Mastering Passive Reconnaissance: Top 20 techniques for Ethical Information Gathering (Part 2)

Introduction

In the first installment of this series, we explored the basics of passive reconnaissance, covering domain information, website and infrastructure analysis, and subdomain discovery using a variety of tools and techniques.

We are halfway through our passive recon stages:
:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:white_check_mark: :link: Subdomains and Related Domains
:white_large_square: :male_detective: Deep OSINT and Data Gathering
:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

In this second blog, we’ll venture further into the realm of passive reconnaissance, employing a new set of tools and techniques. As before, I will be using my own website crushingsecurity.com as my ‘target’ for my examples. Our focus will broaden as we delve into:

:white_large_square: :male_detective: Deep OSINT and Data Gathering: Uncovering hidden details, relationships, and patterns related to our target using open-source intelligence.

:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats: Assessing weak points and threats with the gathered information, aiming to fortify against malicious actors.

:white_large_square: :rotating_light: Monitoring and Alerts: Exploring tools and techniques for vigilant monitoring and setting up alerts for any changes or suspicious activities.

What will you gain from this second series?

Having traversed the initial stages of passive recon in Blog 1, Part 2 sharpens our toolkit as we delve deeper into advanced OSINT techniques, assess potential vulnerabilities, and set up robust monitoring and alert systems.

Our journey continues as we introduce additional methods and enhance our skills in passive reconnaissance.

Let’s delve into the next stages of our investigation.

Disclaimer: The demonstrations and methodologies illustrated within this blog are intended strictly for educational and informational purposes. Engaging in reconnaissance or penetration testing activities without explicit permission is illegal and strictly prohibited. Legal stipulations regarding scanning and data collection can vary significantly across jurisdictions; therefore, it is imperative that individuals ensure strict adherence to applicable laws and ethical guidelines. Respect for privacy and adherence to legal and ethical boundaries is paramount. Always secure appropriate authorization and operate within the legal and ethical frameworks applicable to your location and the location of the data being analyzed.

:male_detective: Deep OSINT and Data Gathering:

:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:white_check_mark: :link: Subdomains and Related Domains
:arrow_right: :male_detective: Deep OSINT and Data Gathering
:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

11. Recon-ng

Setting Up and Running the Module

Recon-ng is readily available on Kali OS, making the initiation of our reconnaissance straightforward. By typing recon-ng in the terminal, we enter the framework. A simple help command reveals useful commands, and the marketplace command lists available modules for installation and use.

┌──(env)─(kali㉿kali)-[/tmp/]
└─$ recon-ng 
[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
help            Displays this menu
index           Creates a module index (dev only)
keys            Manages third party resource credentials
marketplace     Interfaces with the module marketplace
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
workspaces      Manages workspaces


A list of modules that can be installed

11.1 LinkedIn Module

In this section, we’ll begin by focusing on the module recon/companies-contacts/bing_linkedin_cache. This will gather any potentially useful information about our target crushingsecurity.com from LinkedIn.

[recon-ng][default] > marketplace install recon/companies-contacts/bing_linkedin_cache
[recon-ng][default] > modules load recon/companies-contacts/bing_linkedin_cache
[recon-ng][default][bing_linkedin_cache] > keys add bing_api <YOUR_API_KEY>
[*] Key 'bing_api' added.
[recon-ng][default][bing_linkedin_cache] > run

--------------------
CRUSHINGSECURITY.COM
--------------------
[*] Searching Bing API for: site:"linkedin.com/in/" "crushingsecurity.com"
[*] Searching Bing API for: site:"linkedin.com" -jobs "crushingsecurity.com"
[*] Country: None
[*] Email: None
[*] First_Name: Crushing
[*] Last_Name: Post
[*] Middle_Name: Security’s
[*] Notes: None
[*] Phone: None
[*] Region: None
[*] Title: Undetermined
[*] --------------------------------------------------
[*] Category: social
[*] Notes: None
[*] Resource: LinkedIn
[*] Url: https://www.linkedin.com/posts/crushing-security_reflecting-on-my-oscp-journey-from...
[*] Username: crushing-security_reflecting-on-my-oscp-journey-from...
[*] --------------------------------------------------
[*] Country: None
[*] Email: None
[*] First_Name: Crushing
[*] Last_Name: Mobile Trash Compaction
[*] Middle_Name: It
[*] Notes: None
[*] Phone: None
[*] Region: None
[*] Title: Undetermined
[*] --------------------------------------------------
...

:bar_chart: Findings:

The bing_linkedin_cache module provided a variety of results including intriguing LinkedIn posts and a company page related to crushingsecurity.com.

  • LinkedIn Blog Post: One of the URLs led to a LinkedIn blog post, reflecting on an OSCP journey, potentially by an employee or the owner of Crushing Security.
  • Company Page: The LinkedIn company page provides insight into Crushing Security’s mission and operations.

Searching the blog in LinkedIn leads directly to the post

A deeper exploration into the LinkedIn page of Crushing Security reveals a wealth of information which could be pivotal in understanding the persona and operations of the entity behind crushingsecurity.com. While this entails navigating LinkedIn, it’s still considered passive reconnaissance since we’re not interacting directly with the target system.

Viewing the company page whilst not being logged in

:thinking: Insights from the Findings:

  • Networking Insights: The LinkedIn profiles and posts could help in identifying employees or associates. The post about the OSCP journey indicates a culture of continuous learning within the organization.

  • Operational Insights: The company page on LinkedIn reveals some aspects of Crushing Security’s mission and operations. It seems like Crushing Security is a small entity with a possible key employee named Steve. The size of the company may suggest a more personalized approach to their services, which could be appealing to potential clients.

  • Community Engagement: The LinkedIn presence shows a level of community engagement, especially through sharing experiences like the OSCP journey. This engagement can help in building trust and establishing authority in the field.

  • Potential Leads: The LinkedIn profiles, posts, and company page serve as leads for further investigation. Following the digital trail of individuals associated with Crushing Security on LinkedIn might provide more information about the company’s projects, clients, and operational duties.

  • Platform for Further Engagement: LinkedIn, being a professional network, could serve as a platform for further engagement. It could be a starting point for reaching out to identified individuals for more information, under a pretext or openly, depending on the investigation strategy.

11.2 GitHub Miner Module

Next we will explore the Recon-ng github_miner module.

Setting Up and Running the Module

After loading and running the github_miner module in Recon-ng with the target set as “Crushing Security”, a public repository titled “Crushing-Security-Community” was discovered. This repository is a collaborative space for the Crushing Security community, as indicated by its description.

[recon-ng][default] > modules load recon/companies-multi/github_miner
[recon-ng][default][github_miner] > options set SOURCE Crushing-Security
SOURCE => Crushing-Security
[recon-ng][default][github_miner] > run

-----------------
CRUSHING-SECURITY
-----------------
[*] Category: repo
[*] Description: Public repo for crushing security community collaboration 
[*] Name: Crushing-Security-Community
[*] Notes: None
[*] Owner: crushing-security
[*] Resource: Github
[*] Url: https://github.com/crushing-security/Crushing-Security-Community
[*] --------------------------------------------------

-------
SUMMARY
-------
[*] 1 total (0 new) repositories found.
[recon-ng][default][github_miner] > 

Following this we can navigate to the URL to gather further information on the company.

:bar_chart: Findings:

The Crushing-Security-Community repo contains various resources and guidelines for cybersecurity enthusiasts. Two contributors, CrushingSecurity and steve-emerson-github, have been active on this repo. Notably, the repo contains lists of cybersecurity tools, educational resources, and a space for community contributions.

:thinking: Insights from the Findings:

  • Community Collaboration: The repo serves as a platform for collaborative learning and sharing within the Crushing Security community.
  • Active Contributors: The activity of contributors, especially steve-emerson-github, aligns with the passive recon findings from LinkedIn, further corroborating the presence of a person named Steve at Crushing Security; it also looks like we now have the employee’s surname.
  • Educational Focus: The numerous educational resources hint at a strong focus on continuous learning and community education, reinforcing the insights gathered from LinkedIn.

12. Maltego

Maltego is a powerful tool that allows us to visualize the relationships between various entities and data points. With its graphical link analysis, it lets us traverse a target’s digital footprint interactively. In this segment, we unravel the findings from a Maltego investigation aimed at both validating and enriching the preliminary reconnaissance from Blog 1.

:wrench: Getting Started with Maltego:

Note: We will not go too deep on Maltego, as this blog is based on brief passive reconnaissance techniques; Maltego could have a whole dedicated blog in itself. A brief initial description of the steps to get set up is:

  1. Installation: Download and install Maltego from the official website: Maltego Download Page.
  2. Creating a New Project: Launch Maltego and create a new project by navigating to File > New, and fill in the necessary details.
  3. Setting Up Transforms: Set up the transforms based on your investigation needs. Transforms are scripts that determine how data is gathered and displayed in Maltego.

12.1 Maltego: Visualizing Domain Relationships

We will start by using Maltego to gather information on the target domain.

:bar_chart: Findings:

:thinking: Insights from the Findings:

  • As detailed in the above image, you can see a visualization of the results from our passive domain reconnaissance. This reinforces the discoveries from our subdomain enumeration in Blog 1. This method not only streamlined the retrieval of vital information but presented it in an easily digestible format.

12.2 Maltego: Uncovering Web Technologies

Employing Maltego, we can extend our investigation into the web technologies underpinning crushingsecurity.com.
Leveraging BuiltWith transforms within Maltego, we were able to discern the following technologies:

:bar_chart: Findings:

:thinking: Insights from the Findings:
These findings not only validate but enrich the initial data from Blog 1. For instance, the use of reputable hosting providers like Cloudflare and Oracle Cloud suggests a level of operational maturity. Similarly, the diverse mobile compatibility indicates a user-centric approach to web design, ensuring accessibility across various devices.

These technical insights could prove pivotal in understanding the digital posture of crushingsecurity.com, providing a solid base for further, more targeted investigations.

13. Discovering Public Information with theHarvester

For our next tool we will utilise theHarvester, a tool that can be adeptly used to gather public information (emails, subdomains, hosts, employee details, and open ports) about a target from different public data sources.

:hammer_and_wrench: Setup & Execution
I installed this on Kali Linux VM with the following command:

sudo apt install theharvester

Once installed, I ran the following command: theHarvester -d crushingsecurity.com -b bing,dnsdumpster,threatminer,yahoo

This simple command line initiated theHarvester to gather information about the crushingsecurity.com domain from various data sources (bing, dnsdumpster, threatminer, yahoo).

:bar_chart: Findings:

:thinking: Insights from the Findings: The use of theHarvester unveiled seven distinct hosts under ‘crushingsecurity.com’, indicating various functions such as a blog, forum, contact page, development environment, newsletter, and support system. This confirms the previous stages of the investigation and demonstrates another efficient technique. theHarvester has many modules and is very quick and effective to use in the OSINT journey.

14. Uncovering Data with Google Dorks

Google Dorks harness the power of Google’s advanced search operators to uncover valuable data that’s publicly available but not immediately apparent. Let’s employ this technique to unearth more insights into crushingsecurity.com.

Note: It’s crucial to utilize Google Dorks responsibly and ethically. Misuse could potentially violate privacy or terms of service of websites. For a deeper understanding of Google’s advanced search operators, check out Google’s support page.

:hammer_and_wrench: Setup & Execution
No specific setup is required, just a browser.

Here’s an example of a range of Google dork commands that we’ll try:

Attempted finding of potentially sensitive files
These commands aim to discover publicly accessible files that could contain sensitive information, or valuable information to assist our goals.

site:community.crushingsecurity.com filetype:pdf
site:community.crushingsecurity.com filetype:XML
site:community.crushingsecurity.com filetype:csv

Finding an index page revealing further potential targets
This command can reveal directory listings, potentially exposing further targets for investigation.

site:community.crushingsecurity.com intitle:"index of"

Searching for references to password, see if any passwords are exposed
Uncovering references to passwords could indicate security lapses, such as exposed credentials.

site:crushingsecurity.com intext:"password"

Searching for references to steve
This could return useful information on the user we know is associated with Crushing Security, such as additional social media pages, points of contact, or even user accounts.

site:crushingsecurity.com intext:"steve"

Searching for an admin page
Identifying admin pages can provide a glimpse into the backend structure and potential entry points.

site:crushingsecurity.com inurl:"/admin"

:bar_chart: Findings:

We did not get any results from:

site:community.crushingsecurity.com filetype:pdf
site:community.crushingsecurity.com filetype:XML
site:community.crushingsecurity.com filetype:csv
site:community.crushingsecurity.com intitle:"index of"
site:crushingsecurity.com inurl:"/admin"

The following did provide results:
site:crushingsecurity.com intext:"password"

site:crushingsecurity.com intext:"steve"

:thinking: Insights from the Findings:

Most of the Google Dork searches did not return much information, such as exposed sensitive documents. The password matches were just references to the Crushing Security blogs where the word password was mentioned. However, a useful finding came when we looked further into the user Steve: we discovered further user accounts on the Crushing Security community forum, including what looks to be an admin account ‘steve_admin’, without interacting directly with the target system. This information could certainly be useful for later stages.

15. Shodan

Shodan, often referred to as ‘the search engine for hackers’, is a powerful tool that allows users to discover specific types of computers and appliances connected to the internet using a variety of filters. Unlike traditional search engines, Shodan looks for specific information that can be incredibly valuable for a hacker. This can include details about servers, webcams, routers, and even smart devices, presenting a large security risk if not managed correctly. Let’s utilize Shodan to gather further information on our target, crushingsecurity.com.

We’ll begin by opening Shodan and specifying the IP address 144.21.55.183 we retrieved in Blog 1.

:bar_chart: Findings:

Pivoting to the domain by simply clicking the domain CRUSHINGSECURITY.com under the General Information section on the left-hand side, I’m able to gather domain information for our target.

:thinking: Insights from the Findings:

The detailed insights from Shodan complement our earlier findings from Blog 1 and current explorations in Blog 2. The open ports (80 and 443) confirm the web service presence, providing avenues for further inspection. The SSL certificate data, including its validity period and issuing authority, offer a glimpse into the site’s security posture. Notably, the last seen date on Shodan is valuable as it presents a recent snapshot of the target’s network configuration. Additionally, the domain records and subdomains provide a structured view of the target’s online presence, aiding in mapping out the broader network infrastructure for subsequent investigations.
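Putting the same Shodan fields (open ports, certificate issuer and validity period, last seen) to defensive use, as an added example that is not part of the original post: it reduces a Shodan host record for an IP you are responsible for to a short list of alerts. The endpoint and the host JSON field names are Shodan's; the API key, the fixed clock value and SAMPLE_HOST are constructed placeholders, the sample echoing the post's IP and open ports.

```python
"""Summarise and alert on a Shodan host record for an IP you are responsible for.

Added example, not code from the original post. The endpoint and the host JSON
field names are Shodan's real ones; the API key, SAMPLE_NOW and SAMPLE_HOST are
constructed for this demonstration.
"""
import json
import urllib.request
from datetime import datetime, timezone

SHODAN_HOST_ENDPOINT = "https://api.shodan.io/shodan/host/{ip}?key={key}"

# Fixed clock so the offline demonstration is reproducible (constructed).
SAMPLE_NOW = datetime(2023, 12, 2, tzinfo=timezone.utc)

# Constructed sample in the shape of a Shodan host record (IP and ports from the post).
SAMPLE_HOST = {
    "ip_str": "144.21.55.183",
    "ports": [80, 443],
    "hostnames": ["crushingsecurity.com"],
    "last_update": "2023-09-29T15:37:43.000000",
    "data": [
        {"port": 80, "transport": "tcp"},
        {
            "port": 443,
            "transport": "tcp",
            "ssl": {
                "cert": {
                    "issued": "20231001000000Z",
                    "expires": "20240101000000Z",
                    "expired": False,
                    "issuer": {"C": "US", "O": "Example CA (constructed)", "CN": "Example CA R1"},
                    "subject": {"CN": "crushingsecurity.com"},
                }
            },
        },
    ],
}


def fetch_host(ip: str, api_key: str) -> dict:
    """Retrieve the live host record (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(SHODAN_HOST_ENDPOINT.format(ip=ip, key=api_key), timeout=20) as resp:
        return json.load(resp)


def parse_shodan_time(value: str) -> datetime:
    """Shodan certificate timestamps look like 20240101000000Z and are UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificates(host: dict) -> list:
    """One entry per TLS-bearing service: port, issuer CN, subject CN, expiry."""
    certs = []
    for service in host.get("data", []):
        cert = service.get("ssl", {}).get("cert")
        if not cert:
            continue
        certs.append({
            "port": service["port"],
            "issuer": cert.get("issuer", {}).get("CN", "?"),
            "subject": cert.get("subject", {}).get("CN", "?"),
            "expires": parse_shodan_time(cert["expires"]),
        })
    return certs


def exposure_alerts(host: dict, expected_ports: set, now: datetime, warn_days: int = 30) -> list:
    """Alert on ports Shodan sees that you did not expect, and on certificates
    that are expired or expire within warn_days of `now`."""
    alerts = []
    for port in sorted(set(host.get("ports", [])) - expected_ports):
        alerts.append(f"unexpected port {port} exposed on {host.get('ip_str')}")
    for cert in certificates(host):
        remaining = (cert["expires"] - now).days
        if remaining < 0:
            alerts.append(f"certificate on port {cert['port']} expired {-remaining} days ago")
        elif remaining <= warn_days:
            alerts.append(
                f"certificate on port {cert['port']} expires in {remaining} days (issuer: {cert['issuer']})"
            )
    return alerts


if __name__ == "__main__":
    print("last seen by Shodan:", SAMPLE_HOST["last_update"])
    for line in exposure_alerts(SAMPLE_HOST, {80, 443}, SAMPLE_NOW):
        print("ALERT:", line)
```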

Summary of Tools in Deep OSINT and Data Gathering Section

In this section, we delved further into the digital footprint of crushingsecurity.com using tools like Recon-ng, Maltego, theHarvester, Google Dorks, and Shodan.

:mag: Recon-ng: Revealed valuable insights on LinkedIn and GitHub, showcasing community interactions.

:desktop_computer: Maltego: Provided clear visualizations of domain relationships and web technologies.

:bar_chart: theHarvester: Unveiled seven distinct hosts, broadening the understanding of the target’s online infrastructure.

:mag_right: Google Dorks: Yielded additional user account information.

:globe_with_meridians: Shodan: Corroborated earlier findings while providing a recent snapshot of the target’s network configuration, including open ports and SSL certificate data. It also provided us with the ‘last seen’ date letting us know this webserver is still active.

These tools significantly enriched our OSINT endeavors, laying a solid groundwork for the upcoming section on Potential Vulnerabilities and Threats.

:no_entry_sign: Potential Vulnerabilities and Threats

:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:white_check_mark: :link: Subdomains and Related Domains
:white_check_mark: :male_detective: Deep OSINT and Data Gathering
:arrow_right: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

Having navigated through the realms of deep OSINT and data gathering, we now shift our focus towards identifying potential vulnerabilities and threats concerning our target, CrushingSecurity. The extensive passive reconnaissance conducted thus far lays the groundwork for this critical phase.

In this crucial phase, our aim is firmly set on finding vulnerabilities, particularly in the realm of exposed credentials and potential cyber threats, without breaching the perimeter of our target’s digital infrastructure. We navigate through this section with a dual focus:

  • Exposed Credentials: Unveiling whether any associated credentials have been compromised and surfaced in data breaches, potentially offering a foothold for threat actors.
  • Threat Intelligence: Gaining insights into potential threats, malware, and suspicious activities that could bear significance to the security posture of our target, CrushingSecurity.

This section intertwines the data we’ve previously gathered, merging it with fresh insights to present a view of the potential vulnerabilities and threats that might impact the security and operations of our target. Let’s continue our investigation, beginning with the online website haveibeenpwned!

16. Have I Been Pwned

Have I Been Pwned is an invaluable tool in this phase to identify potential vulnerabilities and threats. It aggregates data breaches, allowing users to check if their personal information has been compromised. For CrushingSecurity, we’ll use it to check if any emails associated with the domain were in known data breaches, identifying possible sensitive information exposure.
The use of Have I Been Pwned can also provide great opportunities for preventative measures, such as enforcing password changes for compromised accounts, thereby strengthening the overall security of the system.

  1. Navigate to Have I Been Pwned: Go to Have I Been Pwned.
  2. Email Address Check: Enter any known email addresses associated with CrushingSecurity into the search field to check for compromises.

Note: We have not yet observed an email address from our passive recon. In a real engagement, although not passive, we could potentially create a new email address that doesn’t obviously link back to us, and sign up for the newsletter at newsletter.crushingsecurity.com we observed in our earlier recon.

However, we’re going to skip that in this example and instead use a variety of email formats that organisations commonly use. We will utilise the user ‘Steve’ for this.

Potential formats we will try:

We will also try [email protected] and another name we found was steve_admin so we’ll give [email protected] a shot too.

:bar_chart: Findings:

Results:

:thinking: Insights from the Findings:

None of the email addresses we attempted were linked to any breaches. Although there were no results, this was a step well worth trying given how efficient it is and how valuable it can be. We know the domain and website were recently created, and we also know the owner appears to have strong knowledge of cybersecurity, so no findings here isn’t too much of a surprise.
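The same check automated for a domain owner auditing accounts they control, as an added example that is not part of the original post, using HIBP's v3 breachedaccount endpoint; the API key, the example account and SAMPLE_RESPONSE are constructed. The detail worth getting right in code is that HIBP signals "not in any breach" with a 404 and rate limiting with a 429 plus a retry-after header, and that a forced password reset is only warranted when a breach actually exposed passwords.

```python
"""Check accounts from a domain you administer against Have I Been Pwned (HIBP).

Added example, not code from the original post. The endpoint, headers and
status-code semantics are HIBP's documented v3 API; the API key, the account
used in the demo and SAMPLE_RESPONSE are constructed placeholders.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}?truncateResponse=false"

# Constructed sample of a 200 body: two breaches, only one of which exposed passwords.
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleBreach", "Title": "Example Breach", "BreachDate": "2021-03-01",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "OtherLeak", "Title": "Other Leak", "BreachDate": "2019-07-15",
     "DataClasses": ["Email addresses", "Usernames"]},
])


def build_request(account: str, api_key: str, user_agent: str) -> urllib.request.Request:
    """HIBP rejects requests that lack an API key or a descriptive user-agent."""
    url = HIBP_URL.format(account=urllib.parse.quote(account, safe=""))
    return urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})


def interpret_response(status: int, body: str) -> list:
    """Turn an HIBP status/body pair into a list of breach summaries.

    404 means the account is not in any breach (it is not an error);
    200 carries a JSON array of breach objects.
    """
    if status == 404:
        return []
    if status == 200:
        return [
            {"name": b["Name"], "date": b["BreachDate"],
             "passwords_exposed": "Passwords" in b.get("DataClasses", [])}
            for b in json.loads(body)
        ]
    raise RuntimeError(f"unexpected HIBP status {status}")


def needs_password_reset(breaches: list) -> bool:
    """Only breaches that leaked passwords justify forcing a reset."""
    return any(b["passwords_exposed"] for b in breaches)


def check_account(account: str, api_key: str, user_agent: str = "domain-breach-audit (added example)") -> list:
    """Query HIBP for one account, honouring a 429 retry-after back-off once."""
    req = build_request(account, api_key, user_agent)
    for attempt in range(2):
        try:
            with urllib.request.urlopen(req, timeout=20) as resp:
                return interpret_response(resp.status, resp.read().decode())
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt == 0:
                time.sleep(int(err.headers.get("retry-after", "2")))
                continue
            return interpret_response(err.code, err.read().decode(errors="replace"))
    return []  # not reached: the second attempt always returns or raises above


if __name__ == "__main__":
    # Offline demonstration on the constructed body; swap in check_account() for live lookups.
    breaches = interpret_response(200, SAMPLE_RESPONSE)
    for b in breaches:
        print(f"{b['name']} ({b['date']}) passwords exposed: {b['passwords_exposed']}")
    print("force password reset:", needs_password_reset(breaches))
```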

17. VirusTotal - Analyzing URLs and Files for Potential Threats

VirusTotal is a free online service that analyzes files and URLs to detect viruses, worms, trojans, and other kinds of malicious content. It uses various antivirus engines and website scanners to provide a comprehensive view of the safety and security of a particular file or URL. For crushingsecurity.com, we’ll utilize VirusTotal to evaluate its security stature and observe any potential threats or malicious activities linked to it.

Steps to Utilize VirusTotal:

  1. Navigate to VirusTotal: Go to VirusTotal.
  2. URL Analysis: Submit the URL crushingsecurity.com for analysis.
  3. Review Findings: Analyze the results, paying particular attention to detection results, details, and community comments.
  4. Deep Dive: Explore the ‘Details’ and ‘Relations’ sections to gain insights into the underlying infrastructure and related URLs or files.

:bar_chart: Findings from VirusTotal:


No malicious files detected

  • General Analysis:
    • Final URL: https://crushingsecurity.com/
    • First Submission: 2023-09-29 15:37:43 UTC
    • Last Analysis: 2023-09-29 15:37:43 UTC
    • Serving IP Address: 104.21.23.15
  • HTTP Response:
    • Status Code: 200
    • Server: cloudflare
    • Body Length: 644 B
    • Body SHA-256: 6c2bd807a4d74508fa2f2ac900baee11695908864970c1b9ce4573480d381eea
  • HTML Info:
    • Title: React App
    • Meta Tags:
      • description: Web site created using create-react-app
  • Analysis Result: No security vendors flagged this URL as malicious.
  • Categories: Media sharing (as per Xcitium Verdict Cloud).
  • Community Comments: No community comments were available at the time of analysis.

:thinking: Insights from the Findings:

  • No Immediate Threats: The absence of any security vendor flags suggests that crushingsecurity.com is not currently associated with malicious activities or recognized threats.
  • Modern Web Construction: The meta tag description indicates that the website was created using create-react-app, affirming our earlier findings regarding its technical stack.
  • Robust Security: The utilization of Cloudflare, as indicated by the server response, aligns with our previous observations about the domain’s infrastructure and security emphasis.
  • Potential for Further Investigation: While the immediate results do not indicate malicious activity, the details provided, such as the SHA-256 of the body and serving IP, could be used in further passive investigations to explore related domains, subdomains, or past incidents involving similar data.
  • Community Involvement: The absence of community comments might indicate that there haven’t been notable, community-verified incidents involving this URL. However, it’s valuable to revisit this periodically as the community might post relevant insights in the future.
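The same report fetched through VirusTotal's v3 API, as an added example that is not part of the original post: it shows how VirusTotal identifies a URL (the unpadded base64url encoding of the URL) and reduces the URL object to the fields walked through above. The endpoint, identifier scheme and attribute names are VirusTotal's; the API key and SAMPLE_REPORT are constructed, the sample populated with the post's values (final URL, status code, body SHA-256, title, analysis time).

```python
"""Look up a VirusTotal URL report and reduce it to a triage summary.

Added example, not code from the original post. The endpoint, the URL identifier
scheme and the attribute names are VirusTotal's; the API key and SAMPLE_REPORT
are constructed (the sample mirrors the values reported in the post).
"""
import base64
import json
import urllib.request
from datetime import datetime, timezone

VT_URL_ENDPOINT = "https://www.virustotal.com/api/v3/urls/{url_id}"

# Constructed sample shaped like a VT URL object, populated with the post's findings.
SAMPLE_REPORT = {"data": {"type": "url", "attributes": {
    "last_final_url": "https://crushingsecurity.com/",
    "last_http_response_code": 200,
    "last_http_response_content_length": 644,
    "last_http_response_content_sha256": "6c2bd807a4d74508fa2f2ac900baee11695908864970c1b9ce4573480d381eea",
    "title": "React App",
    "html_meta": {"description": ["Web site created using create-react-app"]},
    "last_analysis_date": int(datetime(2023, 9, 29, 15, 37, 43, tzinfo=timezone.utc).timestamp()),
    "last_analysis_stats": {"harmless": 1, "malicious": 0, "suspicious": 0, "undetected": 1, "timeout": 0},
    "last_analysis_results": {
        "ExampleEngineA": {"category": "harmless", "result": "clean"},
        "ExampleEngineB": {"category": "undetected", "result": "unrated"},
    },
}}}


def url_id(url: str) -> str:
    """VirusTotal identifies a URL by its base64url encoding with the '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_url_id(identifier: str) -> str:
    """Inverse of url_id(): restore the padding before decoding."""
    return base64.urlsafe_b64decode(identifier + "=" * (-len(identifier) % 4)).decode()


def fetch_url_report(url: str, api_key: str) -> dict:
    """Retrieve the live report (needs network; not used by the offline demo)."""
    req = urllib.request.Request(VT_URL_ENDPOINT.format(url_id=url_id(url)), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") if ts else None


def summarise_report(report: dict) -> dict:
    """Collapse a VT URL object into the handful of fields a triage note quotes."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    # Engines that voted malicious or suspicious, so the verdict can be traced back.
    flagged_by = sorted(
        engine for engine, res in attrs.get("last_analysis_results", {}).items()
        if res.get("category") in ("malicious", "suspicious")
    )
    if stats.get("malicious", 0):
        verdict = "malicious"
    elif stats.get("suspicious", 0):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "flagged_by": flagged_by,
        "final_url": attrs.get("last_final_url"),
        "http_status": attrs.get("last_http_response_code"),
        "body_sha256": attrs.get("last_http_response_content_sha256"),
        "title": attrs.get("title"),
        "last_analysis": _utc(attrs.get("last_analysis_date")),
    }


if __name__ == "__main__":
    print("VT identifier:", url_id("https://crushingsecurity.com/"))
    for key, value in summarise_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```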

18. Microsoft Defender Threat Intelligence (TI) - Deep Dive into Domain Analysis

Microsoft Defender Threat Intelligence (TI), a robust analyst workbench, emerged from Microsoft’s acquisition of RiskIQ. This platform aggregates numerous intelligence data sources, facilitating analysis of domains, IPs, and URLs for potential risks, malicious activities, and general web infrastructure insights. Particularly, former users of RiskIQ’s PassiveTotal will find Defender TI familiar, though prior experience is not a prerequisite. In analyzing crushingsecurity.com, we harness Defender TI to probe its internet exposure and garner vital security postures and configuration.

Steps to Utilize Microsoft Defender Threat Intelligence:

  1. Navigate to Microsoft Defender Threat Intelligence: Access the platform and utilize its search functionality.
  2. Domain Analysis: Submit crushingsecurity.com for a comprehensive analysis.
  3. Review Findings: Review the results, concentrating on resolutions, WHOIS records, subdomains, and any other pertinent information provided.
  4. Further Investigation: Leverage obtained data points for more in-depth passive investigations, such as exploring related domains or IPs.

:bar_chart: Findings from Microsoft Defender Threat Intelligence:

:thinking: Insights from the Findings:

  • Cloudflare Usage: Both resolved IPs are associated with Cloudflare, indicating a use of CDN and potential DDoS protection.

  • Privacy Measures: The utilization of privacy services for WHOIS record details and the absence of public certificates or projects indicate a mindful approach towards online presence and data protection.

  • Subdomain Enumeration: The list of subdomains provides additional vectors for passive reconnaissance and potential areas of interest for future investigations. Notably, certain environments, such as the development environment indicated by lhr.dev.community.crushingsecurity.com, are potentially fruitful avenues, possibly revealing insights into backend technologies, testing environments, or upcoming features.

  • Reputation & Historical Insights: While specific reputation scores and historical insights are unavailable without a subscription, the offered data can be instrumental for further investigations and to draw a comprehensive picture of the domain.

Summary of Tools in Potential Vulnerabilities and Threats Section

In the “Potential Vulnerabilities and Threats” section, we deployed a selection of tools to analyze the security stance and potential vulnerabilities linked to crushingsecurity.com. The tools utilized were Haveibeenpwned, VirusTotal, and Microsoft Defender Threat Intelligence, each offering unique insights into the potential threats and vulnerabilities related to the domain.

:lock: Haveibeenpwned: This tool enabled us to check for any known breaches involving email addresses associated with the domain. Although no breaches were found, it demonstrated a valuable step in identifying potential vulnerabilities related to known data leaks.

:bug: VirusTotal: By analyzing the URL and the associated content, we were able to confirm that the domain does not appear to currently be associated with any known threats or malicious activities. Additionally, it provided insights into the underlying web technologies and security configurations, such as utilizing Cloudflare for additional security layers.

:shield: Microsoft Defender Threat Intelligence: This platform provided a range of insights, like IP resolutions and WHOIS records, and detailed the subdomains related to crushingsecurity.com. These findings further validated our earlier discoveries and provided a structured base for future passive and active reconnaissance activities.

These tools collectively enhanced our understanding of the potential vulnerabilities and threats related to crushingsecurity.com. By providing a balanced view of the domain’s security posture, they have laid the groundwork for subsequent phases of our investigation, ensuring that our actions are informed, targeted, and we have awareness of any potential threats already existing on the network.

:rotating_light: Monitoring and Alerts

:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:white_check_mark: :link: Subdomains and Related Domains
:white_check_mark: :male_detective: Deep OSINT and Data Gathering
:white_check_mark: :no_entry_sign: Potential Vulnerabilities and Threats
:arrow_right: :rotating_light: Monitoring and Alerts

Ensuring that a domain is continuously available is crucial not only for maintaining its services but also for detecting potential cyber threats in real-time. We will start off by exploring TweetDeck.

:bird: 19. TweetDeck

TweetDeck is a comprehensive dashboard that allows users to monitor Twitter in real time, which can be a valuable asset in a cybersecurity reconnaissance strategy. While primarily used for managing social media, it can be repurposed as a tool for passive reconnaissance and threat intelligence by tracking mentions of specific keywords, hashtags, or accounts related to your target, industry, or technology.

:hammer_and_wrench: Setting Up TweetDeck

1. Accessing the Tool

  • Navigate to TweetDeck.
  • Sign in with a Twitter account.

2. Creating Columns for Monitoring

  • Add Columns: Use the “Add Column” feature to create various columns that will stream information based on your parameters.
  • Specify Criteria: Choose to monitor tweets from specific accounts, mentions of certain keywords, or hashtags relevant to your target or industry.
  • Filter Content: Apply filters to specify the type of tweets you want to monitor, such as excluding retweets or only showing tweets with images.

3. Managing Columns

  • Reorder: Drag and drop columns to reorder them based on your monitoring priorities.
  • Adjust Settings: Use the settings icon in each column to refine your criteria or adjust filters.
  • Remove: Delete columns that are no longer relevant to ensure your dashboard remains concise and focused.

:newspaper: Methods for monitoring

  • :male_detective: Cybersecurity Discussions: Monitor ongoing discussions or mentions related to cybersecurity threats, vulnerabilities, or incidents.

  • :mag: Company Mentions: Track mentions of your company or target to identify potential threats or public perceptions.

  • :globe_with_meridians: Industry News: Stay informed about the latest news, trends, and updates within your industry.

  • :rotating_light: Crisis Monitoring: Keep tabs on real-time developments during cybersecurity incidents or crises related to your target or sector.

  • :shield: Threat Identification: Identify threats or negative mentions related to your target or sector.

  • :arrows_counterclockwise: Real-time Awareness: Gain real-time insight into potential cybersecurity incidents, threats, or vulnerabilities.

  • :link: Link Analysis: Analyse the relationships or affiliations of users mentioning your target or relevant keywords.

  • :earth_americas: Global Perspective: Understand worldwide perceptions and discussions related to your target, industry, or threats.

Example: monitoring columns for Crushing Security references and Nginx vulnerability references.

:memo: Summary

TweetDeck, while traditionally used for social media management, offers a unique and real-time monitoring capability suitable for cybersecurity reconnaissance. Through strategic setup and continuous adaptation, it provides real-time insights into discussions, threats, and incidents that could impact your target or industry. The tool thus becomes a valuable asset in the arsenal of a cybersecurity professional, aiding in maintaining a pulse on the ever-evolving digital chatter pertinent to cybersecurity.

:bell: 20. Google Alerts

Leveraging automated alert systems to stay informed about relevant events, mentions, and changes related to the target, industry, and technology.

:hammer_and_wrench: Setting Up Google Alerts

1. Accessing the Tool

  • Navigate to Google Alerts.
  • Sign in with a Google account.

2. Creating an Alert

  • Enter Keywords: Insert the terms or phrases you wish to monitor. These could be company names, technologies, or specific threats.
  • Choose Parameters: You can define:
    • How often you receive alerts (e.g., as-it-happens, daily, weekly).
    • Sources to monitor (e.g., news, blogs, web, video).
    • Language and Region of the sources.
    • How many results to receive (e.g., only the best results or all results).
  • Set Alert: Click “Create Alert” to activate it.

3. Managing Alerts

  • Edit: Click on the pencil icon next to an alert to modify its parameters.
  • Delete: Click on the trash bin icon to remove an alert.
  • View: Click on “Show options” to view and adjust the settings of an alert.

:newspaper: Method for Monitoring

  • :mag: Company-Related Information: Keeps tabs on news, product launches, events, and other relevant happenings related to the company.

  • :globe_with_meridians: Technology and Vulnerability Updates: Ensures that we are informed about new vulnerabilities, patches, and updates for technologies relevant to the target.

  • :fire: Competitor Information: Helps in understanding competitor movements and strategic actions.

  • :busts_in_silhouette: Employee Information: Monitors employee movements, announcements, and statements that might give insights into internal changes.

  • :star2: Industry Trends: Provides alerts on emerging technologies, regulatory changes, and other industry-related updates.

  • :rotating_light: Threat Landscape: Aids in understanding the prevailing cyber threats and activities of threat actors that might be relevant to the target.

  • :shield: Threat Anticipation: By monitoring the cyber threats and activities of threat actors, we can anticipate potential threats to the target.

  • :arrows_counterclockwise: Technology Management: Keeping track of technological vulnerabilities and updates enables us to understand the security posture of the target’s technologies.

  • :link: Chain Analysis: Understanding internal changes, like employee movements and product updates, provides insights into possible shifts in the target’s operational landscape.

  • :earth_americas: Environmental Understanding: Keeping abreast of industry trends and regulatory changes allows us to foresee potential challenges or opportunities that might impact the target.

:eyes: Example Alerts

  • Company-Related: “CrushingSecurity” + “New Product”
  • Technology Monitoring: “Apache Server” + “Vulnerability”
  • Competitor Monitoring: “Competitor Name” + “Acquisition”
  • Threat Monitoring: “Ransomware Attack” + “[Industry]”

Example: For “Apache Server” + “Vulnerability”, this alert will keep us informed about new vulnerabilities discovered in Apache Server, enabling us to anticipate potential threats and update our threat model accordingly.
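The TweetDeck filters above (for example, excluding retweets) and the Google Alerts queries (“Apache Server” + “Vulnerability”, where every term must appear) are both simple rule matching. The following is an added example, not code from the original post, that runs the same kind of rules over a feed in plain Python so the matching logic is visible and can be reused with your own feed. The posts in `FEED` are constructed sample text, not real tweets or news items, and the rule names are my own.

```python
"""Keyword alert rules run over a constructed feed of posts.

Added example (not part of the original post). It mirrors the alert queries
in the text ("A" + "B" means both terms must appear) and the TweetDeck
"exclude retweets" filter. FEED below is constructed sample text only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertRule:
    name: str
    all_terms: tuple            # every term must appear, like "A" + "B" above
    exclude_retweets: bool = True


@dataclass(frozen=True)
class Post:
    source: str                 # "twitter", "news", "blog", ...
    text: str


# Constructed sample feed (not real posts).
FEED = [
    Post("twitter", "RT @someone: CrushingSecurity new product announced today!"),
    Post("twitter", "CrushingSecurity just launched a new product for blue teams"),
    Post("news", "Advisory: vulnerability disclosed in Apache Server mod_example"),
    Post("blog", "Apache Server tuning tips for high traffic sites"),
    Post("news", "Ransomware attack hits a Finance company overnight"),
]

# The example alerts from the text, as rules (industry filled in as "Finance").
RULES = [
    AlertRule("company", ("CrushingSecurity", "New Product")),
    AlertRule("apache-vuln", ("Apache Server", "Vulnerability")),
    AlertRule("ransomware-industry", ("Ransomware Attack", "Finance")),
]


def has_term(text, term):
    """Whole-phrase, case-insensitive match; word boundaries stop
    "Apache Server" from matching inside "Apache Servers"."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def is_retweet(text):
    """TweetDeck-style retweet detection on the raw text."""
    return text.startswith("RT @")


def matches(rule, post):
    """True when the post passes the rule's filters and contains all terms."""
    if rule.exclude_retweets and post.source == "twitter" and is_retweet(post.text):
        return False
    return all(has_term(post.text, term) for term in rule.all_terms)


def run_alerts(rules, feed):
    """Return {rule name: [matching post texts]} for one pass over the feed."""
    return {rule.name: [p.text for p in feed if matches(rule, p)] for rule in rules}


if __name__ == "__main__":
    for name, hits in run_alerts(RULES, FEED).items():
        print(f"[{name}] {len(hits)} hit(s)")
        for text in hits:
            print("   ", text)
```

Every term in a rule must be present, so the blog post about Apache tuning does not fire the vulnerability alert, and the retweet is dropped before matching, just as the TweetDeck filter would drop it. Swapping `FEED` for lines pulled from an RSS reader or a social media API is the only change needed to use this on live data.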

:memo: Summary

Google Alerts becomes an essential component in a comprehensive passive reconnaissance strategy, offering a continuous stream of information related to the target. From staying informed about potential vulnerabilities and threats to understanding internal and external changes related to the target, the tool facilitates an enhanced situational awareness that is pivotal for both red team and blue team activities. With strategic keyword settings and ethical use, it provides a valuable addition to our ongoing monitoring and alerting mechanism.

Part 2 Summary

In this second and concluding segment of our exploration into mastering passive reconnaissance, we’ve navigated through the domain of Open Source Intelligence (OSINT) and explored the realms of potential vulnerabilities and real-time monitoring.

Passive reconnaissance has allowed us to uncover valuable information about, and potential vulnerabilities in, our target, crushingsecurity.com, all without alerting or interacting with it directly. As we wrap up Part 2 of our exploration, let’s recap the crucial milestones achieved and peek into the future explorations awaiting us in the cybersecurity landscape.

We have completed all our stages:
:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:white_check_mark: :link: Subdomains and Related Domains
:white_check_mark: :male_detective: Deep OSINT and Data Gathering
:white_check_mark: :no_entry_sign: Potential Vulnerabilities and Threats
:white_check_mark: :rotating_light: Monitoring and Alerts

Here’s a quick recap of our journey in this segment:

:white_check_mark: :male_detective: Deep OSINT and Data Gathering: We embarked on a deeper exploration of open-source intelligence, employing tools like Recon-ng, Maltego, theHarvester, Google Dorks, and Shodan, revealing intricate details such as relationships, hidden data, and insights into community interactions, thereby broadening our understanding of the target’s online infrastructure and digital footprint.

:white_check_mark: :no_entry_sign: Potential Vulnerabilities and Threats: In this section, we checked Have I Been Pwned for exposure resulting from breaches. We then analysed threat intelligence sources such as VirusTotal and Microsoft Defender Threat Intelligence. Together this provided a basis for assessing possible threats and exploitable aspects within the target’s digital landscape.

:white_check_mark: :rotating_light: Monitoring and Alerts: We navigated through the aspect of ongoing vigilance using TweetDeck and Google Alerts, ensuring a continuous stream of relevant information and ensuring that we remain alert and informed about events, mentions, and changes pivotal to the target and its digital environment.

What’s Next?

And with that, we wrap up Part 2 of our exploration into the realm of passive reconnaissance. From the initial steps into domain information gathering to maintaining a watchful eye through ongoing monitoring and alerting, we’ve traversed through a spectrum of tools and techniques, each revealing a unique layer of the digital landscape.

The passive reconnaissance information gathered is extremely useful, and we collected all of it without interacting with our target’s systems.

One way to use this information is to search for known vulnerabilities affecting the software versions we identified. For example, we can search exploitdb, a respected repository of vulnerabilities and exploits, for nginx entries:

  1. nginx/1.23.3:

We could also explore the National Vulnerability Database (NVD) for potential vulnerabilities related to the observed technologies.

These are just two of many examples. Even when no vulnerabilities are identified, staying vigilant and continuously monitoring is paramount: vulnerabilities can be discovered and reported at any time.
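Checking an observed version against NVD is something worth automating as part of the monitoring stage, since new CVEs appear after the initial recon. The block below is an added example, not code from the original post. It builds a query against the real NVD CVE API 2.0 endpoint (`https://services.nvd.nist.gov/rest/json/cves/2.0`) using its documented `cpeName` parameter, and reduces a response to a triage list sorted by CVSS v3.1 score. The CPE vendor string for nginx (`f5`) is an assumption to confirm against the NVD CPE dictionary; `SAMPLE_RESPONSE` is constructed data with placeholder CVE ids, not real NVD output.

```python
"""Query NVD for CVEs matching an observed software version and triage them.

Added example, not from the original post. The endpoint and the cpeName
parameter are NVD's documented CVE API 2.0; the nginx vendor "f5" in the
CPE is an assumption. SAMPLE_RESPONSE is constructed placeholder data.
"""
import json
import urllib.parse
import urllib.request

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def cpe_name(vendor, product, version):
    """CPE 2.3 formatted string for an application, e.g. nginx 1.23.3."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def nvd_query_url(vendor, product, version):
    """URL asking NVD for CVEs whose configurations match this exact CPE."""
    query = urllib.parse.urlencode({"cpeName": cpe_name(vendor, product, version)})
    return f"{NVD_CVE_API}?{query}"


def triage(nvd_response):
    """Reduce an NVD CVE API 2.0 document to (id, score, summary) tuples,
    highest CVSS v3.1 base score first; unscored entries sort last."""
    rows = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = metrics[0]["cvssData"]["baseScore"] if metrics else None
        summary = next((d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en"), "")
        rows.append((cve["id"], score, summary))
    rows.sort(key=lambda r: (r[1] is None, -(r[1] or 0.0)))
    return rows


def fetch_and_triage(vendor, product, version, timeout=30):
    """Live lookup over the network. NVD rate-limits unauthenticated clients,
    so keep calls infrequent or add an apiKey header per their documentation."""
    req = urllib.request.Request(nvd_query_url(vendor, product, version),
                                 headers={"User-Agent": "recon-monitor-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return triage(json.load(resp))


# Constructed sample response shaped like the NVD API 2.0 schema.
# The CVE ids are placeholders, not real vulnerabilities.
SAMPLE_RESPONSE = {
    "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "descriptions": [{"lang": "en", "value": "Placeholder: issue A"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
        {"cve": {"id": "CVE-0000-0002",
                 "descriptions": [{"lang": "es", "value": "..."},
                                  {"lang": "en", "value": "Placeholder: issue B"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
        {"cve": {"id": "CVE-0000-0003",
                 "descriptions": [{"lang": "en", "value": "Placeholder: not yet scored"}],
                 "metrics": {}}},
    ],
}


if __name__ == "__main__":
    print(nvd_query_url("f5", "nginx", "1.23.3"))
    for cve_id, score, summary in triage(SAMPLE_RESPONSE):
        print(f"{cve_id:15} {str(score):>5}  {summary}")
```

Run on a schedule and diffed against the previous result, this turns the one-off lookup into an alert that fires when a new CVE is published for a version you observed, which is exactly the gap the monitoring stage is meant to close.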

What to Look Forward To:

Thanks for joining us on this journey. Now that we’ve explored passive reconnaissance, are you ready to dive into active reconnaissance? Or even the later stages, such as discovering the secrets of gaining initial access, escalating privileges, and mastering persistence techniques within systems? Keep an eye out for the upcoming series of blogs, where we’ll deep dive into each stage, revealing expert tips and strategies to navigate through them!

To be the first to hear about the next blog:
:bird: Connect on Twitter - CrushingSecurity
:bird: Connect on Twitter - Steve
:newspaper: Stay Updated with Our Cybersecurity Newsletter

Do you have any questions, or would you like to share your thoughts? Be sure to join and contribute here: :busts_in_silhouette: Join Our Community. We’d love to hear from other members of the community and share knowledge so we can all become cyber pros! :sunglasses:

For a comprehensive list of all the passive reconnaissance tools mentioned in this blog, as well as any future additions, please visit our masterlist: Passive Reconnaissance Tools Masterlist.

:globe_with_meridians: Connect with me:
:bird: Twitter
:newspaper: Stay Updated with Our Cybersecurity Newsletter
:heart: Want to support our mission to spread cybersecurity awareness? Support Our Mission

Also feel free to comment over at community.crushingsecurity.com or on my Twitter @cybersec_steve1 if you have any questions.