Information gathering with OSINT


David Eduardo Karpinski

Reconnaissance is the most important step in the hacking process, as it consists of mapping the attack surface to evaluate possible vulnerabilities and attack points. Well-done enumeration is the key to finding security flaws in any system.

Google Hacking is an advanced research technique that uses specific Google operators to identify sensitive information and security vulnerabilities on websites and servers. This practice involves using specific queries to access sensitive data such as passwords, configuration files, and other information that would not normally be accessible through a conventional Google search.

There are several queries available on the Google Hacking Database.

It is also possible to use the concept of advanced operators in Bing, although it is a bit. Bing has a very interesting operator, which is ip:.

Hunter.io is a tool for collecting corporate emails, which can be used to look for leaks later.

It’s also worth looking for the company’s public repositories, especially any that should have been kept private.

After finding the emails or phone numbers, you can check for leaks with Have I Been Pwned. It is also possible to do a domain search.

A good way to get data is through leaks. An easy way to find leaks is to search for “Breach Forums”.

theHarvester gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.

theHarvester -d <domain> -b all

It is more effective with API keys, which can be set in the /etc/theHarvester/api-keys.yaml file.
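As an added example (not from the article or the theHarvester project), the script below triages a theHarvester result against a defender's own asset inventory, so that hosts, IPs and email domains the team did not expect stand out. It assumes theHarvester was run with its file output option and that the resulting JSON has top-level "emails", "hosts" and "ips" lists; the report and inventory here are constructed inline so it runs offline.

```python
"""Triage a theHarvester result set against a known asset inventory."""
import json
from collections import defaultdict

# Constructed sample in the assumed theHarvester JSON shape (not real output).
SAMPLE_REPORT = json.dumps({
    "emails": ["alice@example.com", "bob@example.com", "ops@example-corp.net"],
    "hosts": ["www.example.com", "dev.example.com:203.0.113.10", "old-vpn.example.com"],
    "ips": ["203.0.113.10", "203.0.113.25"],
})

# Constructed inventory of what the security team already tracks.
KNOWN_HOSTS = {"www.example.com", "dev.example.com"}
KNOWN_IPS = {"203.0.113.10"}


def triage(report_json, known_hosts, known_ips, org_domain):
    """Return what reconnaissance found that the inventory does not cover."""
    data = json.loads(report_json)
    # Assumption: some entries arrive as "host:ip"; keep only the hostname.
    hosts = {h.split(":")[0].lower() for h in data.get("hosts", [])}
    ips = set(data.get("ips", []))
    by_domain = defaultdict(list)
    for email in data.get("emails", []):
        by_domain[email.rsplit("@", 1)[-1].lower()].append(email.lower())
    return {
        # Exposed services nobody registered: candidates for decommissioning.
        "unknown_hosts": sorted(hosts - {h.lower() for h in known_hosts}),
        "unknown_ips": sorted(ips - set(known_ips)),
        # Addresses on other domains may be typos, lookalikes or third parties.
        "foreign_email_domains": sorted(d for d in by_domain if d != org_domain),
        # Total addresses visible publicly: input for phishing-risk awareness.
        "exposed_emails": sum(len(v) for v in by_domain.values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, KNOWN_HOSTS, KNOWN_IPS, "example.com").items():
        print(f"{key}: {value}")
```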

Wayback Machine (aka Internet Archive) allows access to archived versions of websites over time. This functionality is invaluable during the reconnaissance phase, offering a historical view of a system’s evolution, its past weaknesses, and potential areas of vulnerability.

These combined techniques provide a robust arsenal for the reconnaissance and information search phase during the hacking process.
