Reporting/Data Consonlidation software:
https://dradisframework.com/ce/

OSINT

Retrieve DUNS and CAGE/NCAGE numbers for businesses:

• https://www.sam.gov/SAM/
• Allows you to retrieve contacts, product lists, active and inactive contracts with the government.

Search companies filings:

• https://www.sec.gov/edgar.shtml

Finding Job Postings:

• http://www.linkedin.com/
• http://www.indeed.com/
• https://www.monster.com/
• http://www.careerbuilder.com/
• http://www.glassdoor.com/
• http://www.simplyhired.com/
• http://www.dice.com/

Companies, people, investors, and financial information:

• http://www.crunchbase.com/
• https://www.inc.com/
• http://www.pipl.com/
• http://www.spokeo.com/
• http://www.peoplefinders.com/

Harvesting
Google dork for files = site:website.com filetype:pdf

Windows tool to browse, download, and extract metadata from files automatically:

• https://www.elevenpaths.com/innovation-labs/technologies/foca

theHarvester:

• Enumerates emails, usernames, domains, and hostnames
• https://github.com/laramies/theHarvester

Cached and Archived Sites

• https://archive.org/
• Google dork = cache:website.com

Nmap
Ping Sweep:

• nmap -sn <range>
  • -sn uses ICMP requests and TCP scans ports 80/443
  • To do only ICMP use -PE
• fping -A -g <range> 2>/dev/null
  • Ping sweeps and sends junk to dev/null

DNS Discovery

DNS Resource Records:

• SOA (Start of authority)

• NS (Name Server)

  • Defines authority to a name server for a child zone

• A (Address)

  • Maps a hostname to an IP address

• PTR (Pointer)

  • Maps an IP to a hostname

• CNAME

  • Maps an alias hostname to an A record hostname

• MX (Mail Exchange)

  • Defines a host that will accept mail on behalf of another host

• nmap -sS -sU -p 53 -n <range>

After Identifying port 53 open:

nslookup
server <IdentifiedDNSserver>
set q=NS (or other records like MX)
<known_domain_name>

nslookup
server <IdentifiedDNSserver>
set q=NS (or other records like MX)
<known_domain_name>

and then

nslookup
server <IdentifiedDNSserver>
<newly_discovered_domain_name>

nslookup
server <IdentifiedDNSserver>
<newly_discovered_domain_name>

Dig:

• dig @<DNSserverIP> <Known_Domain_Name> -t AXFR +nocookie
• dig <domain>
• dig <domain> PTR
• dig <domain> MX
• dog <domain> NS
• dig axfr <@domain> <domain>

Mail Exchange:

• nslookup -type=MX <domain>

Name Servers:

• nslookup -type=NS <domain>

Enumerating IP addresses

Bing filter 'ip':

• Search results will identify multi domains hosted on the same server
• ip:<IP>

also try:

• https://dnslytics.com/reverse-ip
• http://reverseip.domaintools.com/
• https://networkappers.com/tools/reverse-ip-checker
• https://www.robtex.com/

Methods to perform ICMP ping sweeps:

fping
fping -A -g <range> 2>/dev/null

• ICMP ping sweep, show alive hosts and send dead host results to dev null.

fping -A <ip> -r 0 = No retries. Sends single icmp packet
fping -A <ip> -e = Return time it took to send packet
fping -q -a -g <range> -r 0 -e = Quiet output; Scan range; No retires; display duration of scan

nmap
nmap -sn <range>

• Ping sweep using nmap
• If sent from within the same network, nmap performs an ARP scan instead.
  • Disable this with --disable-arp-ping

hping

hping3 -1 <ip> -c 3 = Send 3 ICMP requests
hping3 --icmp-ts <ip> -c 3 -V = Send 3 timestamped ICMP requests
hping3 -2 <ip> -c 3 -V = Sends 3 UDP packets to target IP. Will scan port 0 by default. Port unreachable is OK; any response is good.
hping3 -S <ip> -c 3 = Sends 3 TCP SYN packets
hping3 -S <ip> -c 3 -p 80 = Sends 3 TCP SYN packets to port 80
hping3 -F = FIN packets
hping3 -U = Urgent packets
hping3 -X = Xmas scan
hping3 -Y = Ymas scan
hping3 -1 <192.168.1.x> --range-dest -I eth0 = Ping sweep range

DNS Enumeration

• port 53 TCP AND UDP

nmap -sS -p53 <range>
nmap -sU -p53 <range>

Google: whois dns lookup namecheap

• https://www.namecheap.com/domains/whois/

whois -h <whois server>

nslookup <domain>
nslookup -query=mx <domain>- Identify Mail Servers
nslookup -query=ns <domain> - Identify Nameserver

dig <domain name>
dig +nocmd <domain name> MX/NS/A +noall +answer = Query mail servers, namerservers or retreieve IP using Dig.

Zone Transfer
dig +nocmd <domain name> AXFR +noall +answer @<domain name>

Perl Script:
dnsenum <domain name>

DNS Map (subdomain brute forcer):
dnsmap <domain name> = Brute force subdomains and return IPs

dnsrecon:
dnsrecon <domain name>

Tools

DNSdumpster: Nonintrusive dns enumeration tool

dnsmap
dnsenum

FOCA (Fingerprinting Organizations with Collected Archives)

• https://github.com/ElevenPaths/FOCA
• Extracts tons of metadata from files downloaded from search engines; including domain information, ip, OS, usernames, file paths, etc.

Shodan

• shodan.io
• exploits.shodan.io = Database of available exploits