Information Gathering & Reconnaissance

Target Organization: XYZTelecom (Hypothetical)

Objective: Conduct passive reconnaissance using OSINT techniques.


Step 1: Define Scope & Rules of Engagement

  • Obtain written authorization that names the in-scope domains and organization before starting; passive work still needs it.

  • Use only publicly available data (OSINT).

  • No active scanning or exploitation: no port scans, no login attempts, no DNS brute force against the target's name servers.

  • Focus on passive reconnaissance techniques.


Phase 1: Open-Source Intelligence (OSINT) Gathering

Step 2: Identify Basic Information

  • Website & Domain:

    • Example: https://www.XYZTelecom.com

    • Check robots.txt for restrictions; Disallow entries often name admin or staging paths.

    • Review page source and linked JavaScript for developer comments, internal hostnames and hard-coded API keys.

  • WHOIS Lookup:

    • Command:

      whois XYZTelecom.com
    • Extract Details:

      • Registrar name and name servers

      • Creation & expiration date

      • Contact emails (often redacted by privacy services; a registrar or abuse contact may be all that is visible)

Step 3: Collect Employee & Email Information

  • Google Dorking:

    • Example Queries:

      site:XYZTelecom.com filetype:pdf
      site:XYZTelecom.com intitle:index.of
      site:linkedin.com/in "XYZTelecom"
  • LinkedIn Scraping:

    • Tool: theHarvester

    • Command:

      theHarvester -d XYZTelecom.com -b linkedin
    • The linkedin source is not present in every theHarvester release (check theHarvester -h); -b all queries every configured source. Automated LinkedIn scraping breaches its terms of service, so confirm the rules of engagement cover it.
  • Email Permutations:

    • Use Hunter.io to find email patterns.

    • Example format: firstname.lastname@XYZTelecom.com
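The pattern step above is easy to do by hand for three addresses and tedious for three hundred. The script below is an added example, not part of the original checklist: it infers the naming convention of the hypothetical XYZTelecom from a few addresses observed in theHarvester or Hunter.io output, then builds candidate addresses for names harvested from LinkedIn. Every address and name in it is constructed sample data, and the list of conventions is an assumption about what corporate mail systems commonly use.

```python
# Added example, not part of the original checklist: infer the e-mail naming
# convention of the hypothetical XYZTelecom from a few observed addresses,
# then produce candidate addresses for names harvested from LinkedIn.
# All addresses and names below are constructed sample data.
import re
import unicodedata
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Local-part builders for the conventions most often seen in corporate mail
# (assumed list; extend it if the target uses something else).
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalize(name: str) -> str:
    """Fold accents to ASCII, lower-case, and drop apostrophes, hyphens and spaces
    ("García" -> "garcia", "O'Neil" -> "oneil")."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def score_patterns(samples: Sequence[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count how many observed (first, last, email) samples each pattern reproduces."""
    scores = {label: 0 for label in PATTERNS}
    for first, last, email in samples:
        local = email.split("@", 1)[0].lower()
        f, l = normalize(first), normalize(last)
        if not f or not l:
            continue
        for label, build in PATTERNS.items():
            if build(f, l) == local:
                scores[label] += 1
    return scores


def infer_pattern(samples: Sequence[Tuple[str, str, str]]) -> Optional[str]:
    """Return the pattern matching a strict majority of samples, or None when the
    evidence is split (for example only aliases or shared mailboxes were found)."""
    scores = score_patterns(samples)
    best = max(scores, key=scores.get)
    return best if scores[best] * 2 > len(samples) else None


def generate_candidates(names: Sequence[Tuple[str, str]], domain: str, pattern: str) -> List[str]:
    """Build candidate addresses; two people with the same name yield one address,
    so a later verification step does not probe it twice."""
    build = PATTERNS[pattern]
    seen, out = set(), []
    for first, last in names:
        addr = f"{build(normalize(first), normalize(last))}@{domain.lower()}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


# Constructed sample: three addresses that follow the house convention plus one
# alias that does not (the majority rule keeps it from skewing the result).
OBSERVED = [
    ("Jane", "Doe", "jane.doe@XYZTelecom.com"),
    ("Raj", "Patel", "raj.patel@xyztelecom.com"),
    ("Ana", "García", "ana.garcia@xyztelecom.com"),
    ("Sam", "O'Neil", "soneil@xyztelecom.com"),
]
HARVESTED_NAMES = [("Maria", "Lopez"), ("Li", "Wei"), ("Maria", "Lopez")]

if __name__ == "__main__":
    pattern = infer_pattern(OBSERVED)
    print("pattern:", pattern)
    if pattern:
        for addr in generate_candidates(HARVESTED_NAMES, "XYZTelecom.com", pattern):
            print(addr)
```

The majority rule matters: shared mailboxes and aliases (soneil above) are common in harvested data, and a script that simply trusts the first address it sees will generate a whole candidate list in the wrong format. The output is a candidate list only; verifying it against the target's mail server is an active step and is out of scope here.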

Step 4: DNS & Subdomain Enumeration

  • Find subdomains:

    • Tools: Sublist3r, Amass, crt.sh

    • Commands:

      sublist3r -d XYZTelecom.com
      amass enum -passive -d XYZTelecom.com
    • Certificate transparency: https://crt.sh/?q=%25.XYZTelecom.com (add &output=json for machine-readable results)

    • Stay in passive modes; brute-force and permutation modes generate large volumes of queries that reach the target's name servers.
  • Extract DNS records:

    • Tool: dig

    • Commands:

      dig XYZTelecom.com NS +short
      dig XYZTelecom.com MX +short
      dig XYZTelecom.com TXT +short
    • ANY queries are unreliable: many servers answer with a minimal RFC 8482 response, so ask for each record type explicitly. TXT records expose SPF/DMARC policy and third-party SaaS verification tokens, both useful in Phase 3.
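The crt.sh result is the noisiest of the subdomain sources: one certificate can list dozens of names, the same host appears in many certificates, case and whitespace vary, and look-alike domains that merely contain the target's name show up too. The script below is an added example, not part of the original checklist; it reduces a crt.sh JSON response to a deduplicated host list and, in keeping with the scope rule of Step 1, separates names that are not actually under the authorized domain. The JSON it parses is a constructed sample in the shape crt.sh returns for https://crt.sh/?q=%25.xyztelecom.com&output=json; nothing is fetched.

```python
# Added example, not part of the original checklist: reduce a crt.sh JSON
# response to a deduplicated, in-scope host list. The JSON below is a
# constructed sample in the shape returned by
# https://crt.sh/?q=%25.xyztelecom.com&output=json ; nothing is fetched.
import json
from typing import Dict, List

SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.xyztelecom.com",
     "name_value": "www.xyztelecom.com\nxyztelecom.com"},
    {"id": 2, "common_name": "*.xyztelecom.com",
     "name_value": "*.xyztelecom.com\nvpn.xyztelecom.com"},
    {"id": 3, "common_name": "MAIL.XYZTelecom.COM",
     "name_value": "MAIL.XYZTelecom.COM"},
    {"id": 4, "common_name": "vpn.xyztelecom.com.evil.example",
     "name_value": "vpn.xyztelecom.com.evil.example"},
    {"id": 5, "common_name": "dev.xyztelecom.com",
     "name_value": "dev.xyztelecom.com\n staging.xyztelecom.com \nwww.xyztelecom.com"},
])


def in_scope(host: str, domain: str) -> bool:
    """True only for the apex or a label-boundary subdomain of the authorized
    domain. A bare endswith() or substring check would accept look-alikes such
    as xyztelecom.com.evil.example or notxyztelecom.com."""
    return host == domain or host.endswith("." + domain)


def extract_hosts(raw_json: str, domain: str) -> Dict[str, List[str]]:
    """Split each certificate's SAN list (newline-separated in name_value),
    normalize case and whitespace, and bucket the names."""
    domain = domain.lower()
    hosts, wildcards, out_of_scope = set(), set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)      # a wildcard proves nothing about real hosts,
                name = name[2:]          # but its base is still a valid name to record
            if in_scope(name, domain):
                hosts.add(name)
            else:
                out_of_scope.add(name)   # look-alikes or shared certs: report, do not probe
    return {
        "hosts": sorted(hosts),
        "wildcards": sorted(wildcards),
        "out_of_scope": sorted(out_of_scope),
    }


if __name__ == "__main__":
    result = extract_hosts(SAMPLE_CRTSH_JSON, "XYZTelecom.com")
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

For a real run, save the crt.sh JSON to a file (for example with curl against the URL above) and pass its contents to extract_hosts; the function is deliberately file-agnostic so the fetch and the parse are separate steps. The out_of_scope bucket is worth keeping in the report: a certificate that pairs the target's name with an unrelated domain is either a shared CDN certificate or a look-alike domain, and both belong in the phishing-vector notes of Phase 3, but neither may be probed under the rules of engagement.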

Phase 2: Infrastructure & Technology Stack Analysis

Step 5: Analyze Website & Hosting

Step 6: Identify Publicly Exposed Services

  • Shodan Search:

    • Queries:

      hostname:XYZTelecom.com
      org:"XYZTelecom"
    • Look for:

      • Open SSH, FTP, RDP, database ports

      • Outdated software versions (from service banners)

    • Shodan data is a historical scan: record the scan timestamp with each finding and do not connect to the host to confirm it.
  • Cloud Storage Misconfigurations:

    • Google Dorking:

      site:s3.amazonaws.com "XYZTelecom"
      site:blob.core.windows.net "XYZTelecom"

Phase 3: Social Engineering Research

  • Identify potential phishing attack vectors: the public email format, named staff in customer-facing roles, and the vendor and SaaS names seen in DNS TXT records.

  • Check for leaked credentials on haveibeenpwned.com (the domain-wide search requires proving control of the domain; individual address lookups are public).


Final Report & Documentation

Key Findings

  • XYZTelecom uses WordPress with outdated plugins.

  • Employee emails follow first.last@XYZTelecom.com format.

  • Exposed subdomain: vpn.XYZTelecom.com.

  • Shodan lists a database server in XYZTelecom address space reachable from the Internet (security risk).

Recommendations

  • Enforce strong password policies and multi-factor authentication, and reset any credentials found in breach data.

  • Update and secure outdated software.

  • Restrict publicly exposed services (VPN, databases, management ports) to authorized networks.

  • Educate employees on phishing risks.