```mermaid
mindmap
  root((OSINT))
    Google dorks
      Potential vulnerabilities
      Misconfigurations
      New potential targets & connected domains
    IP Address Enumeration
      Target network IP ranges
      Validate identified IP ranges against the Internet registries
      Use DNS to extract hostnames and additional interesting hosts
      Map target online presence and find related netblocks under the same registrant
    WHOIS
      Nameservers
      IP blocks
      Registrant
      Registration details
    SHODAN
      IPs
      Services
      Devices
      Vulnerabilities
    DNS/Subdomain Enumeration
      Subdomain extraction
    Breach data
      Emails - EML
      Logins
      Passwords
      Leaked data
    Social Media
      Company mission
      Events
      Contacts
      Backend infrastructure
      Financial & business information
      Vendor relations
      Internal documents
```
<aside>
Check out the methodology in the menu on the right.
</aside>
<aside>
The goal is to gather as much useful information as we can. To do that we can use many tools & services.
</aside>
```mermaid
graph LR
A[Find the IP Address & IP Address blocks] --> B[Find domains]
B --> C[Find subdomains]
C --> D[Enumerate services]
D --> E[Check the breached data]
E --> F[Enumerate social media]
```
The kill chain I personally prefer is: Google dorks for finding the initial domains, subdomains, contact information & everything else useful. The next step is to use IP address enumeration, WHOIS & Shodan to gather information about IP addresses & services.
This step is very important because it lets you later map the target's network presence and find related netblocks registered to the same organisation.
We now have information about the target, its domains & some subdomains, but that is not enough: a domain can have hundreds of subdomains, which is why we must enumerate further. The tools & approach described in DNS/Subdomain Enumeration are useful here. Remember that a single vulnerable host found this way can be a quick way into the company's internal network, so do not skip the Shodan & DNS/Subdomain Enumeration steps.
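As an added worked example (not code from the original page), the following Python script ties the IP-block, WHOIS and subdomain steps above together offline: it pulls netblocks and nameservers out of WHOIS text, flattens crt.sh-style certificate transparency output into unique subdomains, and then splits those hosts into the ones resolving into the target's own netblocks, the ones hosted by third parties, and the ones with no A record. The WHOIS text, CT entries and resolver answers are all constructed samples built from the RFC 5737 documentation ranges and example.com; in a real run you would feed in actual `whois` output, crt.sh JSON and `dig` answers.

```python
"""Added example: link WHOIS netblocks, CT subdomains and DNS answers into an
in-scope / third-party / unresolved split. All inputs are constructed samples
(RFC 5737 ranges, example.com); nothing here talks to the network."""
import ipaddress
import re

# Constructed WHOIS answers for two IPs found via Shodan / Google dorks.
# Real RIR output differs per registry; these mimic RIPE and ARIN key names.
WHOIS_SAMPLES = [
    """inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Corp headquarters
org:            ORG-EX1-RIPE
nserver:        ns1.example.com
nserver:        ns2.example.com
""",
    """NetRange:       198.51.100.0 - 198.51.100.127
NetName:        EXAMPLE-DC
Organization:   Example Corp (EXAMPL)
""",
]

# Constructed resolver answers: hostname -> A records (empty = no record).
DNS_ANSWERS = {
    "www.example.com": ["192.0.2.10"],
    "vpn.example.com": ["192.0.2.44"],
    "mail.example.com": ["198.51.100.5"],
    "dev.example.com": ["198.51.100.77"],
    "blog.example.com": ["203.0.113.9"],      # third-party hosting
    "status.example.com": ["203.0.113.200"],  # third-party hosting
    "old.example.com": [],                    # dangling name, no A record
}

# Constructed crt.sh-style records; name_value may carry several SANs
# separated by newlines, in mixed case, and may include wildcards.
CT_LOG = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "mail.example.com\nMAIL.example.com"},
    {"name_value": "dev.example.com"},
    {"name_value": "blog.example.com\nstatus.example.com"},
    {"name_value": "old.example.com"},
    {"name_value": "www.example.net"},  # different apex, must be dropped
]

RANGE_RE = re.compile(
    r"^(?:inetnum|NetRange):\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)",
    re.IGNORECASE | re.MULTILINE,
)
NS_RE = re.compile(r"^nserver:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def netblocks_from_whois(texts):
    """Convert 'start - end' WHOIS ranges into the minimal list of CIDR blocks."""
    blocks = []
    for text in texts:
        for start, end in RANGE_RE.findall(text):
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return blocks


def nameservers_from_whois(texts):
    """Unique, lower-cased nameservers; these are the next pivot for DNS work."""
    return sorted({ns.lower().rstrip(".") for t in texts for ns in NS_RE.findall(t)})


def subdomains_from_ct(entries, apex):
    """Flatten CT SANs into unique lower-case hostnames strictly below `apex`."""
    names = set()
    for entry in entries:
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                continue  # wildcards name no concrete host
            if name.endswith("." + apex):
                names.add(name)
    return sorted(names)


def classify_hosts(hostnames, answers, blocks):
    """Bucket hosts by whether every A record lands inside the target's netblocks."""
    result = {"in_scope": [], "third_party": [], "unresolved": []}
    for host in hostnames:
        ips = [ipaddress.ip_address(a) for a in answers.get(host, [])]
        if not ips:
            result["unresolved"].append(host)
        elif all(any(ip in block for block in blocks) for ip in ips):
            result["in_scope"].append(host)
        else:
            result["third_party"].append(host)
    return result


if __name__ == "__main__":
    blocks = netblocks_from_whois(WHOIS_SAMPLES)
    print("Netblocks:", [str(b) for b in blocks])
    print("Nameservers:", nameservers_from_whois(WHOIS_SAMPLES))
    hosts = subdomains_from_ct(CT_LOG, "example.com")
    for bucket, names in classify_hosts(hosts, DNS_ANSWERS, blocks).items():
        print(f"{bucket}: {names}")
```

The third-party bucket is the caveat worth internalising: a subdomain pointing at a CDN or SaaS provider still carries the target's name but is usually outside your authorisation, and the unresolved bucket is where dangling records that deserve a closer look end up.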
<aside>
REMEMBER THAT GOOGLE DORKS & SHODAN ARE USEFUL IN EVERY LATER STEP OF OSINT
</aside>
When that is completed we should enumerate breach data. What can we find? Employee emails, logins, passwords & API keys to services, private notes of employees, interesting data leaks and so on... intelx is **awesome** btw.
One of the last steps is to check social media. A lot of companies create events & actions for employees and share information about sponsors or partners. That can be useful in later steps when we are preparing a social engineering campaign or just need some intel.
What I described above can be automated with a programming language, but tbh, what options are already available on the internet? I think the best answer, one that utilizes a lot of tools and OSINT techniques, is BBot. But be careful with it: it is not necessarily passive.
Check out the repo below: