Lets say that we are investigating a company as a part of an assessment, during this recon process we must use anything available on internet (Surface Web, DeepWeb or DarkWeb). This includes free tools and sites, but also if you can/want use paid services, is up to you. Just remember, we are to good guys, so don’t cross the line.
But don’t worry, we are smart enough and we know how to perform and intelligence analysis ¿ok?
When I investigate a company with no previous information provided by them, I usually begin with the Domain and web services. You will probably know the organization’s name, domain and/or at least one email account. If not, you can start with Google/ DuckDuckGo 🙂
With this simple piece of information we can start scanning the domain, looking for anything useful like registered IP addresses, open ports, outdated protocols or vulnerable technologies :
https://whois.domaintools.com/ https://www.shodan.io/ https://centralops.net/co/DomainDossier.aspx
We could also use tools like Nmap or Rustscan to validate around the same information, but FYI: this kind of tool might raise alerts on the IDS/Firewalls and/or perimeter security tools. Anyway…you can install them easily on Windows, Linux, etc systems:
If we go one step further, we can use vulnerability scanners like Nessus from Tenable or you can choose an open-source tool like Nikto, which is a web server scanner. Even if they’re oriented to Pentesting or Vulnerability Assessments, they can also be used during the Recon phase to obtain information on the target’s vulnerabilities. As a especial mention, you can add to your browser (Firefox) this amazing extension called Wappalyzer which basically can detect most of the technologies used on a website. Going back to the recon idea, what better tool to be mentioned than Recon-ng:
https://github.com/sullo/nikto https://www.tenable.com/downloads/nessus?loginAttempted=true https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ https://github.com/lanmaster53/recon-ng
And let’s not forget those sites that could put some light on old incidents or linked/related threats to an organization, Virustotal and JoeSandbox:
Lets say we want to start digging into available email accounts for domain users, along with the names they belong to, also maybe even some aliases for different sites. Here I introduce TheHarvester and Sherlock, two open source tools that conducts search-and-gathering through all kind of social networks and search engines:
When we try to analyze the email accounts that we were able to gather, we would find quite a good list of sites that will provide us with very useful information. Simple Email Reputation website can analyze the records for the account’s domain, the blacklist state, along with possible password breaches. Talking about leaks, here we can use another very simple and useful site called ‘;–have i been pwned?, which basically tells you on which known leak shown up the account. On the same line, you can use a paid resource like DeHashed which will tell you not only if it was leaked or when, but also the extracted passwords and hashes. Another site where sometimes we can find information is the most known pasting site: Pastebin.
https://emailrep.io/ https://haveibeenpwned.com/ https://www.dehashed.com/ https://pastebin.com/
Lets put something stronger in your plate: Maltego is an intelligence tool used to conduct open source investigations and centralize the information gathering trough different sources (both free and paid versions are available). This tool is a little bit more complex than the ones we already mentioned, but it worthwhile the learning process. You need to create a free account at the Maltego website and once you have downloaded it, you must login to use it. You need to configure the “Transforms” that integrate different platforms. Some of them are paid, and others are free, but in any case, you will need to create an account to connect with your private API (E.g. SHODAN, AlienVault, VirusTotal, etc.):
Lets continue in the same line of thought, now, the next tool is a bless for the ones we like to analyze metadata. FOCA Pentest is a metadata gathering tool that allows you to search for around 20 different type of extensions (you can customize this). After you found them, you will be able to download them in a directory, extract the metadata and even analyze them for possible infection.
Now, let’s imagine that among the information that you recollected, you got with some PCI/USB device information. Here’s a very awesome site that will let you ‘hunt‘ any possible intel about the device: DeviceHunt. Now, if you find a different type of information like possible SSIDs, Wi-Fi names, and/or any network information, you should definitely check WIGLE:
A quick tip and trick, very useful when we need to find something, someplace or someone through a photograph is to reverse search through images with search engines. We can Use Google Images, Yandex or another great website Tineye:
https://www.google.com/imghp https://yandex.com/images/ https://tineye.com/
The last ones for today, since we could continue for a while. If we collected personal information and around this we get Twitter accounts, we can use a geolocation website called BirdHunt to try to find the location of the account’s owner. Continuing with Twitter, we can monitor it’s activities and perform tag/hashtag searches using another great website: TweetDeck. As a last mention, another geolocation tool, but this time for YouTube accounts is the website YouTube Geofind:
https://birdhunt.co/ https://tweetdeck.twitter.com/ https://mattw.io/youtube-geofind/location
That’s it for today, I will probably do a second part for this, especially because I left out all the DarkWeb stuff. The reason for that is that we need to take extra precautions around it, so you should not just go on your own visiting DarkWeb sites. Next time!