(OSINT) Passive Enumeration
export TARGET=
#Information Gathering by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json' | jq .
#Subdomain enumeration by using crt.sh
Intrusionz3r0X@htb[/htb]$ curl -s 'https://crt.sh/?q=compucloud.com.mx&output=json'| jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u > subdomainlist
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist);do host $i | grep "has address" | cut -d" " -f1,4;done
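Added example, not part of the original notes: a structured parse of the crt.sh JSON that reads only the subject fields (common_name, name_value), so issuer lines never need filtering, and keeps only names inside the domain you are inventorying. The sample records and the function name extract_hostnames are constructed for illustration, and unlike the pipeline above it reduces a wildcard entry to the zone it covers.

```python
import json

# Constructed sample in the shape crt.sh returns with output=json (not real data).
SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\n*.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "Mail.Example.com",
     "name_value": "mail.example.com\nadmin@example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\ncdn.example.net\nnotexample.com"},
])


def extract_hostnames(crtsh_json, domain):
    """Return sorted, de-duplicated in-scope hostnames from crt.sh JSON text."""
    domain = domain.lower().strip(".")
    names = set()
    for entry in json.loads(crtsh_json):
        # Only the subject fields are read; issuer_name is never touched,
        # so no "CN=" filtering is needed.
        raw = [entry.get("common_name") or ""]
        raw += (entry.get("name_value") or "").split("\n")
        for name in raw:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # keep the zone a wildcard covers
            if not name or "@" in name or " " in name or "*" in name:
                continue                 # e-mail SANs, free text, odd wildcards
            # Scope check: the domain itself or a label-aligned subdomain.
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in extract_hostnames(SAMPLE, "example.com"):
        print(host)
```

The label-aligned suffix check is what keeps look-alike names such as notexample.com out of the list.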
#Manual DNS enumeration
Intrusionz3r0X@htb[/htb]$ openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "facebook.com:443" | openssl x509 -noout -text | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
#Resolve each host in the list (wildcard entries skipped) to its IP address
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*"); do host $i | grep "has address" | sort -u | cut -d " " -f1,4;done
#Collect only the IP addresses into ip-addresses.txt
Intrusionz3r0X@htb[/htb]$ for i in $(cat subdomainlist | grep -v "*");do host $i | grep "has address" | cut -d" " -f4 >> ip-addresses.txt;done
#Initializing the Shodan tool
Intrusionz3r0X@htb[/htb]$ shodan init <api-key>
#Look up each IP address in Shodan
Intrusionz3r0X@htb[/htb]$ for i in $(cat ip-addresses.txt);do shodan host $i;done
#Fetch all the URLs that the Wayback Machine knows about for a domain
Intrusionz3r0X@htb[/htb]$ waybackurls -dates https://facebook.com > waybackurls.txt
Automating Passive Subdomain Enumeration
Passive Enumeration Resources:
Netcraft | Leader in Phishing Detection, Cybercrime Disruption and Website Takedown
https://github.com/tomnomnom/waybackurls
Finding information about Cloud Providers
Google Search for AWS resources
Google Search for Azure
Target Website - Source Code
Domain DNS Record and WHOIS Information
Public Buckets by GrayhatWarfare
Finding information about the company
Use LinkedIn to find information about the technology, infrastructure, programming languages, or software the company is using.
GitHub