Gathering data using whois:

The whois command helps us find publicly available registration data about domains. The following is a brief list of the information types usually stored in public WHOIS records:

  • Registrant contact information
  • Administrative contact information
  • Technical contact information
  • Name servers
  • Important dates, such as registration, update, and expiration dates
  • Registry domain ID
  • Registrar information
  1. Kali has a built-in whois tool: ig_1
Info

Keep in mind that, as the demand for online privacy grows around the world, domain registrars sell privacy/proxy services (usually for a premium fee) that keep the registrant's contact details out of the public WHOIS record. If the domain owner pays for that service, the record shows the proxy service's details or "REDACTED FOR PRIVACY" instead of real contact data, so you should not expect to find private contact information for such domains in WHOIS.
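The fields listed above come back from whois as free-form key: value text, and the first thing a practitioner does with them is pull out the useful ones and notice when a privacy service is standing in for the registrant. The following parser is an added example, not part of the original notes; it runs against a constructed sample record (no real registrant data) and can also be pointed at the system whois client for a live domain. The privacy markers it looks for are a heuristic list, not an exhaustive one.

```python
import json
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample WHOIS record for a made-up domain (no real registrant data).
# The key: value layout follows what `whois` prints for most gTLDs.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registry Domain ID: 123456789_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2023-05-10T08:12:33Z
Creation Date: 2010-03-02T14:05:17Z
Registry Expiry Date: 2026-03-02T14:05:17Z
Registrar: Example Registrar, Inc.
Registrant Organization: Domains By Proxy, LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Name: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: NS2.EXAMPLE-TARGET.COM
DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Strings that usually mean a privacy/proxy service is standing in for the real
# registrant. Heuristic list (assumption): extend it with what your target's registrar prints.
PRIVACY_MARKERS = ("redacted for privacy", "domains by proxy", "whoisguard",
                   "privacy protect", "withheldforprivacy", "identity protect")

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def run_whois(domain):
    """Query the system whois client (needs network) and return the raw record text."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, check=False).stdout


def parse_whois(text):
    """Turn a key: value WHOIS record into a dict; repeated keys (name servers) become lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def first(value):
    """Thick-WHOIS TLDs such as .com print the registry and registrar sections back to
    back, so even single-valued keys can repeat; take the first occurrence."""
    return value[0] if isinstance(value, list) else value


def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_privacy_protected(record):
    """True when any registrant/admin/tech field carries a privacy or proxy marker."""
    blob = " ".join(str(v) for k, v in record.items()
                    if k.startswith(("Registrant", "Admin", "Tech"))).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def days_to_expiry(expiry, now=None):
    """Days until the expiry timestamp; `now` may be fixed (same format) for repeatable runs."""
    if not expiry:
        return None
    exp = datetime.strptime(expiry, DATE_FMT).replace(tzinfo=timezone.utc)
    ref = (datetime.strptime(now, DATE_FMT).replace(tzinfo=timezone.utc)
           if now else datetime.now(timezone.utc))
    return (exp - ref).days


def summarize(record, now=None):
    """Pick out the record types listed above and flag privacy protection."""
    expiry = first(record.get("Registry Expiry Date"))
    return {
        "domain": (first(record.get("Domain Name")) or "").lower(),
        "registry_domain_id": first(record.get("Registry Domain ID")),
        "registrar": first(record.get("Registrar")),
        "created": first(record.get("Creation Date")),
        "updated": first(record.get("Updated Date")),
        "expires": expiry,
        "name_servers": [ns.lower() for ns in as_list(record.get("Name Server"))],
        "privacy_protected": is_privacy_protected(record),
        "days_to_expiry": days_to_expiry(expiry, now),
    }


if __name__ == "__main__":
    raw = run_whois(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WHOIS
    print(json.dumps(summarize(parse_whois(raw)), indent=2))
```

Run it with a domain argument to query the real whois client, or without one to see the parsed sample. A privacy-protected result is still worth keeping: the registrar, name servers and dates are real even when the contacts are not, and a domain close to expiry is a finding in its own right.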


Tip

Take advantage of publicly available information such as job portals (from which we can learn about the company's technical equipment, employee requirements, contact details, the technology stack they currently use, and so on). Create sock puppets on LinkedIn, connect with high-privilege individuals and, within the scope agreed for the engagement, try to phish them. Extract as much as possible from the public information and build a threat model from it.

Quite often, you will notice that employees who are in a leadership role will commonly share their contact details on professional social networking sites, such as the following:

  • Full name
  • Job title
  • Company’s email address
  • Telephone number
  • Roles and responsibilities
  • Projects containing technical details
  • Pictures of their employee badge

As a penetration tester, it is quite simple to create a sock-puppet account on a site such as LinkedIn, populate it with false information (for example, that you are an employee working at another branch office), and then send connection requests to some low-level employees of the organization. Employees may accept the request because the account appears to belong to a fellow employee. Those connections lend the puppet credibility when you move on to the high-profile employees of the target and attempt various social-engineering tactics against them.

Hunter.io

  1. We can find a particular company's employees' information. ig_2
  2. As shown in the preceding screenshot, Hunter can provide a list of employees' information, such as names, email addresses, telephone numbers and the sources where each item was found. Furthermore, Hunter.io shows the format the company uses for its email addresses (for example first.last@company). Knowing the format lets you turn names gathered elsewhere into likely-valid addresses, which is useful when attempting password spraying and credential stuffing.
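The email-format point is where Hunter.io's data and the LinkedIn harvesting above meet: a handful of confirmed addresses reveal the pattern, and the pattern turns every name you collect into a candidate login. The script below is an added example, not code from the original notes or from Hunter.io; it infers the pattern from a few known (name, address) pairs, then applies it to new names, normalizing accents and punctuation the way most mail systems do. The names and addresses are constructed for a made-up domain, and the pattern table is an assumption covering the common corporate formats.

```python
import re
import unicodedata

# Constructed sample: addresses already confirmed for the target domain (as a Hunter.io
# domain search would list them) plus names harvested from professional-network profiles.
KNOWN_ADDRESSES = [
    ("Jane", "Doe", "jane.doe@example-target.com"),
    ("Samuel", "O'Brien", "samuel.obrien@example-target.com"),
]
NEW_NAMES = [("María", "García-López"), ("Wei", "Zhang"), ("Ann Marie", "Smith")]

# Common corporate local-part formats (assumed list); f = first initial.
PATTERNS = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{first}{last}":  lambda f, l: f"{f}{l}",
    "{f}{last}":      lambda f, l: f"{f[0]}{l}",
    "{f}.{last}":     lambda f, l: f"{f[0]}.{l}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{last}.{first}": lambda f, l: f"{l}.{f}",
    "{last}{f}":      lambda f, l: f"{l}{f[0]}",
    "{first}":        lambda f, l: f,
}


def normalize(token):
    """Lower-case, strip accents and drop anything that is not a letter or digit."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def name_parts(first, last):
    """Normalized (first, last); None if either part vanished (e.g. a name of only symbols)."""
    f, l = normalize(first), normalize(last)
    return (f, l) if f and l else None


def infer_format(known):
    """Return (pattern, hits): the pattern reproducing most known local-parts.
    hits == 0 means none of the table's formats matched and the format must be checked by hand."""
    scores = {}
    for name, build in PATTERNS.items():
        hits = 0
        for first, last, email in known:
            parts = name_parts(first, last)
            if parts and build(*parts) == email.split("@")[0].lower():
                hits += 1
        scores[name] = hits
    best = max(scores, key=scores.get)
    return best, scores[best]


def build_address(first, last, domain, fmt):
    parts = name_parts(first, last)
    if parts is None:
        raise ValueError(f"cannot build an address from {first!r} {last!r}")
    return f"{PATTERNS[fmt](*parts)}@{domain}"


def candidate_list(names, domain, fmt):
    """De-duplicated candidate addresses for a spraying or OSINT verification list."""
    seen, out = set(), []
    for first, last in names:
        if name_parts(first, last) is None:
            continue
        addr = build_address(first, last, domain, fmt)
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    fmt, hits = infer_format(KNOWN_ADDRESSES)
    print(f"inferred format {fmt} ({hits}/{len(KNOWN_ADDRESSES)} known addresses match)")
    for addr in candidate_list(NEW_NAMES, "example-target.com", fmt):
        print(addr)
```

Treat the output as candidates, not facts: verify them (Hunter's own verifier, SMTP RCPT probing where permitted, or an OSINT hit) before spraying, and keep spraying to one password per round across the whole list so no single account trips a lockout threshold.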

Recon-ng

  1. Recon-ng is an OSINT reconnaissance framework written in Python. To start it and install the modules from its marketplace:
recon-ng
[recon-ng][default] > marketplace install all # this installs every module available in the recon-ng marketplace
ig_3
  2. To list the installed modules inside recon-ng, use the command modules search : ig_4
  3. We can create separate workspaces inside this tool, just like Metasploit: ig_5
  4. To see the list of workspaces, use the command workspaces list ig_6

Tip

The workspaces load <workspace-name> command allows you to select and work in the specific workspace, while the workspaces remove <workspace-name> command removes a workspace from Recon-ng.

  1. We can search for any module using the command modules search <module_name> ig_7
  2. To use a specific module within Recon-ng, use the modules load command. Let's gather a list of points of contact (POCs) for a target domain with the WHOIS POC harvester module, recon/domains-contacts/whois_pocs : ig_8
  3. To set the module's required options, use options set SOURCE microsoft.com to make microsoft.com the SOURCE for our target, then type run to execute the module: ig_9
Tip

To unset a value within a module, use the options unset <parameter> command. Use the info command to verify whether a parameter is set or unset within the loaded module.

  1. To leave the loaded module and return to the main prompt, use the command back
  2. To view the stored results, for example the contacts the module found, use show contacts ig_10
  3. Adding API keys for third-party services (for example Hunter.io) to recon-ng:
Tip

To view a list of all supported API modules and their keys on Recon-ng, use the keys list command. To add an API key to Recon-ng, use the keys add <API module name> <API key value> command.

  1. Show command:
Tip

The show command takes the name of a data table and prints what Recon-ng has stored in it: show companies, show contacts, show credentials, show domains, show hosts, show leaks, show locations, show netblocks, show ports, show profiles, show pushpins, show repositories or show vulnerabilities.

  1. To view a summary of your activities, use the dashboard command: ig_11 ig_12
  2. Generating a report inside recon-ng:
    • List the reporting modules with modules search report ig_13
    • Load the module for the format you want. For an HTML report, use modules load reporting/html , then use the info command to see which options must be set before running the module: ig_14
    • Set the options with options set CREATOR 0xdf , options set CUSTOMER MS-Target and options set FILENAME <path where the report should be saved> , then type run ig_15
    • The report ig_16
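Once the steps above have been typed once, the same workflow (load the POC module, set SOURCE, run, show the contacts, write the HTML report) is easier to repeat as a resource file that recon-ng executes non-interactively. The script below is an added example, not part of the original notes or of the Recon-ng project: it builds that resource file for a given domain and hands it to recon-ng with its -w (workspace) and -r (resource file) options. It assumes the POC module used above is recon/domains-contacts/whois_pocs and that the report directory exists; confirm both options with recon-ng -h and the module name with modules search pocs on your install.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed module path for the "POCs" module used in the walkthrough (check with `modules search pocs`).
POC_MODULE = "recon/domains-contacts/whois_pocs"


def build_resource_script(domain, creator, customer, report_path):
    """Return the recon-ng console commands, one per line, that the walkthrough types by hand.
    `exit` at the end keeps recon-ng from dropping into its interactive prompt afterwards."""
    lines = [
        f"modules load {POC_MODULE}",
        f"options set SOURCE {domain}",
        "info",                      # shows the options so the log records what was set
        "run",
        "back",
        "show contacts",             # dump the harvested points of contact to the console
        "modules load reporting/html",
        f"options set CREATOR {creator}",
        f"options set CUSTOMER {customer}",
        f"options set FILENAME {report_path}",
        "run",
        "exit",
    ]
    return "\n".join(lines) + "\n"


def run_recon_ng(workspace, script_text):
    """Write the script to a temporary .rc file and run recon-ng against it.
    Returns recon-ng's exit code, or None when recon-ng is not on PATH."""
    exe = shutil.which("recon-ng")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".rc", delete=False) as fh:
        fh.write(script_text)
        rc_path = fh.name
    try:
        # -w loads or creates the workspace; -r executes the commands in the resource file.
        proc = subprocess.run([exe, "-w", workspace, "-r", rc_path], check=False)
    finally:
        Path(rc_path).unlink(missing_ok=True)
    return proc.returncode


if __name__ == "__main__":
    report = Path.home() / "ms-target-report.html"
    script = build_resource_script("microsoft.com", "0xdf", "MS-Target", str(report))
    print(script)
    code = run_recon_ng("ms-target", script)
    print("recon-ng not installed" if code is None else f"recon-ng exited with {code}")
```

Keep the resource file out of version control if it ever carries API keys (prefer keys add in the interactive console, which stores them in recon-ng's own keys database), and run the script from a workspace per engagement so results from different targets never mix.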

recon-web

  1. recon-ng has its own web interface called recon-web; start it by typing the following command in the terminal: recon-web ig_17
  2. This starts a local web server ig_18
  3. Open the URL it prints in your browser ig_19
  4. Done