Pentesting Tools: OSINT - Paiet/SEC-335 GitHub Wiki

OSINT (Open Source Intelligence)
- Nslookup
  - Performing name lookup
  - 2 modes
    - Non-Interactive
      - nslookup www.nicholas.com
    - Interactive
  - set type=
- Whois
  - whois -H microsoft.com
  - Gather some good intel
    - Technical contacts
    - Phone/Fax numbers
    - Email
- FOCA
  - Fingerprinting and Organization with Collected Archives
  - https://www.elevenpaths.com/labstools/foca/index.html
- Theharvester
  - Gathers target info
    - Subdomain names
    - Employee names
    - Email Addresses
    - PGP keys
    - Open ports and service banners
  1. /usr/bin/theharvester gets the help
  2. theharvester -d nicholas.com -l 500 -b all
- Recon-NG
  - Gathers target info
    - Subdomain names
    - Employee names
    - Email Addresses
    - PGP keys
    - etc
  1. recon-ng
  2. workspace add <name>
  3. add domain <domain name>
  4. show modules
  5. search domain- (look for domain based modules)
  6. use module recon/domains-hosts/bing_domain_web
  7. show info
  8. run
- Maltego
  - Information Collection
  - Visual graphing
  - Walk through interface
- Shodan
  - Finds specific devices
    - Routers
    - Switches
    - Computers/Servers
    - IoT
    - ICS
  - search for: title:"hacked by"
- Censys
  - Similar to Shodan

⚠️ GitHub.com Fallback ⚠️