The first step of any penetration test is gathering information about the target company. This tutorial walks through the steps of passive information gathering, which uses only publicly available sources and sends no traffic to the target.
Public company information
Try to get the following data:
1. Company location and addresses.
2. All company email addresses (https://hunter.io/).
3. Company structure. The target company may have acquired other companies, which are then in scope too.
4. Legal info such as the company tax number.
5. Founders info.
6. Company blog articles, which can reveal information about the tech stack.
7. Company social media data on the most popular platforms (Instagram, Facebook, etc.).
8. Company vacancies, which give more info about the tech stack.
Company employee information
Try to get the following data:
1. Names
2. Emails
3. Phones
4. Job positions
5. Social media data
Website tech stack
Get tech stack info from the following services:
1. https://builtwith.com/
2. https://www.wappalyzer.com/
3. https://w3techs.com/sites
4. https://whatcms.org/
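As an added illustration (not code from this page or from any of the services listed above), the script below shows the kind of passive signals such fingerprinting services work from: the Server and X-Powered-By headers, well-known session-cookie names, and markers in the HTML. Both HTTP responses in it are constructed, not captured from a real site. The second one shows the caveat a defender checking their own site should keep in mind: removing the disclosing headers still leaves the CMS asset paths behind.

```python
import re

# Constructed HTTP response, as a fingerprinting service would see it for one request.
SAMPLE_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: nginx/1.18.0",
    b"X-Powered-By: PHP/7.4.3",
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly",
    b"Content-Type: text/html; charset=utf-8",
    b"",
    b"<!DOCTYPE html><html><head>",
    b'<meta name="generator" content="WordPress 5.8">',
    b'<link rel="stylesheet" href="/wp-content/themes/twentytwentyone/style.css">',
    b'<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>',
    b"</head><body></body></html>",
])

# Constructed response from the same site after header hygiene: version headers gone,
# session cookie renamed, generator tag removed, but the theme path still points at WordPress.
HARDENED_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Set-Cookie: session=abc123; path=/; HttpOnly",
    b"Content-Type: text/html; charset=utf-8",
    b"",
    b"<!DOCTYPE html><html><head>",
    b'<link rel="stylesheet" href="/wp-content/themes/twentytwentyone/style.css">',
    b"</head><body></body></html>",
])

# Header name -> finding category.
HEADER_SIGNALS = {"server": "server", "x-powered-by": "language", "x-generator": "cms"}
# Default session-cookie names of common runtimes (lower-cased) -> runtime.
COOKIE_SIGNALS = {"phpsessid": "PHP", "jsessionid": "Java servlet container", "asp.net_sessionid": "ASP.NET"}
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
WP_PATH_RE = re.compile(r"/wp-(?:content|includes)/", re.I)
JQUERY_RE = re.compile(r"jquery(?:\.min)?\.js\?ver=([0-9.]+)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP response into {header-name: [values]} and the body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body.decode("utf-8", "replace")


def fingerprint(raw: bytes) -> dict:
    """Return {"findings": {category: sorted values}, "evidence": [where each came from]}."""
    headers, body = parse_response(raw)
    findings, evidence = {}, []

    def note(category, value, where):
        findings.setdefault(category, set()).add(value)
        evidence.append(f"{category}: {value} ({where})")

    for header, category in HEADER_SIGNALS.items():
        for value in headers.get(header, []):
            note(category, value, f"header {header}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().lower()
        if cookie_name in COOKIE_SIGNALS:
            note("language", COOKIE_SIGNALS[cookie_name], f"cookie {cookie_name}")
    match = GENERATOR_RE.search(body)
    if match:
        note("cms", match.group(1), "meta generator tag")
    if WP_PATH_RE.search(body):
        note("cms", "WordPress", "asset path /wp-content/ or /wp-includes/")
    for match in JQUERY_RE.finditer(body):
        note("library", f"jquery {match.group(1)}", "script src")
    return {"findings": {k: sorted(v) for k, v in findings.items()}, "evidence": evidence}


if __name__ == "__main__":
    for label, response in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = fingerprint(response)
        print(label, result["findings"])
        for line in result["evidence"]:
            print("  ", line)
```

Run it directly to print the findings for both responses. The evidence list is what a site owner needs to act on each disclosure: version headers and the generator tag can be removed in server and CMS configuration, while the asset paths can only be hidden by changing the URL layout.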
Google dorks
1. Try common Google dorks from https://pentest-tools.com/information-gathering/google-hacking
2. Based on previously collected data (server version, CMS, etc.), try Google dorks from https://www.exploit-db.com/google-hacking-database
3. Check the target website and work out what files it stores that could be leaked, then try Google dorks based on common sense. For example, if the website is a social media platform, some user images may be indexed; tourism websites can leak users' IDs.
Other tools
1. https://www.shodan.io
2. Try to find source code at https://github.com
3. Get WHOIS info and all domains hosted at the target IP from https://whois.domaintools.com/
DNS enumeration
1. `fierce --domain onrealt.ru`
2. `anubis -t onrealt.ru`
3. https://site-analyzer.pro/services-seo/site-all-subdomains/
4. https://search.censys.io/
5. https://rapiddns.io/
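The tools and sites above each return their own list of hostnames, and the useful result is the merged, de-duplicated, in-scope inventory. The script below is an added example (not code from this page or from any of the tools named) of that merge step; the two inputs are constructed samples in the shape of a plain hostname export and a certificate-transparency JSON export, and `example.com` stands in for whatever domain is in scope. It also shows the check that matters when building such an inventory: a plain substring match would accept look-alike names, so scope is decided on the exact domain suffix.

```python
"""Merge subdomain candidates from several passive sources into one in-scope inventory."""
import json
import re
from typing import Iterable

# A valid DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample: one hostname per line, as a subdomain listing site might export.
PLAIN_EXPORT = """\
www.example.com
mail.example.com
MAIL.example.com.
dev.example.com
not-example.com
example.com.evil-lookalike.net
"""

# Constructed sample in the shape of a certificate-transparency JSON export,
# where one certificate can carry several names separated by newlines.
CT_EXPORT = json.dumps([
    {"name_value": "*.staging.example.com\napi.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "www.example.org"},
])


def normalize(host: str) -> str:
    """Lower-case, strip whitespace and a trailing root dot so duplicates collapse."""
    return host.strip().lower().rstrip(".")


def in_scope(host: str, apex: str) -> bool:
    """True only for the apex itself or a proper subdomain of it.

    "not-example.com" and "example.com.evil-lookalike.net" both contain the
    apex as a substring; the leading-dot suffix test rejects both.
    """
    return host == apex or host.endswith("." + apex)


def valid_hostname(host: str) -> bool:
    return all(LABEL_RE.match(label) for label in host.split("."))


def from_plain_lines(text: str) -> Iterable[str]:
    for line in text.splitlines():
        if line.strip():
            yield normalize(line)


def from_ct_json(text: str) -> Iterable[str]:
    for entry in json.loads(text):
        for name in entry.get("name_value", "").split("\n"):
            if name.strip():
                yield normalize(name)


def build_inventory(apex: str, *sources: Iterable[str]) -> dict:
    """Return sorted in-scope hosts, wildcard zones seen in certificates, and rejected names."""
    hosts, wildcards, dropped = set(), set(), set()
    for source in sources:
        for name in source:
            if name.startswith("*."):
                # A wildcard certificate names a zone, not a concrete host; keep it
                # separately so the zone can be reviewed rather than treated as a host.
                zone = name[2:]
                (wildcards if in_scope(zone, apex) else dropped).add(name)
            elif in_scope(name, apex) and valid_hostname(name):
                hosts.add(name)
            else:
                dropped.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards), "dropped": sorted(dropped)}


if __name__ == "__main__":
    inventory = build_inventory("example.com", from_plain_lines(PLAIN_EXPORT), from_ct_json(CT_EXPORT))
    for key, values in inventory.items():
        print(f"{key}:")
        for value in values:
            print("  ", value)
```

The `dropped` list is worth reading rather than discarding: out-of-scope names in it show where a source mixed in other organisations' records, and look-alike domains in it are exactly the names a defender wants to know about for brand-abuse monitoring.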