Information Gathering & Reconnaissance


Target Organization: XYZTelecom (Hypothetical)

Objective: Conduct passive reconnaissance using OSINT techniques.


Step 1: Define Scope & Rules of Engagement

  • Use only publicly available data (OSINT).

  • No active scanning or exploitation.

  • Focus on passive reconnaissance techniques.


Phase 1: Open-Source Intelligence (OSINT) Gathering

Step 2: Identify Basic Information

  • Website & Domain:

    • Example: https://www.XYZTelecom.com

    • Check robots.txt for restrictions.

    • Analyze the page source for hidden comments and leaked API keys or other credentials.

  • WHOIS Lookup:

    • Tool:

    • Command:

      whois XYZTelecom.com
    • Extract Details:

      • Registrar name

      • Creation & expiration date

      • Contact emails (if visible)
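
The two checks under "Website & Domain" (read robots.txt, look through the page source for comments and leaked keys) as a small script. This is an added example, not part of the original guide: the sample robots.txt and HTML are constructed here, the key id is the documented AWS example value used as a stand-in, and the pattern set and the names parse_robots, extract_comments, find_secrets and audit_site are this example's own choices.

```python
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample inputs (not fetched from XYZTelecom): what a robots.txt and a
# landing page's source might contain.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # old dumps
Allow: /
Sitemap: https://www.example.com/sitemap.xml
"""

SAMPLE_HTML = """<html><head>
<!-- TODO: remove before go-live, staging still uses the key below -->
<script>
  var API_KEY = "AKIAIOSFODNN7EXAMPLE";  // AWS's documented example key id, used as a stand-in
</script>
</head><body>
<!-- legacy admin panel moved to /legacy-admin -->
<p>Welcome</p>
</body></html>
"""


def parse_robots(text):
    """Collect Disallow/Allow paths and Sitemap URLs from a robots.txt body."""
    rules = {"disallow": [], "allow": [], "sitemap": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field in rules and value:
            rules[field].append(value)
    return rules


class _CommentCollector(HTMLParser):
    """HTMLParser subclass that only records <!-- comments -->."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return every HTML comment in the page source, in document order."""
    parser = _CommentCollector()
    parser.feed(html)
    return parser.comments


# Shapes of credentials that commonly leak into front-end code.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}


def find_secrets(text):
    """Return (pattern_name, matched_value) pairs found in page source."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((name, match.group(1)))
    return hits


def audit_site(base_url):
    """Live version: fetch robots.txt and the landing page, then run the same checks."""
    def get(url):
        req = urllib.request.Request(url, headers={"User-Agent": "osint-lab-audit"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")

    robots = parse_robots(get(urljoin(base_url, "/robots.txt")))
    page = get(base_url)
    return {"robots": robots, "comments": extract_comments(page), "secrets": find_secrets(page)}


if __name__ == "__main__":
    print(parse_robots(SAMPLE_ROBOTS))
    print(extract_comments(SAMPLE_HTML))
    print(find_secrets(SAMPLE_HTML))
```

Disallow entries are not a security control, they are a list of paths the owner would rather not have indexed, which is exactly why they belong in the findings. A key id that matches a pattern should be reported as "credential-shaped string in client-side code" and handed to the owner for rotation; the assessment does not need to test whether it works.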

Step 3: Collect Employee & Email Information

  • Google Dorking:

    • Example Queries:

      site:XYZTelecom.com filetype:pdf
      site:XYZTelecom.com intitle:index.of
      site:linkedin.com/in "XYZTelecom"
  • LinkedIn Scraping:

    • Tool: theHarvester

    • Command:

      theHarvester -d XYZTelecom.com -b linkedin

    • Check that your release still ships a linkedin data source (theHarvester -h lists the values accepted by -b); newer versions have dropped some sources, in which case substitute one that is listed, for example -b bing.
  • Email Permutations:

    • Use Hunter.io to find email patterns.

    • Example format: firstname.lastname@XYZTelecom.com
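
What a Hunter.io-style "email pattern" lookup does, reduced to its core: score each naming convention by how many publicly known employees it explains, using a few addresses already seen in public material. This is an added example, not part of the original guide; the names and addresses are constructed, and the FORMATS table, infer_format and unexplained are this example's own naming.

```python
import re

# Candidate address conventions, labelled the way pattern-lookup tools usually report them.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

# Constructed sample: names from public profiles and addresses seen in public
# documents (press releases, PDFs). Not real XYZTelecom data.
SAMPLE_PEOPLE = [("Ada", "Lovelace"), ("Grace", "Hopper"), ("Alan", "Turing")]
SAMPLE_OBSERVED = [
    "ada.lovelace@xyztelecom.com",
    "Grace.Hopper@XYZTelecom.com",
    "press@xyztelecom.com",          # role account, belongs to no person
]


def _normalize(part):
    """Lower-case and strip anything that is not a letter (O'Brien -> obrien)."""
    return re.sub(r"[^a-z]", "", part.lower())


def infer_format(people, observed, domain):
    """Score each convention by how many known people it explains; return (best, scores)."""
    domain = domain.lower()
    seen = {addr.lower() for addr in observed if addr.lower().endswith("@" + domain)}
    scores = {}
    for label, build in FORMATS.items():
        scores[label] = sum(
            1 for first, last in people
            if f"{build(_normalize(first), _normalize(last))}@{domain}" in seen
        )
    best = max(scores, key=scores.get)
    return best, scores


def unexplained(observed, people, domain, label):
    """Observed addresses the chosen convention does not account for (role accounts, exceptions)."""
    build = FORMATS[label]
    domain = domain.lower()
    predicted = {f"{build(_normalize(f), _normalize(l))}@{domain}" for f, l in people}
    return sorted(a.lower() for a in observed if a.lower() not in predicted)


if __name__ == "__main__":
    best, scores = infer_format(SAMPLE_PEOPLE, SAMPLE_OBSERVED, "XYZTelecom.com")
    print(best, scores)
    print(unexplained(SAMPLE_OBSERVED, SAMPLE_PEOPLE, "XYZTelecom.com", best))
```

A convention that two or three public addresses confirm is the finding to report ("staff addresses are fully predictable from a LinkedIn name"), because it is what makes spear-phishing lists cheap to build; the unexplained set usually lists role accounts and naming exceptions, which are worth mentioning separately rather than forcing into the pattern.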

Step 4: DNS & Subdomain Enumeration

  • Find subdomains:

    • Tools: Sublist3r, Amass, crt.sh

    • Command:

      sublist3r -d XYZTelecom.com
  • Extract DNS records:

    • Tool: dig

    • Command:

      dig XYZTelecom.com ANY

    • Many authoritative servers and resolvers answer ANY with a minimal or empty response (RFC 8482), so also query the record types individually, for example dig XYZTelecom.com MX, dig XYZTelecom.com NS and dig XYZTelecom.com TXT.
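
The crt.sh part of subdomain enumeration, done by hand: certificate transparency logs are queried passively, and the JSON that crt.sh returns for a query such as https://crt.sh/?q=%25.xyztelecom.com&output=json needs a little normalising before the names are usable. This is an added example, not the guide's or crt.sh's code; the response below is a constructed stand-in with the same field names, and subdomains_from_crtsh and resolve are this example's own helpers.

```python
import json
import socket

# Constructed stand-in for a crt.sh JSON response (no real certificates involved).
# Real responses carry more fields; only common_name and name_value are used here.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.xyztelecom.com",
     "name_value": "www.xyztelecom.com\nxyztelecom.com"},
    {"common_name": "*.dev.xyztelecom.com",
     "name_value": "*.dev.xyztelecom.com"},
    {"common_name": "vpn.xyztelecom.com",
     "name_value": "VPN.XYZTelecom.com\nmail.xyztelecom.com"},
    {"common_name": "unrelated.example.org",
     "name_value": "unrelated.example.org"},
])


def subdomains_from_crtsh(raw_json, domain):
    """Unique in-scope host names from a crt.sh JSON response.

    name_value may hold several SANs separated by newlines, names may be
    mixed-case, and wildcard entries (*.x) are reduced to their base label.
    Names outside the target domain are dropped.
    """
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def resolve(hostnames):
    """Follow-up step: map each name to an A record, or None if it no longer resolves."""
    results = {}
    for host in hostnames:
        try:
            results[host] = socket.gethostbyname(host)
        except socket.gaierror:
            results[host] = None
    return results


if __name__ == "__main__":
    names = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "XYZTelecom.com")
    print(names)
```

Two caveats for the report: CT logs keep expired certificates, so a good share of the names will be stale, and resolve() sends DNS queries that touch the target's name servers, which under the rules of engagement in Step 1 (passive only) should be agreed with the client before it is run.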

Phase 2: Infrastructure & Technology Stack Analysis

Step 5: Analyze Website & Hosting

  • Wappalyzer Browser Extension

  • WhatWeb CLI Tool:

    whatweb XYZTelecom.com
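
What Wappalyzer and WhatWeb do under the hood, shown on one response: response headers and a few HTML markers (the generator meta tag, /wp-content/ plugin paths with ?ver= query strings, the bundled jQuery version) identify the stack and the versions that later feed a finding such as "outdated plugins". This is an added example, not the guide's or either tool's code; the headers, HTML and version numbers are constructed, and fingerprint and fetch are this example's own names.

```python
import re
import urllib.request

# Constructed sample response (not captured from XYZTelecom): headers and HTML that a
# WordPress site behind nginx might return. All version numbers are made up.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.33",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head><body></body></html>"""

META_GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
WP_PLUGIN = re.compile(r'/wp-content/plugins/([^/"\'\s]+)/[^"\'\s]*?\?ver=([0-9.]+)')
JQUERY = re.compile(r'jquery(?:\.min)?\.js\?ver=([0-9.]+)', re.I)


def fingerprint(headers, body):
    """Passive technology fingerprint from one HTTP response (headers + HTML)."""
    found = {}
    lower = {k.lower(): v for k, v in headers.items()}
    if "server" in lower:
        found["server"] = lower["server"]
    if "x-powered-by" in lower:
        found["language"] = lower["x-powered-by"]
    elif "phpsessid" in lower.get("set-cookie", "").lower():
        found["language"] = "PHP (inferred from session cookie name)"
    m = META_GENERATOR.search(body)
    if m:
        found["cms"] = m.group(1)
    elif "/wp-content/" in body or "/wp-includes/" in body:
        found["cms"] = "WordPress (path fingerprint, version unknown)"
    plugins = {slug: ver for slug, ver in WP_PLUGIN.findall(body)}
    if plugins:
        found["wp_plugins"] = plugins
    m = JQUERY.search(body)
    if m:
        found["jquery"] = m.group(1)
    return found


def fetch(url):
    """Live helper: one GET, returning (headers, body) in the shape fingerprint() expects."""
    req = urllib.request.Request(url, headers={"User-Agent": "osint-lab-fingerprint"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers), resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY))
```

The ?ver= values are what turn "uses WordPress" into "runs plugin X at version Y", which is the part the owner can act on; the Server and X-Powered-By headers are also the first things a hardening recommendation would suggest suppressing.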

Step 6: Identify Publicly Exposed Services

  • Shodan Search:

    • Query:

      hostname:XYZTelecom.com
    • Look for:

      • Open SSH, FTP, RDP, database ports

      • Outdated software versions

  • Cloud Storage Misconfigurations:

    • Google Dorking:

      site:s3.amazonaws.com "XYZTelecom"

Phase 3: Social Engineering Research

  • Identify potential phishing attack vectors.

  • Check for leaked credentials on haveibeenpwned.com.
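
A companion to the haveibeenpwned.com check that an organisation can run against its own password policy: the Pwned Passwords range API accepts the first five hex characters of a SHA-1 and returns every matching suffix with its breach count, so the password itself never leaves the machine. This is an added example, not code from the guide or from Have I Been Pwned; the endpoint and the SUFFIX:COUNT line format are the service's public interface, while the sample response, its counts and the function names are constructed here.

```python
import hashlib
import urllib.request

# Public endpoint of the Pwned Passwords range API; only the 5-char prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response: lines of "SUFFIX:COUNT". The first line
# is the suffix of SHA-1("password"); the counts are made up, not the service's figures.
SAMPLE_RANGE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4D4F0A7A3B5C2D2E1F0A9B8C7D6E5F4A3:2
00000000000000000000000000000000000:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body, suffix):
    """Return the breach count for our suffix, or 0 when it is absent from the range."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live fetch of one hash range; the body has the same shape as SAMPLE_RANGE_RESPONSE."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "osint-lab-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Times the password appears in the corpus; `fetch` is injectable for offline use."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print(breach_count("password", fetch=lambda _prefix: SAMPLE_RANGE_RESPONSE))
```

Rejecting any candidate with a non-zero count at password-change time is the concrete control behind the "enforce strong password policies" recommendation, and because only a hash prefix is transmitted the check is safe to wire into an internal self-service portal.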


Final Report & Documentation

Key Findings

  • AcmeCorp uses WordPress with outdated plugins.

  • Employee emails follow first.last@XYZTelecom.com format.

  • Exposed subdomain: vpn.XYZTelecom.com.

  • Shodan reveals an exposed database server (security risk).

Recommendations

  • Enforce strong password policies.

  • Update and secure outdated software.

  • Restrict publicly exposed services.

  • Educate employees on phishing risks.


Tool link: BuiltWith (WHOIS Lookup), https://builtwith.com/