Information Gathering

Next, we move towards the Information Gathering stage. Before any target systems can be examined and attacked, we must first identify them. It may well be that the customer will not give us any information about their network and components other than a domain name or just a listing of in-scope IP addresses/network ranges. Therefore, we need to get an overview of the target web application(s) or network before proceeding further.

Reconnaissance can be passive or active. Check out this article that explains this difference very well

Location Information: Satellite images, Drone recon, Building layout
Job information: Employees, Pictures

Web / Host

Source: Practical Ethical Hacking - TCM Security

Identifying our target

In the case of bug hunting we will have a document with detailed information on what is in scope and what is out of scope. We have to take very good notes of these to be sure to not make any mistakes. In the case of a pentest it will be defined in the document called Rules of Engagement

Discovering email address

Check this article about Email OSINT

Gathering breached credentials

Check this article about Password OSINT

Web information Gathering

Check this article about Website OSINT and this one aboutTools for website OSINT

Using search engines

Check out this article about Search Engines

Check out this article about Social Media OSINT

Tools

Lots of tools are available for the OSINT / Recon part, check this article about this here

PreviousIntroduction NextScanning & Enumeration

Last updated 2 years ago

hashtagPhysical / Social

hashtagWeb / Host

hashtagIdentifying our target

hashtagDiscovering email address

hashtagGathering breached credentials

hashtagWeb information Gathering

hashtagUsing search engines

hashtagUsing Social Media

hashtagTools

Physical / Social