(OSINT) Passive Enumeration

export TARGET=

#Information Gathering by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json' | jq .

#Subdomain enumeration by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json'| jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist

Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | cut -d" " -f1,4;done 

#Manual DNS enumeration
Intrusionz3r0X@htb[/htb]$ openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "facebook.com:443" | openssl x509 -noout -text | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u

#Extract the host from dns
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*"); do host $i | grep "has address" | sort -u  | cut -d " " -f1,4;done

#Grep for IPs
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*");do host $i | grep "has address" | cut -d" " -f4 >> ip-addresses.txt;done

#Initializating Shodan tool
Intrusionz3r0X@htb[/htb]$ shodan init <api-key>

# Scan using Shodan
Intrusionz3r0X@htb[/htb]$ for i in $(cat ip-addresses.txt);do shodan host $i;done

#Fetch all the URLs that the Wayback Machine knows about for a domain
Intrusionz3r0X@htb[/htb]$ waybackurls -dates https://facebook.com > waybackurls.txt

Automating Passive Subdomain Enumeration

Intrusionz3r0X@htb[/htb]$ cat sources.txt

baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye

Intrusionz3r0X@htb[/htb]$ export TARGET="compucloud.com.mx"
Intrusionz3r0X@htb[/htb]$ cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}_${TARGET}";done
Intrusionz3r0X@htb[/htb]$ cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"

Passive Enumeration Resources:

OSINT Framework

crt.sh | Certificate Search

Netcraft | Leader in Phishing Detection, Cybercrime Disruption and Website Takedown

Wayback Machine

https://github.com/tomnomnom/waybackurls

Finding information about Cloud Providers

Google Search for AWS resources

Google Search for Azure

Target Website - Source Code

Domain DNS Record and WHOIS Information

Public Buckets by GrayhatWarfare

Finding information about the company

• Use LinkedIn to find information about the technology, infrastructure, programming languages, or software the company is using.

Required Skills/Knowledge/Experience:

* 3-10+ years of experience on professional software development projects.

« An active US Government TS/SCI Security Clearance (current SSBI) or eligibility to obtain TS/SCI within nine months.
« Bachelor's degree in computer science/computer engineering with an engineering/math focus or another equivalent field of discipline.
« Experience with one or more object-oriented languages (e.g., Java, C#, C++).
« Experience with one or more scripting languages (e.g., Python, Ruby, PHP, Perl).
« Experience using SQL databases (e.g., PostgreSQL, MySQL, SQL Server, Oracle).
« Experience using ORM frameworks (e.g., SQLAIchemy, Hibernate, Entity Framework).
« Experience using Web frameworks (e.g., Flask, Django, Spring, ASP.NET MVC).
« Proficient with unit testing and test frameworks (e.g., pytest, JUnit, NUnit, xUnit).
« Service-Oriented Architecture (SOA)/microservices & RESTful API design/implementation.
« Familiar and comfortable with Agile Development Processes.
« Familiar and comfortable with Continuous Integration environments.
« Experience with version control systems (e.g., Git, SVN, Mercurial, Perforce).

Desired Skills/Knowledge/ Experience:

« CompTIA Security+ certification (or equivalent).
« Experience with Atlassian suite (Confluence, Jira, Bitbucket).
« Algorithm Development (e.g., Image Processing algorithms).
« Software security.
« Containerization and container orchestration (Docker, Kubernetes, etc.)
« Redis.
« NumPy.

• Github