location info: satellite images, drone reco, building layout (badge readers, break areas, security, fencing)
job information: employees (name, job title, phone number, manager), pictures (badge photos, desk photos, computer photos)
share a cigarette with someone and enter the building
know in advance how people look like
photo with your laptop open, we can see all the tools you use at work
"I work for IT", you should know who is your manager
target validation: whois, nslookup, dnsrecon
finding subdomains: google fu, dig, nmap, sublist3r, bluto, crt.sh
fingerprinting: nmap, wappalyzer, whatweb, builtwith, netcat (what's running?)
data breaches: haveibeenpwnd, breach-parse, weleakinfo (most common way to enter a network)
even if the customer is providing an ip, you should check it, otherwise you could attack the wrong person
(read the program details before attacking)
can also help to find leads
https://hunter.io/ (25 free monthly searches)
discover the pattern when you check tesla.com
{f}{last}@tesla.com
export in csv
https://clearbit.com/resources/tools/connect (chrome extension, 100 emails per month)
https://www.voilanorbert.com/ (50 for free)
- google search: who is in this role at the company?
- phonebook.cz or hunter.io to understand the email pattern
- https://tools.emailhippo.com/ or https://email-checker.net/ to verify email without having to interact with the email owner (sometimes you can get false positives)
forgot password is not to be underestimated
on google, [email protected]
welcome after entering an email means we have a valid email address
try another method,
get an email: h••••@tc•••••.com (proof of a link between two pieces of data)
go to https://github.com/hmaverickadams/breach-parse
the torrent is 44gb
run ./breach-parse.sh @tesla.com tesla.txt
3 files: tesla-master, tesla-passwords, tesla-users
some people are using their company emails for accessing online services
credential stuffing
look for repeating offenders, someone is appearing twice, with a similar password
test different casing since he's modifying a little bit the case from one password to another
websites can change, the methodology will remain the same
https://www.dehashed.com/ (costly)
we can search by many fields (password, username, ip)
if the password is specific enough and used is various accounts, we might get access to one of his accounts
being to be able to relate
@tesla.com, look for interesting things, link an account to another, find patterns
search by password: tesla.com, mail.ru, dropbox, same user
combine operators to find a specific person
hashes.org closed
use https://hashmob.net/search
you can also search the hash on google
you need to have a complete representation of what you're trying to enter: don't limit yourself to the main entrance, you can have many subdomains to explore
sublist3r
apt install sublist3r
you need to have a virustotal api key aboul3la/Sublist3r#194
sublist3r -d tesla.com -t 100 (to have more threads)
https://crt.sh/ as an alternative
search for %.tesla.comyou look for dev/sso/api-toolbox
you look for any indication of tools they may use internally
you can also explore sub sub domains
87 subdomains
https://github.com/owasp-amass/amass is a very popular tool written in go
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d tesla.com
https://github.com/tomnomnom/httprobe check if your findings are working
look at the frameworks and cms
drupal, php
we sometimes have the version number
great way to try known security vulnerabilities
whatweb https://tesla.com
drupal 8
php 7.3.7
headers
combine sources to gather more info
burp suite community edition is included
temp project > start
firefox: preferences > connection settings > manual proxy configuration
http proxy: 127.0.0.1 on port 8080
check use this proxy server for all protocols
https://burp in a new tab, allow the certificate (save the file)
firefox: references > privacy & security > certificates > click on view certificates
import the downloaded file, check the two checkboxes and click ok
burp will intercept the queries you receive and log them
click forward to pass them
response with php version and drupal version, a server name
burp pro to automatically scan for vulnerabilities
being good at google will be super useful!
https://ahrefs.com/blog/google-advanced-search-operators/
site:tesla.comsite:tesla.com -wwwsite:tesla.com -www -shopsite:tesla.com filetype:docxsite:tesla.com filetype:pdf
looking for sensitive files sometimes you can find a backup file with credentials
linkedin, twitter images with employee photos look at the photo tab on facebook pages sometimes a badge is showing
linkedin is great to find the people use a peeping account you have the email pattern write a script to scrape the names from linkedin and generate email addresses people are always the weakest point of an organization weak password somewhere
keep repeating this kind of reco, you will get good at it
OSINT fundamentals 9h