Leveraging Open Source Intelligence (OSINT) Tools & Techniques

Introduction

As most in the industry would tell you, the reconnaissance and fingerprinting process is really the make-or-break time in most engagements. You’ve got to sneak around like a ninja and gather as much information as possible without setting off any alarms in order to formulate what would be a malicious actor’s (and your) most likely course of action.

The majority of the tools on this page can be leveraged and practiced with minimal or no setup. At most you may find a Kali Linux VM or WSL helpful.

Organizational Reconnaissance (Technical)

Amass

OWASP Amass is a great free and open source tool for conducting reconnaissance. While it ‘can’ do lots of things, I tend to use it primarily for subdomain discovery. It can be run on Windows or Linux but it is likely easiest on Linux. Be patient, this can take several minutes to finish.

sudo apt-get install amass
amass enum -d [domain]

Crt.sh

This is a free and very simple tool which will analyze the TLS certificate of an externally accessible website and then search for other instances where that certificate is being used. Essentially it looks for wildcard certificates to find subdomains. This is a fundamentally different method from the one used by Amass, so there is a benefit in using both.
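Crt.sh also serves its results as JSON, and the useful part of the work is turning the raw certificate records into a clean, in-scope host list. The following is an added example (not code from crt.sh or from this page) that parses a constructed sample in the shape of that JSON output; the `fetch_crtsh` helper and the `%.domain` query form are assumptions, and the sample records are made up.

```python
import json
import re
from datetime import datetime
from urllib.request import urlopen
from urllib.parse import quote

# Constructed sample shaped like crt.sh's JSON output (the real endpoint is
# https://crt.sh/?q=%25.<domain>&output=json); these are not real records.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nwebmail.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    {"common_name": "VPN.Example.com", "name_value": "VPN.Example.com.",
     "not_before": "2024-05-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
    # look-alike name that merely contains the domain: must be excluded
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test",
     "not_before": "2024-05-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
])

HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def fetch_crtsh(domain):
    """Live lookup (needs network); returns the raw JSON text crt.sh serves."""
    url = "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"
    with urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8")

def extract_subdomains(crtsh_json, domain, as_of=None):
    """Return (hosts, wildcards) for `domain`: lowercased, deduplicated,
    in scope, and (if as_of is an ISO timestamp) only from certificates
    that were still valid at that time."""
    domain = domain.lower().strip(".")
    cutoff = datetime.fromisoformat(as_of) if as_of else None
    hosts, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        if cutoff and datetime.fromisoformat(entry["not_after"]) < cutoff:
            continue                       # expired cert: stale evidence
        # name_value lists every SAN on the cert, newline-separated
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]            # keep the zone the wildcard covers
            if name != domain and not name.endswith("." + domain):
                continue                   # out of scope or a look-alike
            if HOSTNAME_RE.match(name):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)

if __name__ == "__main__":
    print(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"))
```

Names that only appear on expired certificates are worth keeping in a separate list: they are often decommissioned hosts, which is exactly the kind of forgotten asset a defender wants to know about.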


SecurityTrails

SecurityTrails provides insight into subdomains, historical data and DNS records for a given domain. SecurityTrails provides a lot of great technical insight and data in one location. Pairing this with other tools such as Amass and Crt.sh ensures that all subdomains are captured and validated.


Dorker.py

Google Dorking is a great way to search for unintended information disclosure by leveraging Google's advanced search syntax. There is a whole database of ‘dorks’ which can be found here: Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon (exploit-db.com). Dorker.py is a simple Python script which will automate several high-quality dorks to speed up the reconnaissance process. Currently this will search for:

- Exposed Documents
- Directory Listings
- Configuration Files
- Log files
- Database Files
- SQL and PHP errors
- Mentions on Github, Stackoverflow, and paste sites
- Subdomains and sub-subdomains
- Exposed S3 buckets
- AWS files

git clone https://github.com/GoVanguard/pentest-scripts
python3 dorker.py --files [target file.txt]

SecretScanner.sh / SecretSearcher.py

These are very useful tools which will analyze code that you provide and search for any hardcoded credentials, secrets, or API keys by looking for common strings and patterns.

git clone https://github.com/GoVanguard/SecretScanner
./searchTexts.sh [target directory]
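To show what "searching for common strings" looks like in practice, here is an added example of a small secret scanner written for this page; it is not the SecretScanner / SecretSearcher code, and its pattern set, entropy threshold and sample source file are all constructed for illustration (the AWS key format and PEM header are the only real formats used).

```python
import math
import os
import re

# Constructed sample source file; none of these values are real credentials.
SAMPLE_SOURCE = """\
# settings.py (constructed sample, no real credentials)
DB_PASSWORD = os.environ.get("DB_PASSWORD")
password = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c"
-----BEGIN RSA PRIVATE KEY-----
"""

# Illustrative patterns for common hardcoded-secret shapes (assumption: this
# is not the rule set the SecretScanner project ships with).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^'\"\s]{8,})"),
}

def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, path="<memory>", min_entropy=3.0):
    """Return findings as (path, line_no, kind, matched_value)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # keyword=value hits are noisy: drop template placeholders and
                # low-entropy values such as "changeme" (real keys look random)
                if kind == "generic_assignment" and (
                        value.startswith(("${", "{{", "<"))
                        or shannon_entropy(value) < min_entropy):
                    continue
                findings.append((path, line_no, kind, value))
    return findings

def scan_dir(root, **kw):
    """Walk a checkout and scan every readable file (binary noise is ignored)."""
    out = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            with open(p, encoding="utf-8", errors="ignore") as fh:
                out.extend(scan_text(fh.read(), p, **kw))
    return out
```

Run `scan_dir` over a cloned repository to get the same kind of report the shell script produces; the entropy filter is what keeps `password = "changeme"` out of the results while still reporting the random-looking API key.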

Shodan

Shodan.io is a very powerful OSINT tool for collecting information on specific targets or technologies. It constantly scans and catalogs the internet and allows users to gather a significant amount of information without having to actively interact with the target website. This is a great starting point to determine open ports and services, associated technologies, and registration information. You can make an account and pay to get an API key, but it is a bit pricey when it isn’t on sale. The basic functions can be used for free.


pyShodan

This is a handy Python 3 script for interacting with the Shodan API. There are three modes of operation: making an API query for a search term, for a single IP address, or for a list of IP addresses in a .txt file. This is useful when you want to gather information on many endpoints but don’t want to use active means like nmap.

GrayHatWarfare

This is an awesome tool to identify exposed cloud assets, especially AWS S3 buckets and Azure Blobs. There is a lot you can do here, especially with an account and the API but the basic searching functionality is available without an account.


Organizational Reconnaissance (Personnel)

LinkedIn2Username

LinkedIn2Username is a tool that scrapes a company’s public LinkedIn profile and creates the most common typical email structures. Typical email structures can include [email protected] or even first name initial, last name, and the domain name. LinkedIn2Username is a great FIRST step in aggregating data. What LinkedIn2Username does NOT do is validate emails for accuracy. Thus, using other tools, such as the ones listed below, is necessary to ensure that the emails are validated for accuracy.


Skrapp.io

Skrapp.io is a tool that can not only find emails in bulk but can also validate emails for accuracy. Finding emails can be as easy as simply entering the company name; the more information that is provided, though, the more accurate the results will be. Skrapp.io also has an upload function whereby a CSV can be imported for a bulk email find or validation. This tool, paired with LinkedIn2Username, is a great way to validate and aggregate many emails for an organization. This tool has a pay-by-email model; however, the results are highly accurate, making this a fantastic tool to have (also cheaper than most others).


Hunter.io

Hunter.io is another incredibly powerful email verification and aggregation-based tool. Hunter.io enables a company search that will pull emails as well as provide the most common orientation/structure of the domain.


VoilaNorbert

VoilaNorbert is another example of a very powerful email validation tool. This tool can be used to find emails in bulk; however, its real power is in the validation.


TruePeopleSearch

TruePeopleSearch is a free person search that will pull certain information such as phone numbers, relatives, addresses, and age, among other items of information. This tool can be helpful in identifying phone numbers for use during Smishing or Vishing campaigns. The one drawback is that it is not entirely accurate, so it is important to use other tools and your own intuition in tandem with TruePeopleSearch. Important - use truepeoplesearch.com


Threat Intelligence

VirusTotal

This is a very well known tool for suspicious URL and malware analysis. There are a few good use cases here, such as checking if your custom payload will be flagged as malicious prior to launching an attack, but in a reconnaissance setting the URL analysis can be really helpful. This will search their threat intelligence community database and let you know if any other security vendors have flagged that site as malicious, and if so, why.


AlienVault OTX

This is a very similar tool to VirusTotal; in fact, the AlienVault database is one of the major sources that VirusTotal pulls from to provide information. The difference is that AlienVault is a free and open source repository of threat intelligence. There are a lot of functions which can be used with the API, but even without an account you can make URL searches to corroborate the information from VirusTotal.


Criminalip.io

This is a really cool domain search tool which will provide a lot of information about the target's technology stack, as well as assess how suspicious the website is based on how it has been put together. Criminal IP also has other tools such as an asset search, an image search, and even an exploit search function.


DNS Twist