Passive Recon

This is where we use non-computer-based means to gather information on a target; it is primarily physical or social: location information such as satellite images, drone fly-bys and the building layout, plus any job or employee information that can be found, such as details on their badges.

Web / Host Recon

The most important phase of a pentest is recon: the more information and coverage we build on a target, the more attack surface we have and the more exploitation vectors we can leverage.

To achieve this we can carry out some or all of the following investigations on web applications and hosts:

Email Searches with Hunter.io

Hunter.io is an online tool that lets us discover email addresses associated with a specific domain, for example tryhackme.com.

It is a useful tool for looking up information about particular domains.
Features include:

This can be a useful tool for gathering email addresses, names and departments of targets for social engineering attempts, among other bits and pieces.
A good tactic is to combine this with other soft searches on social media, such as an organisation's employee list on LinkedIn. Using the basic email address structure found on Hunter.io together with employee names from LinkedIn, we can infer quite a few extra addresses.

SubDomain Enumeration

There are many tools for gathering data on a target's subdomains, and they all operate a little differently. The following notes page has further details on several of them, including searching certificate information with crt.sh and the command-line tool Sublist3r for those of us who prefer to work from a terminal.

Web Information Gathering - Hunting Subdomains
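As an added example (not part of these notes or of the crt.sh project), here is a small parser for the JSON that crt.sh returns for a domain query. It turns the raw certificate records into a deduplicated, in-scope hostname list and flags wildcard entries and names that only appear on expired certificates, which is the same step a blue team takes when inventorying the hosts its own certificates expose. The sample records are constructed.

```python
# Added example (not from the original notes). Assumes the JSON shape crt.sh
# returns for ?q=%.example.com&output=json: records with common_name,
# name_value (SAN entries separated by newlines) and not_after.
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the crt.sh JSON layout (example.com is a reserved name).
SAMPLE_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2030-06-01T00:00:00"},
    {"common_name": "old.example.com",
     "name_value": "OLD.Example.com\nlegacy.example.com",
     "not_after": "2019-03-01T00:00:00"},
    {"common_name": "example.com.evil.test",  # out of scope, must be dropped
     "name_value": "example.com.evil.test",
     "not_after": "2030-01-01T00:00:00"},
])


def parse_crtsh(raw: str, domain: str, now: Optional[datetime] = None) -> dict:
    """Return in-scope hostnames, wildcard entries and names seen only on
    expired certificates (often decommissioned or forgotten hosts)."""
    now = now or datetime.now(timezone.utc)
    domain = domain.lower().strip(".")
    live, expired, wildcards = set(), set(), set()
    for rec in json.loads(raw):
        # crt.sh gives not_after without an offset; it is UTC.
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for name in rec["name_value"].split("\n") + [rec.get("common_name", "")]:
            name = name.strip().lower().rstrip(".")
            if not name or (name != domain and not name.endswith("." + domain)):
                continue  # empty, or outside the queried domain
            if name.startswith("*."):
                wildcards.add(name)
            else:
                (live if not_after > now else expired).add(name)
    return {"hosts": sorted(live | expired),
            "wildcards": sorted(wildcards),
            "expired_only": sorted(expired - live)}


if __name__ == "__main__":
    print(json.dumps(parse_crtsh(SAMPLE_JSON, "example.com"), indent=2))
```

Names that survive only on expired certificates are worth checking against the current asset register, since they often point at hosts nobody remembers owning.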

What's that built on?