Two main facets of recon: Organisational and technical.
Gathering can be done passively or actively.
Create Sockpuppet / alias
site:hackdefense.com filetype:pdf
searchterm site:example.com
Search for specific string
Get IP addresses of a domain name
Check who owns the IP, where is it hosted?
Check spf, dkim, dmarc etc
Discovering email addresses or the address pattern
theHarvester -d <DOMAIN> -b google -l 500
whatsmyname -u <USERNAME>
Hunting passwords and credentials
./breach-parse.sh @<DOMAIN> password.txt
Query without API keys against local breachcompilation
h8mail -t <EMAIL> -bc "/opt/breach-parse/BreachCompilation/" -sk
Leaked credentials on github
gitleaks --repo-url=<GIT REPO URL> -v
Hunting for personal information
phoneinfoga scan -n <COUNTRYCODE><PHONENUMBER>
Check old versions of the website / files
Hunt domains connected to Azure tenant
CHAOS - Project Discovery
chaos -d <DOMAIN> -silent
amass enum -d example.com
sublist3r -d <DOMAIN>
python3 dnsrecon.py -d <DOMAIN>
gobuster dns -d <target domain> -w <wordlist>
Discover Website Technologies
Identifying Geographical Locations
Twitter
twint -u <USER> -s <STRING>
Traditional host discovery still applies
After host discovery, resolve all names, then perform whois lookups to determine where they are hosted.
Microsoft, Amazon, Google IP space usually indicates cloud service usage.
Check MX records. These can reveal cloud-hosted mail providers.
Azure Netblocks
AWS Netblocks
GCP Netblocks
cat iplist.txt | python ip2provider.py
Insert the domain into the following URL; if it resolves, a tenant exists for that domain:
https://login.microsoftonline.com/<TARGET DOMAIN>/v2.0/.well-known/openid-configuration
Check if any resources are being loaded from S3 buckets
Using Burp, navigate the web app and check for any calls to https://[bucketname].s3.amazonaws.com or https://s3-[region].amazonaws.com/[Org Name]
Enumerate public resources
Possible to use multiple -k keywords.
python3 cloud_enum.py -k <KEYWORD>
Check if a tenant is in use and if federation is in use.
Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in cloud.
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
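The two tenant checks above return a JSON document (openid-configuration) and an XML document (getuserrealm); this added Python helper, which is not part of the original notes, parses both and gives a one-line verdict (tenant present, tenant ID, Managed vs Federated). The sample responses are constructed, and the field names (issuer, error, NameSpaceType, AuthURL) are assumed from the endpoints' observed replies, so re-check them against a live response.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OPENID_URL = "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"
REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf?login={user}@{domain}&xml=1"
TENANT_ID_RE = re.compile(r"^/([0-9a-f-]{36})/", re.I)


def parse_openid_config(body: str) -> dict:
    """Is the domain verified in a tenant? If so, pull the tenant GUID out of the issuer URL."""
    data = json.loads(body)
    if "error" in data:  # the no-tenant case is an HTTP 400 with an error object, not a config
        return {"tenant": False, "tenant_id": None, "error": data["error"]}
    match = TENANT_ID_RE.match(urlparse(data["issuer"]).path)
    return {"tenant": True, "tenant_id": match.group(1) if match else None, "error": None}


def parse_user_realm(body: str) -> dict:
    """NameSpaceType distinguishes Managed (cloud passwords) from Federated (on-prem IdP at AuthURL)."""
    root = ET.fromstring(body)
    ns_type = root.findtext("NameSpaceType", default="Unknown")
    return {"namespace_type": ns_type, "federated": ns_type == "Federated",
            "auth_url": root.findtext("AuthURL")}  # AuthURL is only present for federated realms


def assess(domain: str, openid_body: str, realm_body: str) -> str:
    """One-line verdict combining both lookups, as you would put in a recon report or self-check."""
    tenant = parse_openid_config(openid_body)
    if not tenant["tenant"]:
        return f"{domain}: no Azure AD tenant ({tenant['error']})"
    realm = parse_user_realm(realm_body)
    via = f" via {realm['auth_url']}" if realm["federated"] else ""
    return f"{domain}: tenant {tenant['tenant_id']}, {realm['namespace_type']}{via}"


# Constructed sample responses shaped like the live endpoints' output (field names assumed from observed replies).
SAMPLE_OPENID_OK = json.dumps({"issuer": "https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/v2.0"})
SAMPLE_OPENID_NONE = json.dumps({"error": "invalid_tenant", "error_description": "AADSTS90002: Tenant not found."})
SAMPLE_REALM_FED = ('<RealmInfo Success="true"><NameSpaceType>Federated</NameSpaceType><DomainName>example.com'
                    '</DomainName><AuthURL>https://adfs.example.com/adfs/ls/</AuthURL></RealmInfo>')
SAMPLE_REALM_MANAGED = '<RealmInfo Success="true"><NameSpaceType>Managed</NameSpaceType></RealmInfo>'

if __name__ == "__main__":
    print(assess("example.com", SAMPLE_OPENID_OK, SAMPLE_REALM_FED))
    print(assess("example.invalid", SAMPLE_OPENID_NONE, SAMPLE_REALM_MANAGED))
```

For a live check, fetch OPENID_URL and REALM_URL for the domain (the no-tenant case comes back as an HTTP 400 whose body is still the JSON error object) and pass the bodies to assess().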
Import the AADInternals module
Import-Module .\AADInternals.psd1
Get all the information of the tenant
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Get tenant name, authentication, brand name (usually same as directory name) and domain name
Get-AADIntLoginInformation -UserName <RANDOM USER>@<DOMAIN>
Get-AADIntTenantID -Domain <DOMAIN>
Get-AADIntTenantDomains -Domain <DOMAIN>
Browse to https://login.microsoftonline.com/?whr=<DOMAIN>, replacing <DOMAIN> with the company domain.
Check if user(s) exist in the tenant
There are three different enumeration methods to choose from:
Normal - This refers to the GetCredentialType API mentioned above. The default method.
Login - This method tries to log in as the user.
OPSEC: queries will be logged to the sign-ins log.
Autologon - This method tries to log in as the user via autologon endpoint.
Queries are not logged to the sign-ins log! As such, it also works well for password spray and brute-force attacks.
Invoke-AADIntUserEnumerationAsOutsider -UserName <USER UPN>
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
Enumerate Azure subdomains
Import-Module MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base <SHORT DOMAIN NAME> -Verbose
Add permutations such as common, backup and code to permutations.txt in the misc directory.
Import-Module ./MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
python3 oh365userfinder.py -r emails.txt -w valid.txt -t 30
#!/bin/bash
# Quick external recon: whois, subdomain discovery, liveness check and screenshots.
# Usage: ./recon.sh <domain>
if [ $# -ne 1 ]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi
domain=$1
RED="\033[1;31m"
RESET="\033[0m"
info_path="$domain/info"
subdomain_path="$domain/subdomains"
screenshot_path="$domain/screenshots"

# -p creates the whole tree and is a no-op for directories that already exist
mkdir -p "$info_path" "$subdomain_path" "$screenshot_path"

echo -e "${RED} [+] Checkin' who it is...${RESET}"
whois "$domain" > "$info_path/whois.txt"

echo -e "${RED} [+] Launching subfinder...${RESET}"
subfinder -d "$domain" > "$subdomain_path/found.txt"

echo -e "${RED} [+] Running assetfinder...${RESET}"
assetfinder "$domain" | grep "$domain" >> "$subdomain_path/found.txt"

#echo -e "${RED} [+] Running Amass. This could take a while...${RESET}"
#amass enum -d "$domain" >> "$subdomain_path/found.txt"

echo -e "${RED} [+] Checking what's alive...${RESET}"
# dedupe, probe (preferring HTTPS), keep only HTTPS hits and strip the scheme for gowitness
grep "$domain" "$subdomain_path/found.txt" | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a "$subdomain_path/alive.txt"

echo -e "${RED} [+] Taking dem screenshotz...${RESET}"
gowitness file -f "$subdomain_path/alive.txt" -P "$screenshot_path/" --no-http