Passive OSINT

Netcraft.com

Finds the underlying OS, web server version and uptime

Find subdomains

Sometimes SSL is a goldmine of information

crt.sh
#!/bin/bash
# a basic script to pull information from crt.sh and present it
# example ./crt.sh offsecnewbie.com
# author rowbot
# requires curl and jq; the unique names are written to a file named after the domain
if [[ $# -eq 0 ]]; then
	echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt-get install jq'"
	exit 1
else
	# %.domain matches every certificate name under the domain; "*." is stripped from wildcard entries
	curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$1"
fi

If you can't get jq installed - try this script

Compare the subdomains found with theHarvester against the crt.sh script's output, as some will be missing from each - not every domain has SSL.
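Added example (not the page's script): a jq-free parser for crt.sh's JSON that handles the literal "\n" crt.sh uses to pack several names into one name_value field, plus a comm-based check for the names theHarvester found that crt.sh did not. The JSON sample and the hostnames are constructed.

```shell
#!/bin/bash
# Constructed sample in crt.sh's output=json shape (not real certificate data).
# One entry carries two names separated by a literal backslash-n, one is a wildcard,
# and one is mixed-case, which are the cases a naive grep would get wrong.
SAMPLE_JSON='[{"issuer_ca_id":1,"name_value":"*.example.com\nexample.com"},{"issuer_ca_id":1,"name_value":"MAIL.example.com"},{"issuer_ca_id":2,"name_value":"vpn.example.com"}]'

# Read crt.sh JSON on stdin and print unique lowercase hostnames, one per line.
extract_crtsh_names() {
    grep -o '"name_value": *"[^"]*"' \
    | sed -e 's/^"name_value": *"//' -e 's/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | sed 's/^\*\.//' \
    | tr '[:upper:]' '[:lower:]' \
    | sort -u
}

# Print lines present in the first file but absent from the second (inputs need not be sorted).
only_in_first() {
    tmp_a=$(mktemp); tmp_b=$(mktemp)
    sort -u "$1" > "$tmp_a"
    sort -u "$2" > "$tmp_b"
    comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Parse the constructed sample; returns example.com, mail.example.com, vpn.example.com.
crtsh_demo() {
    printf '%s' "$SAMPLE_JSON" | extract_crtsh_names
}

# Hosts a (constructed) theHarvester run found that have no certificate in crt.sh.
missing_from_crtsh() {
    crt=$(mktemp); harv=$(mktemp)
    crtsh_demo > "$crt"
    printf '%s\n' www.example.com mail.example.com > "$harv"
    only_in_first "$harv" "$crt"
    rm -f "$crt" "$harv"
}
```

Feed the real output with `curl -s "https://crt.sh/?q=%.DOMAIN&output=json" | extract_crtsh_names` once you are happy with the parsing.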

IP addresses from subdomains

Use Virustotal to find subdomains

You can also play about with a nice entity diagram of the results


Firefox add-on - Passive Recon

Google hacking

Also check out document metadata; it gives information such as where the document was stored (network share IP address), who created it, what it was created with, etc.

Search for people on social media

Recon

A giant inventory of recon tools is available via the Skip Tracing Framework
