1.
www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #2
Passive Information
Gathering
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed
information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.

2.
www.prismacsi.com
© All Rights Reserved.
2
OSINT
• Open Source Intelligence (OSINT)
• No communication with the target that may create an anomaly
• Gathering information using internet services
• Do searches on search engines
• Analyze developer sites
• Assemble all the information you obtained
• Have an overview before active scanning to obtain the most accurate data

3.
www.prismacsi.com
© All Rights Reserved.
3
Sceriano
• We are a group of Zambian hackers.
• Capital: Lusaka
• Language: English
• Let’s suppose we are a hacker group for hire.
• We need to collect information.
• We need to look from every point of view.

4.
www.prismacsi.com
© All Rights Reserved.
4
OSINT
• Let's start by identifying the basics.
• Finding the main site by Google search
• IP detection by Pinging
• IP Range Detection
• IANA
• Arın , Ripe , Apnic , Japnic may be used
• Researching the location with IP2Location

5.
www.prismacsi.com
© All Rights Reserved.
5
IP Range Detection - DEMO
ripe.net

6.
www.prismacsi.com
© All Rights Reserved.
6
IP Range Detection - DEMO
Netname
üzerine kayıtlı
tüm IP aralıkları
iplocation.com

7.
www.prismacsi.com
© All Rights Reserved.
7
OSINT
• What we can find through domain information?
• Whois record analysis - Who.is
• Discovering the other domains by using Reverse Whois
• Whois history analysis
• Discovering the attack area through subdomain detection
• Detecting virtual hosts is important!
• Detecting Email addresses
• Detection of email structure
• Important for creating missing mail addresses!

8.
www.prismacsi.com
© All Rights Reserved.
8
Whois Analysis - DEMO
who.is

9.
www.prismacsi.com
© All Rights Reserved.
9
Reverse Whois Analysis - DEMO
whoisology.com

10.
www.prismacsi.com
© All Rights Reserved.
10
Subdomain, Virtualhost and Email Discovery - DEMO
theharvester

11.
www.prismacsi.com
© All Rights Reserved.
11
Subdomain, Virtualhost and Email Discovery
theharvester

12.
www.prismacsi.com
© All Rights Reserved.
12
Aquatone - DEMO
https://github.com/michenriksen/aquatone

13.
www.prismacsi.com
© All Rights Reserved.
13
Aquatone-Discover - DEMO
aquatone-discover –d yandex.com

14.
www.prismacsi.com
© All Rights Reserved.
14
Sublist3r - DEMO
https://github.com/aboul3la/Sublist3r

15.
www.prismacsi.com
© All Rights Reserved.
15
OSINT
• What can we collect from DNS?
• Analysis via Robtex.com
• Analysis through Mxtoolbox.com
• Analysis via Dnsstuff.com
• Analysis with Dig

16.
www.prismacsi.com
© All Rights Reserved.
16
DNS Information - DEMO
robtex.com

17.
www.prismacsi.com
© All Rights Reserved.
17
DNS Information
dnsdumpster.com

18.
www.prismacsi.com
© All Rights Reserved.
18
DNS Information - DEMO
mxtoolbox.com

19.
www.prismacsi.com
© All Rights Reserved.
19
DNS Information- DEMO
dnsstuff.com

20.
www.prismacsi.com
© All Rights Reserved.
20
Subdomain, Virtualhost and Email Discovery- DEMO
dig

21.
www.prismacsi.com
© All Rights Reserved.
21
Subdomain, Virtualhost and Email Discovery
dig

22.
www.prismacsi.com
© All Rights Reserved.
22
OSINT
• Discovery through the other useful resources has its benefits!
• Analysis can be done via Yougetsignal.
• Subdomain discovery
• Analysis through Bing
• Subdomain discovery
• Analysis via Netcraft
• Technology and service analysis
• Analysis through Archive.org
• Content analysis by time

23.
www.prismacsi.com
© All Rights Reserved.
23
Yougetsignal - DEMO
yougetsignal.com

24.
www.prismacsi.com
© All Rights Reserved.
24
Bing - DEMO
bing.com

25.
www.prismacsi.com
© All Rights Reserved.
25
Netcraft - DEMO
netcraft.com

26.
www.prismacsi.com
© All Rights Reserved.
26
Wayback Machine - DEMO
Archive.org

27.
www.prismacsi.com
© All Rights Reserved.
27
Wayback Machine - DEMO
archive.org

28.
www.prismacsi.com
© All Rights Reserved.
28
OSINT
• It is useful to take advantage of the internet's active analysis resources!
• Analysis should be done via Shodan
• Analysis should be done via Censys
• Haveibeenpwned.com
• Have email addresses detected previously been used at a given address and have these
addresses been previously hacked?
• Have they been shared in Paste sites?
• Are the passwords of these e-mail addresses still in use?

29.
www.prismacsi.com
© All Rights Reserved.
29
Shodan - DEMO
shodan.io

30.
www.prismacsi.com
© All Rights Reserved.
30
Censys - DEMO
censys.io

31.
www.prismacsi.com
© All Rights Reserved.
31
Haveibeenpwned - DEMO
haveibeenpwned.com

32.
www.prismacsi.com
© All Rights Reserved.
32
Serversniff - DEMO
• Online Research Resources – Serversniff.net

33.
www.prismacsi.com
© All Rights Reserved.
33
Hackertarget - Demo
• Online Research Resources – Hackertarget.com

34.
www.prismacsi.com
© All Rights Reserved.
34
OSINT
• Developer sites are one of the most critical points!
• Analysis must be done through Alexa
• Pastebin sites must definitely be examined
• Critical data can be captured by analysis via Stackoverflow
• Analysis through Github can give access to source code and perhaps internal critical data.

35.
www.prismacsi.com
© All Rights Reserved.
35
Alexa - Demo
alexa.com

36.
www.prismacsi.com
© All Rights Reserved.
36
Pastebin- Demo
pastebin.com

37.
www.prismacsi.com
© All Rights Reserved.
37
Pastebin Search - Demo
https://inteltechniques.com/OSINT/pastebins.html

38.
www.prismacsi.com
© All Rights Reserved.
38
Stackoverflow - Demo
stackoverflow.com

39.
www.prismacsi.com
© All Rights Reserved.
39
Github - Demo
github.com

40.
www.prismacsi.com
© All Rights Reserved.
40
Google Hacking DB
• Google Hacking DB
• Dork concept
• Frequently used parameters
• Site , -site, Inurl, intitle, intext
• Filetype: , ext : , cache:

41.
www.prismacsi.com
© All Rights Reserved.
41
Google Hacking DB
• Example Dorks
• Intitle:index.of url:domain.com
• Intitle:index.of inurl:domain.com filetype:sql
• Site:domain.com –site:www.domain.com unique
• Filetype:log intext:”putty”
• Filetype:xls “username | password”
• Ext:phps “mysql_connect”
• inurl:/view/index/shtml

42.
www.prismacsi.com
© All Rights Reserved.
42
Google Hacking DB - Demo
• https://www.exploit-db.com/google-hacking-database/

43.
www.prismacsi.com
© All Rights Reserved.
43
Google Hacking DB - Demo
• Google Images

44.
www.prismacsi.com
© All Rights Reserved.
44
Tineye - Demo
• https://www.tineye.com/

45.
www.prismacsi.com
© All Rights Reserved.
45
OSINT
• Important data can be obtained from search engines and social media thereby expanding the attack
surface.
• User login screens must be discovered. (For social engineering attacks)
• Job postings must be analyzed
• Social media analysis must be done

46.
www.prismacsi.com
© All Rights Reserved.
46
OSINT
• One can obtain data on people using search engines
• Linkedin.com
• Jigsaw.com
• People123.com
• Pipl.com
• Peekyou.com

47.
www.prismacsi.com
© All Rights Reserved.
47
OSINT
• Metadata analysis should be done, important data can also be obtained from this.
• Office files can be examined
• Pdf files can be inspected
• Images – EXIF data can be analyzed.
• Available tools
• Exif-reader
• Foca
• Metagoofil

48.
www.prismacsi.com
© All Rights Reserved.
48
List of Additional Tools
Processes handled manually with these tools can be automated for a wide-scale application.
• theHarvester
• Spiderfoot
• Recon-ng
• Foca
• Metagoofil
• Maltego
• Searchsploit

49.
www.prismacsi.com
© All Rights Reserved.
49
In the end
• Domains have been determined
• IP ranges have been determined
• Technologies used have been analyzed and preparations done
• Used software have been analyzed and preparations done
• Leak data have been analyzed and added to password lists
• We are now ready for active scanning!

50.
www.prismacsi.com
© All Rights Reserved.
50
Demo
Practice

51.
www.prismacsi.com
© All Rights Reserved.
51
Questions
?

52.
www.prismacsi.com
© All Rights Reserved.
52
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi
Contacts