videos, articles and own experience with bug bounty hunting / web and network hacking"
https://tools.tldr.run/ - bunch of different tools
https://intelx.io/ - search database
https://github.com/Err0r-ICA/TORhunter - "Designed to scan and exploit vulnerabilities within Tor hidden services. TORhunter allows most tools to work as normal while resolving .onion"
https://hunter.io/ - find email addresses fast
https://rocketreach.co/login