External Recon

What are we looking for?

  • IP space

  • Domain Information: By analyzing IP data, DNS records, and site registrations, our objective is to identify who administers the domain, whether any subdomains are tied to our target, whether any publicly accessible domain services are present (DNS, VPN portals, mail servers, etc.), and whether we can locate any defences that may be in place.

  • Schema format: Can we uncover the organization's email accounts, Active Directory (AD) usernames, and password policies? This information is vital for constructing a valid username list to conduct tests like password spraying, credential stuffing, and brute force attacks on external-facing services.

  • Data Disclosures: We'll search for publicly accessible files (.pdf, .ppt, .docx, .xlsx, etc.) to uncover information about the target, including intranet site listings, user metadata, shares, and critical software/hardware details. Examples include credentials in public GitHub repos or internal AD username formats in PDF metadata.

  • Breach Data: Refers to publicly released usernames, passwords, or other critical information that could provide an attacker with a foothold.
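The "Data Disclosures" item above notes that user metadata in public documents (internal AD username formats in a published file's properties) is one of the things an external party can read. The following is an added example, not part of the original notes: it builds a constructed stand-in for a .docx (a ZIP with a docProps/core.xml part), reports the core-property fields that name a person or account, and strips them before the file is published. The sample author values ("jdoe", "CORP\a.smith") and the helper names are assumptions made for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the core-properties part of an OOXML (.docx/.xlsx/.pptx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Core-property elements that identify a person or account. These are the
# fields that reveal an organisation's username format when a file is published.
IDENTITY_TAGS = {
    "creator": "{%s}creator" % NS["dc"],
    "lastModifiedBy": "{%s}lastModifiedBy" % NS["cp"],
}

# Constructed sample core.xml (values are invented for this example).
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 Vendor Onboarding</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>CORP\\a.smith</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2023-04-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""

CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>"""

DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>"""


def build_sample_docx() -> bytes:
    """Constructed stand-in for a real .docx: a ZIP holding only the parts used here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def part_names(docx_bytes: bytes) -> list:
    """List the parts inside the package (used to confirm scrubbing loses nothing else)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def identity_fields(docx_bytes: bytes) -> dict:
    """Return the identity-bearing core properties that a recipient could read."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for name, tag in IDENTITY_TAGS.items():
        el = root.find(tag)
        if el is not None and el.text and el.text.strip():
            found[name] = el.text.strip()
    return found


def scrub_identity(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the identity elements removed from core.xml."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in IDENTITY_TAGS.values():
                    for el in root.findall(tag):
                        root.remove(el)
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before publish:", identity_fields(sample))
    print("after scrub:   ", identity_fields(scrub_identity(sample)))
```

Run the same `identity_fields` check over every document in an outbound-publishing pipeline; anything it reports is exactly what an external reviewer of the company website would harvest, so the scrub step belongs before upload, not after.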

Where are we looking?

  • ASN / IP registers:

  1. https://www.arin.net/ (for searching the Americas)

  2. https://www.ripe.net/ (for searching in Europe)

  • Domain Registrars and DNS:

  • Social Media

  • Public-facing company websites

  1. "About Us"

  2. "Contact Us"

  • Cloud and DEV storage spaces

  1. GitHub

  2. AWS S3 buckets

  3. Azure blob storage containers, Google dorking

  • Breach Data Sources

  • DNS

  1. dig

  2. nslookup
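A DNS answer from dig or nslookup is only useful once it is read as a list of exposed services and defences. The block below is an added example, not part of the original notes: it parses the `dig +noall +answer` output format (a constructed sample for the documentation domain example.com, with invented provider hostnames and a 203.0.113.0/24 address), groups the records into name servers, mail servers, other hosts and TXT records, and reports which mail-spoofing defences (SPF, DMARC) the domain's public DNS does or does not advertise. The function names and the two samples are assumptions made for this illustration.

```python
import re

# Constructed sample in the layout `dig +noall +answer` prints:
# owner  TTL  class  type  rdata  (whitespace separated, TXT quoted).
SAMPLE_DIG_OUTPUT = """\
example.com.\t3600\tIN\tNS\tns1.dns-provider.example.
example.com.\t3600\tIN\tNS\tns2.dns-provider.example.
example.com.\t300\tIN\tMX\t10 mail.example.com.
example.com.\t300\tIN\tMX\t20 mail2.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.mailprovider.example -all"
example.com.\t300\tIN\tTXT\t"ms-verify=abc123"
vpn.example.com.\t300\tIN\tA\t203.0.113.10
autodiscover.example.com.\t300\tIN\tCNAME\tautodiscover.mailprovider.example.
_dmarc.example.com.\t300\tIN\tTXT\t"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
"""

# Constructed sample of a domain that accepts mail but advertises weak defences.
WEAK_SAMPLE = """\
example.net.\t300\tIN\tMX\t10 mail.example.net.
_dmarc.example.net.\t300\tIN\tTXT\t"v=DMARC1; p=none; rua=mailto:reports@example.net"
"""


def parse_dig_answer(text: str) -> list:
    """Parse answer lines into dicts; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # not an answer line
        name, ttl, cls, rtype, rdata = parts
        if rtype == "TXT":
            # dig prints TXT as one or more quoted strings; join them into one value
            rdata = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "class": cls, "type": rtype, "data": rdata})
    return records


def summarize(records: list) -> dict:
    """Group records into what they expose: DNS provider, mail path, hosts, TXT claims."""
    summary = {"name_servers": [], "mail_servers": [], "hosts": {},
               "spf": None, "dmarc_policy": None, "txt": []}
    mx = []
    for r in records:
        rtype, data = r["type"], r["data"]
        if rtype == "NS":
            summary["name_servers"].append(data.rstrip("."))
        elif rtype == "MX":
            prio, host = data.split(None, 1)
            mx.append((int(prio), host.rstrip(".")))
        elif rtype in ("A", "AAAA", "CNAME"):
            summary["hosts"][r["name"]] = data.rstrip(".")
        elif rtype == "TXT":
            if data.lower().startswith("v=spf1"):
                summary["spf"] = data
            elif r["name"].startswith("_dmarc."):
                m = re.search(r"(?:^|;)\s*p=(\w+)", data)
                summary["dmarc_policy"] = m.group(1).lower() if m else None
            else:
                summary["txt"].append(data)  # service verifications, etc.
    summary["mail_servers"] = [host for _, host in sorted(mx)]
    return summary


def missing_mail_defences(summary: dict) -> list:
    """Name the SPF/DMARC defences the domain does not advertise."""
    gaps = []
    if summary["spf"] is None:
        gaps.append("SPF record missing")
    elif not summary["spf"].rstrip().endswith("-all"):
        gaps.append("SPF does not end in -all (softfail or neutral)")
    if summary["dmarc_policy"] is None:
        gaps.append("DMARC record missing")
    elif summary["dmarc_policy"] == "none":
        gaps.append("DMARC policy is 'none' (monitor only)")
    return gaps


if __name__ == "__main__":
    for text in (SAMPLE_DIG_OUTPUT, WEAK_SAMPLE):
        s = summarize(parse_dig_answer(text))
        print(s["mail_servers"], s["hosts"], missing_mail_defences(s))
```

Pipe real dig output into `parse_dig_answer` instead of the sample; the `hosts` map is the list of externally reachable names (VPN portals, autodiscover endpoints) to reconcile against the asset inventory, and an empty list from `missing_mail_defences` is the state a defender wants to see for every mail-enabled domain.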

Hunting E-mail addresses, usernames, credentials
