- Depending on the organization's security needs, does it "leak" any sensitive information online (location, staff identities, program locations)?
- Can you identify partners or beneficiaries through the organization's sites?
- What is the pattern for staff e-mail addresses?
- Have any of the organization's servers, users, or e-mail accounts been compromised in the past?
- Are executive / staff social media accounts in scope, and if so, are they compliant with the organizational social media policies? What additional threats do they introduce?
- While this does not focus on identifying vulnerabilities, it may nonetheless expose certain threats, particularly with regard to publicly accessible information that is presumed to be confidential, such as the identities of sensitive staff, the existence of sensitive partner and funder relationships, or the organization's history of participation in sensitive events or travel to sensitive locations.
- does not require privileged access to the organization's offices, infrastructure or staff;
- relies primarily on third-party data sources and observation and light probing of the organization’s infrastructure;
- can generally be carried out from any secure Internet connection.
- Dossier of organizational, partner, and beneficiary "open source" information exposed online.
- A list of e-mail addresses for members of the organization.
- Identification and mapping of externally facing services and unintentionally exposed internal services.
- Possible vulnerabilities in the websites and externally facing servers of the organization.
- Existing information about earlier breaches identified in the pastebin search.
- Follow the proper incident response plan if high-risk problems are identified.
- Manual Reconnaissance: This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations. While many advocacy…
- Automated Reconnaissance: This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also…
- Website Footprinting: Using online tools as a starting point in assessing the auditee web application is a good way to expand online reconnaissance as well as…
- DNS Enumeration: DNS stands for Domain Name Service. In a nutshell, it translates host/computer names into their IP addresses. It provides a way…
References and resources for Reconnaissance
- Standard: Intelligence Gathering (The Penetration Testing Execution Standard)
- Guide: "Passive Reconnaissance" (Security Sift)
- Tool: "NameChk account search" (NameChk)
- List: "Open Source Intelligence Links" (Intel Techniques)
- List: "OSINT Tools - Recommendations List Free OSINT Tools." (subliminalhacking.net)
- Guide: "OWASP Testing Guide v4 - Information Gathering" (OWASP)
- Database: "find the email address formats in use at thousands of companies." (Email Format)
- Online Courses: Power Searching and Advanced Power Searching online courses (Power Searching With Google)
- Online Course: Advanced Power Searching By Skill (Power Searching With Google)
- Cheat Sheet: Google Search Operators (Google Support)
- Cheat Sheet: Google Hacking and Defense Cheat Sheet (SANS)
- Cheat Sheet: Google Searchable Filetypes (Google Support)
- Cheat Sheet: Google Search Punctuation Operators (Google Support)
- Cheat Sheet: Google Power Searching Quick Reference Guide (Power Searching With Google)
- Database: Google Hacking Database (Exploit Database)
- Article: "Using Pastebin Sites for Pen Testing Reconnaissance" (Lenny Zeltser)
- Custom Search: "This custom search page indexes 80 Paste Sites:" (Intel Techniques)
- Article: "Pastebin: How a popular code-sharing site became the ultimate hacker hangout" (Matt Brian)
- Advanced Search: "Github Advanced Search" (Github)
- Site: "Recon-ng: Website" (Bitbucket)
- Guide: The Recon-ng Framework
- Guide: "Recon-ng: Usage Guide" (Bitbucket)
- Demonstration: "Look Ma, No Exploits! – The Recon-ng Framework - Tim "LaNMaSteR53" Tomes" (Derbycon 2013)
- Guide: toolsmith guide to Recon-ng
- Video: Tektip ep26 - Information gathering with Recon-ng Video Tutorial
- Guide: The Recon-ng Framework : Automated Information Gathering
- Guide: The Recon-ng Framework : Updated modules
- Blog: Professionally Evil Toolkit - Recon-ng