Passive Gathering

These have a very low chance of detection, since they rely on publicly available resources rather than any direct interaction with the organization's systems.

  • Search Engines / Google Dorking
    • Using specific search queries to uncover information about a target
  • WHOIS Lookups
    • Searching for domain registration information
  • DNS
    • Identifying subdomains, mail servers, TXT records and other information about a domain
  • Web Archive Analysis
    • Web archivers, like the Wayback Machine, capture periodic snapshots of websites that can reveal information no longer present on the live site
  • Social Media Analysis
    • Employee profiles or job listings can reveal technologies in use, organizational hierarchy, phishing targets and other organizational information
  • Code Repositories
    • GitHub and similar repositories can publicly expose credentials, or source code that can be reviewed for vulnerabilities
  • Cloud Buckets
    • Publicly readable Amazon AWS or Azure storage buckets can expose data without any authentication
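The code-repository item above is as much a defender's concern as an attacker's: the cheapest mitigation is to catch credentials before they are pushed. The following is an added example, not part of these notes, of a small pre-commit style secret scanner. The detection rules (an AWS access key ID shape, credentials embedded in a URL, and a generic `password`/`secret`/`token` assignment filtered by Shannon entropy and a placeholder allowlist), the threshold and the sample repository contents are all constructed for the example; the key and secret values are made up and not real credentials.

```python
"""Added example: pre-commit style secret scan over repository file contents.
Rules, threshold and sample data are constructed for illustration."""
import math
import re
from dataclasses import dataclass

# Constructed sample repository contents: a mis-committed settings file and a clean README.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIA4QZL7P2MX9BWN3TR'",                      # constructed, key-shaped
        "AWS_SECRET_ACCESS_KEY = 'Xk2p9mQ7vLw4nR8sT1yB6zC3dF5gH0jK'",      # constructed, random-looking
        "DATABASE_URL = 'postgres://app:s3cr3tpassw0rd@db.internal:5432/app'",
        "SLACK_TOKEN = 'changeme'",                                        # placeholder, must not fire
    ]) + "\n",
    "README.md": "# Demo app\nRun `make test` before opening a pull request.\n",
}

# Markers that indicate a placeholder rather than a live secret (constructed list).
PLACEHOLDERS = ("example", "changeme", "<", "xxxx")
# Shannon entropy in bits per character; random-looking secrets score well above this.
ENTROPY_THRESHOLD = 3.5

# (rule name, pattern, whether the captured value must also pass the entropy check)
RULES = [
    ("aws-access-key-id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("url-embedded-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"), False),
    ("secret-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"]?([^'\"\s]{8,})"), True),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted_line: str  # the offending line with the secret value masked


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character-repeat string."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDERS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line; return findings with the secret value redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, needs_entropy in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # Rules with a capture group isolate the secret value; otherwise the whole match is it.
            value = match.group(1) if match.lastindex else match.group(0)
            if looks_like_placeholder(value):
                continue
            if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, rule, line.replace(value, "[REDACTED]")))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted_line}")
```

Run against the constructed sample, the scanner reports the access key, the secret key and the database URL on lines 2 to 4 of `config/settings.py`, while the `changeme` placeholder and the README produce nothing. In a real hook the file contents would come from the staged diff, and the rule list would be extended with the token formats of the services the organization actually uses; the entropy gate is what keeps a generic `password =` rule from firing on every test fixture.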

Footprinting

See [[Footprinting#Infrastructure Enumeration]] for detailed notes on gathering data for external infrastructure. See [[Footprinting#Host Based Enumeration]] for notes on gathering data via various services on a host.

Web Enumeration

See [[Information Gathering - Web]]

Exploits

  • ExploitDB (searchsploit), Rapid7 DB, Vulnerability Lab or Metasploit can help find exploits for particular applications