Information Gathering

OSINT: Widening the attack surface. Mounting targeted attacks. Sharpening your tools in preparation for the next phases.

Open-Source Intelligence

Information Gathering from Social Networks

  • CrunchBase: find detailed information about founders, investors, employees, buyouts and acquisitions.

Government Sites

  • System for Award Management.

  • GSA eLibrary.

Whois database

Also accessible through the Linux command whois; a record typically exposes:

  • Owner name.

  • Street addresses.

  • Email Address.

  • Technical Contacts.

Browsing Client's sites

  • Check products.

  • Services.

  • Technologies.

  • Company Culture.

Discovering Email Pattern

  • name.surname@company.com

  • surname.name@company.com

  • Many email systems inform the sender that mail was not delivered because the recipient address does not exist, which confirms or rules out a guessed pattern.

Subdomain Enumeration

  • We keep on widening the attack surface, discovering as many websites owned by the company as possible.

  • It's common for websites of the same company to share the same parent domain name.

  • Likely to find resources that:

    • Run outdated software.

    • Run buggy software.

    • Expose administrative interfaces.

  • Bug bounty program writeups.

Online services

  • VirusTotal.

  • DNSdumpster.

  • crt.sh: view certificates and see associated domains and subdomains.

  • Note: a subscription is needed for one of these services.

Automated tools

  • sublist3r / subbrute: use a domain wordlist to brute-force subdomains.

# sublist3r, querying passive DNS services, with brute force enabled
sublist3r -v -d google.com -b

# -v : verbose
# -d <domain> : target domain
# -b : brute-force subdomains with subbrute

# amass (older command-line syntax; current releases use: amass enum -ip -d google.com)
amass -ip -d google.com
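A worked example of the crt.sh step above, added here and not part of the course or its own code: it parses a constructed crt.sh-style JSON response, normalises the names, strips wildcard labels, discards look-alike names outside the target domain, and diffs the result against an earlier inventory so newly appearing hosts stand out. The sample records, the domain example.com and the assumed response shape (a JSON array with newline-separated names in name_value) are all constructed.

```python
import json
from typing import Iterable, Set

# Constructed sample of what a crt.sh query such as
# https://crt.sh/?q=%25.example.com&output=json returns (assumed shape:
# a JSON array of certificate records whose "name_value" holds one or more
# newline-separated DNS names). Not real certificate data.
SAMPLE_CRTSH_JSON = """[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com",
   "not_after": "2024-01-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\\nadmin.dev.example.com",
   "not_after": "2023-06-01T00:00:00"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "Mail.Example.COM",
   "name_value": "Mail.Example.COM\\nexample.com.evil.test",
   "not_after": "2025-03-01T00:00:00"}
]"""


def subdomains_from_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Collect unique, in-scope hostnames from a crt.sh JSON response.

    Names are lower-cased, the wildcard label is stripped (the wildcard
    itself is not a resolvable host), and anything that does not end in
    the target domain is discarded, so a look-alike such as
    example.com.evil.test never lands in the inventory.
    """
    domain = domain.lower().strip(".")
    found: Set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def new_since(previous: Iterable[str], current: Iterable[str]) -> Set[str]:
    """Hosts present in the latest pull but absent from an earlier inventory."""
    return set(current) - set(previous)


if __name__ == "__main__":
    for host in sorted(subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")):
        print(host)
```

Run against a periodically saved inventory, new_since gives the asset owner a list of certificates issued for hosts nobody registered, which is the same data an attacker would use to widen the attack surface.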