# Information Gathering (Reconnaissance)

## Passive Recon

**Physical Engagement/Social Engineering:**

* Location Information:
  * Satellite images
  * Drone recon
  * Building layout (badge readers, break areas, security, fencing)
* Job Information:
  * Employees (name, job title, phone number, manager, etc.)
  * Pictures (badge photos, desk photos, computer photos, etc.)

**Web/Host:**

* Target Validation: [WHOIS](https://who.is), [nslookup](https://www.nslookup.io), [dnsrecon](https://www.kali.org/tools/dnsrecon)
* Finding Subdomains: [Google FU](https://github.com/champmq/GoogleFU), [dig](https://toolbox.googleapps.com/apps/dig), [Nmap](https://nmap.org), [Sublist3r](https://www.kali.org/tools/sublist3r), [Bluto](https://github.com/darryllane/Bluto), [crt.sh](https://crt.sh)
* Fingerprinting: [Nmap](https://nmap.org), [Wappalyzer](https://www.wappalyzer.com), [WhatWeb](https://whatweb.net), [BuiltWith](https://builtwith.com), [Netcat](https://sectools.org/tool/netcat)
* Data Breaches: [HaveIBeenPwned](https://haveibeenpwned.com), [Breach-Parse](https://github.com/hmaverickadams/breach-parse), [WeLeakInfo](https://weleakinfo.io)

## Identifying The Target

Use [Bugcrowd](https://bugcrowd.com) (a public Bug Bounty Program) to identify the target T-Mobile.

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FMZlVOXAN6tS4mRpExO6E%2Fimage.png?alt=media&#x26;token=8b4fbed2-3ad5-4a0c-902b-2f08b1d81b61" alt="T-Mobile"><figcaption><p><a href="https://bugcrowd.com/engagements/t-mobile">https://bugcrowd.com/engagements/t-mobile</a></p></figcaption></figure>

Read the program details carefully and ensure that your testing activities comply with the authorized targets and rules outlined.

## Discovering Email Addresses

[Hunter.io](https://hunter.io) - find and verify professional email addresses

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FINM7vkm20W3Ek6Mt9xkD%2FUntitled.png?alt=media&#x26;token=f5016b9c-1d5a-4a3a-8059-434c11fc73c9" alt="T-Mobile email addresses found using Hunter.io"><figcaption><p><a href="https://hunter.io/try/search/t-mobile.com?locale=en">https://hunter.io/try/search/t-mobile.com?locale=en</a></p></figcaption></figure>

[Phonebook.cz](https://phonebook.cz) - lists all domains, email addresses, or URLs for the given input domain.

[Voila Norbert](https://www.voilanorbert.com) - great for getting the email addresses you need.

[Clearbit](https://clearbit.com) - free, verified B2B emails (it must be used in Chrome).

[Email Hippo](https://tools.emailhippo.com) - free online email verification tool.

## Gathering Breached Credentials with Breach-Parse

[breach-parse](https://github.com/hmaverickadams/breach-parse) - a tool for parsing breached passwords

```sh
breach-parse @t-mobile.com t-mobile.txt "~/Downloads/BreachCompilation/data"
```

The obtained results can be leveraged for Credential Stuffing and Password Spraying.
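The following is an added example, not breach-parse's own code and not part of the original write-up. It does the same job as the `breach-parse` command above (walk `email:password` lines and keep those belonging to one domain) but from the defender's side of the exercise: it matches the domain exactly (so `@example.com` does not also pull in `@example.community`, which a plain substring grep would), folds e-mail case, splits on the first colon only (passwords may contain colons), and reports only occurrence counts and short password fingerprints rather than the cleartext. The sample dump is constructed; every address and password in it is made up.

```python
"""Triage a breach compilation for accounts belonging to one domain.

Added example (not breach-parse's code). Input is an iterable of
"email:password" lines, so a large dump can be streamed from an open
file instead of being loaded into memory.
"""
import hashlib
from typing import Dict, Iterable, List

# Constructed sample in the "email:password" layout used by compilations
# such as BreachCompilation; all addresses and passwords are invented.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
bob@example.com:hunter2
ALICE@example.com:Summer2023!
carol@other.test:letmein
bob@example.com:hunter2:extra-field
malformed line without separator
dave@sub.example.com:Pa55word
eve@example.community:nope
"""


def password_fingerprint(password: str) -> str:
    """Short SHA-256 prefix used to tell distinct leaked passwords apart
    without ever writing the cleartext into a report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage_dump(lines: Iterable[str], domain: str) -> Dict[str, Dict[str, object]]:
    """Return {account: {"occurrences": n, "password_fingerprints": [...]}}
    for every address whose domain part equals `domain` (case-insensitive)."""
    domain = domain.lower().lstrip("@")
    report: Dict[str, Dict[str, object]] = {}
    for line in lines:
        line = line.rstrip("\r\n")
        # Split on the FIRST colon only: the password may itself contain ':'.
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue  # malformed record, skip it
        email = email.strip().lower()
        if email.rsplit("@", 1)[1] != domain:
            continue  # exact domain match: no example.community / sub.example.com
        entry = report.setdefault(
            email, {"occurrences": 0, "password_fingerprints": set()}
        )
        entry["occurrences"] += 1
        entry["password_fingerprints"].add(password_fingerprint(password))
    # Convert the internal sets to sorted lists for stable, printable output.
    return {
        account: {
            "occurrences": e["occurrences"],
            "password_fingerprints": sorted(e["password_fingerprints"]),
        }
        for account, e in sorted(report.items())
    }


def affected_accounts(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Just the account names, e.g. for a forced-reset list."""
    return sorted(report)


if __name__ == "__main__":
    result = triage_dump(SAMPLE_DUMP.splitlines(), "@example.com")
    for account, info in result.items():
        print(f"{account}: seen {info['occurrences']}x, "
              f"{len(info['password_fingerprints'])} distinct password(s)")
```

Pass an open file object instead of `SAMPLE_DUMP.splitlines()` to run it over a real compilation; the account list from `affected_accounts` is what an internal team needs to force resets, while the fingerprints let you check whether a user's current password hash corresponds to a leaked one without handling the cleartext.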

## Hunting Breached Credentials with DeHashed

[DeHashed](https://dehashed.com) - Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks.

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FVAgHhofjneEifU9EUwSG%2Fimage.png?alt=media&#x26;token=f9929038-7b50-4185-9f1b-ee46440ae299" alt=""><figcaption><p><a href="https://dehashed.com/">https://dehashed.com</a></p></figcaption></figure>

Hashes.org is down; therefore, use [Hashes.com](https://hashes.com/en/decrypt/hash) or other tools to look up or crack the hashed passwords.

## Hunting Subdomains

[Sublist3r](https://www.kali.org/tools/sublist3r) - Finding Subdomains

1. Synchronize the local package database with repository sources:

```sh
sudo apt update
```

2. Install Sublist3r tool:

```sh
sudo apt install sublist3r
```

3. Run Sublist3r:

```sh
sublist3r -d t-mobile.com
```

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FeI4w5jx6jup2LrN52sYx%2Fimage.png?alt=media&#x26;token=d41a9789-179a-41e7-9e23-f4e8c36299bb" alt="sublist3r -d t-mobile.com"><figcaption></figcaption></figure>

This enumerates subdomains of <mark style="color:orange;">T-Mobile.com</mark> using various search engines.

[crt.sh](https://crt.sh) - to look for registered certificates

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2Ft2xyVKqzmsrh9QtkTHUL%2FScreenshot%202024-10-24%20225943.png?alt=media&#x26;token=385cc848-8214-41c7-b075-d17dd208aad2" alt="crt.sh"><figcaption></figcaption></figure>

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FDyA6UCdN6rMjHax5dcWl%2Fimage.png?alt=media&#x26;token=00bcda69-10a5-442e-b006-c66c63dc4e21" alt="Certificates"><figcaption></figcaption></figure>
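The crt.sh lookup shown above returns one row per certificate, and a single certificate often lists several names, so the raw result needs flattening before it is a usable host list. The following is an added example, not crt.sh's or Sublist3r's code and not part of the original write-up: it parses the JSON form of a crt.sh search (`https://crt.sh/?q=%25.<domain>&output=json`, where each record's `name_value` field holds newline-separated names), reduces wildcards to their base name, lower-cases and de-duplicates, and drops names that are not under the apex domain. The sample response is constructed in the same shape as the real output; `fetch_crtsh_json` performs the actual download and needs network access.

```python
"""Collect subdomains from a crt.sh JSON response.

Added example (not the write-up's code). The same parser serves two
purposes: building a host list during recon, and monitoring certificate
transparency for certificates issued for your own domain.
"""
import json
import urllib.request
from typing import List
from urllib.parse import quote

# Constructed sample mimicking the shape of crt.sh's JSON output; real
# responses carry more fields (issuer_name, not_before, ...) per record.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com"},
    {"id": 2, "name_value": "*.dev.example.com"},
    {"id": 3, "name_value": "API.example.com\nwww.example.com"},
    {"id": 4, "name_value": "example.com.evil.test"},   # not under the apex
    {"id": 5, "name_value": "mail.example.com."},        # trailing dot
])


def extract_subdomains(crtsh_json: str, apex: str) -> List[str]:
    """Return sorted, unique hostnames that are `apex` or a subdomain of it.

    Wildcard entries (*.dev.example.com) are reduced to their base name
    (dev.example.com), names are lower-cased and stripped of a trailing dot,
    and anything outside the apex is discarded (example.com.evil.test is
    not a subdomain of example.com).
    """
    apex = apex.lower().strip(".")
    found = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


def fetch_crtsh_json(apex: str, timeout: float = 30.0) -> str:
    """Download the crt.sh JSON listing for %.<apex> (requires network)."""
    url = f"https://crt.sh/?q={quote('%.' + apex)}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_crtsh_json("example.com") for a live query.
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The resulting list is what you would feed to httprobe (see below) or Amass as seed input; the names come from certificate logs rather than DNS, so a name that appears here may no longer resolve.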

[OWASP Amass](https://github.com/owasp-amass/amass) - In-depth attack surface mapping and asset discovery

1. Install the GCC-based compiler for the `Go` programming language:

```sh
sudo apt install gccgo-go
```

2. Install the official `Go` programming language compiler and tools developed by Google:

```sh
sudo apt install golang-go
```

3. Install OWASP Amass:

```sh
go install -v github.com/owasp-amass/amass/v4/...@master
```

4. Run OWASP Amass:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FUfu8PGQtc1xTxUec4pn0%2Fimage.png?alt=media&#x26;token=2c816495-4092-4ccb-ad65-32ae30818d45" alt="OWASP amass"><figcaption></figcaption></figure>

5. Enumerate subdomains of <mark style="color:orange;">T-Mobile.com</mark>:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2F7VPHNZoOCRVsz2EKSKru%2Fimage.png?alt=media&#x26;token=d7ccc2ca-648e-48e6-88ac-7b851f74a864" alt="Enumerate subdomains of T-Mobile.com"><figcaption></figcaption></figure>

[httprobe](https://github.com/tomnomnom/httprobe) - Take a list of domains and probe for working HTTP and HTTPS servers

1. Install httprobe:

```bash
sudo apt install httprobe
```

2. Run httprobe with <mark style="color:orange;">domains.txt</mark>:

```bash
cat ~/Desktop/domains.txt | httprobe
```

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2Fxe9aq0fdNtG2pa7XVoTH%2Fimage.png?alt=media&#x26;token=95c891dd-0953-4452-916f-a099ca78c3aa" alt="cat ~/Desktop/domains.txt | httprobe"><figcaption></figcaption></figure>

This will narrow the list to the active subdomains.

## Identifying Website Technologies

[BuiltWith](https://builtwith.com) - Web technology information profiler tool. Find out what a website is built with.

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FRQDp42S75yVU7z5bT8Km%2FUntitled.png?alt=media&#x26;token=690028df-8503-466f-ab1e-ce320874b521" alt=""><figcaption><p><a href="https://builtwith.com/">https://builtwith.com</a></p></figcaption></figure>

This will display a detailed list of technologies <mark style="color:orange;">T-mobile.com</mark> is built with:

* Analytics and Tracking
* Widgets
* Language
* Frameworks
* Mapping
* Content Delivery Network
* Mobile
* Payment
* Audio / Video Media
* Content Management System
* JavaScript Libraries and Functions
* Verified Link
* Advertising
* SSL Certificates
* Name Server
* Email Hosting Providers
* Web Hosting Providers
* Web Servers
* Operating Systems and Servers
* Verified CDN
* Robots.txt
* Web Master Registration
* Content Delivery Network

Preview of <mark style="color:orange;">Analytics and Tracking</mark>:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FrPFOoGZRDRL4QippjfTD%2Fimage.png?alt=media&#x26;token=81b60de7-edbd-4cd9-8f94-d2d8cabb1014" alt=""><figcaption><p><a href="https://builtwith.com/t-mobile.com">https://builtwith.com/t-mobile.com</a></p></figcaption></figure>

[Wappalyzer](https://www.wappalyzer.com) - Identify technologies on websites

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FHqabnSaKs04yDWGuXtYZ%2FUntitled.png?alt=media&#x26;token=57a45b08-4446-41a5-85cd-49d2dbf633df" alt="Wappalyzer - T-Mobile.com"><figcaption></figcaption></figure>

[WhatWeb](https://www.kali.org/tools/whatweb) - Next generation web scanner

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FWn0FkgeGNrtEgvy66TLz%2Fimage.png?alt=media&#x26;token=ee75afa4-8c9a-4f0d-8a09-14ce426d8aa0" alt=""><figcaption></figcaption></figure>

```bash
whatweb t-mobile.com
whatweb tmobile.com
```

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FQztDqnmuKeqgI3XjYihK%2Fimage.png?alt=media&#x26;token=728ad11d-db79-44f3-a150-f2701623c4a6" alt="whatweb t-mobile.com &#x26;&#x26; whatweb tmobile.com"><figcaption></figcaption></figure>
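BuiltWith, Wappalyzer and WhatWeb all work the same way underneath: they match an HTTP response against a table of signatures (the `Server` and `X-Powered-By` headers, session cookie names, `<meta name="generator">` tags and so on). The following is an added example, not WhatWeb's or the write-up's code, that shows a minimal version of that matching over a constructed HTTP response; the signature table is a deliberately small subset of the kind of rules such tools carry by the thousand. Run against your own site, it also lists which common security headers the server does not send, which is the defensive reading of the same fingerprint.

```python
"""Fingerprint a web server from one HTTP response, WhatWeb-style.

Added example (not WhatWeb's code). Each signature has exactly one
capturing group, which is the label reported for that technology.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample response; every header value and the HTML body are
# made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 6.4">'
    "</head><body>hi</body></html>"
)

# (category, regex with one capturing group, location); location is
# "header:<lower-case name>" or "body".
SIGNATURES: List[Tuple[str, str, str]] = [
    ("Web Server", r"^((?:nginx|Apache|Microsoft-IIS|LiteSpeed)(?:/[\w.]+)?)", "header:server"),
    ("Language", r"^(PHP(?:/[\w.]+)?)", "header:x-powered-by"),
    ("Language", r"^(ASP\.NET)", "header:x-powered-by"),
    ("Session", r"^(PHPSESSID)=", "header:set-cookie"),
    ("Session", r"^(JSESSIONID)=", "header:set-cookie"),
    ("Session", r"^(ASP\.NET_SessionId)=", "header:set-cookie"),
    ("CMS", r'<meta name="generator" content="(WordPress[^"]*)"', "body"),
]

# Headers a hardened site is expected to send; reported when absent.
EXPECTED_SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
)


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased and values kept as a list, because
    headers such as Set-Cookie may legitimately repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def fingerprint(raw: str) -> Dict[str, List[str]]:
    """Return {category: [labels]} for every signature that matches."""
    _status, headers, body = parse_response(raw)
    result: Dict[str, List[str]] = {}
    for category, pattern, where in SIGNATURES:
        if where == "body":
            candidates = [body]
        else:
            candidates = headers.get(where.split(":", 1)[1], [])
        for text in candidates:
            match = re.search(pattern, text, re.IGNORECASE)
            if match:
                labels = result.setdefault(category, [])
                if match.group(1) not in labels:
                    labels.append(match.group(1))
    missing = [h for h in EXPECTED_SECURITY_HEADERS if h not in headers]
    if missing:
        result["Missing Security Headers"] = missing
    return result


if __name__ == "__main__":
    for category, labels in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{category}: {', '.join(labels)}")
```

Version strings in `Server` and `X-Powered-By` are the first thing such scanners report, which is why removing or genericising them on your own servers (and sending the three security headers above) shrinks what the passive phase of an engagement learns.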

## Information Gathering with Burp Suite

[Burp Suite](https://portswigger.net/burp) - The class-leading vulnerability scanning, penetration testing, and web app security platform. Burp Suite's main feature is the Proxy. The Proxy enables Burp to act as an intermediary between the client (web browser) and the server hosting the web application.

1. Set up Firefox for using Burp Suite:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FLpsuSDE8Wpe9Yz8JX72b%2FUntitled.jpg?alt=media&#x26;token=8b4f9f8d-775c-47c1-a119-0bcb29830288" alt="Set up Firefox for using Burp Suite"><figcaption></figcaption></figure>

2. Access `https://burp` and download the `CA Certificate`:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FaIfIiUUMI3Bvt52ESJEV%2FUntitled.png?alt=media&#x26;token=e87ff515-6555-44f6-baa8-396b9555eaa4" alt="Access https://burp and download the CA Certificate"><figcaption></figcaption></figure>

3. Import the `CA Certificate`:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2FadSYsmcXSQkMNayfLfGk%2FUntitled.png?alt=media&#x26;token=446e5b80-b45b-45f5-87d9-60472caa6ec8" alt="Import the CA Certificate"><figcaption></figcaption></figure>

4. Access `T-Mobile.com` through Firefox:

<figure><img src="https://2377137241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyNXjlRfAJA38cZuMdmG3%2Fuploads%2F3TnHBYYt7bhROvVBScjk%2Fimage.png?alt=media&#x26;token=da962955-ce7b-4c81-ab26-330627d718e8" alt="Access T-Mobile.com through Firefox"><figcaption></figcaption></figure>

The requests and responses recorded in the Proxy history contain very useful information about the application.

## Google Fu

Google-Fu (informal): skill in using search engines (especially Google) to quickly find useful information on the Internet.

[Google Search Operators (Dorks)](https://ahrefs.com/blog/google-advanced-search-operators) - The Complete List (44 Advanced Operators)

Example:

```
site:t-mobile.com -www filetype:pdf
```

* `site:t-mobile.com`: Restricts search to t-mobile.com and its subdomains
* `-www`: Excludes results from [www.t-mobile.com](http://www.t-mobile.com)
* `filetype:pdf`: Returns only PDF files

## Utilizing Social Media

Social media platforms like [LinkedIn](https://www.linkedin.com), [Twitter (X)](https://x.com), [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), etc. are valuable resources for conducting Open-Source Intelligence (OSINT) gathering through publicly available information.

## Additional Learning, Open-Source Intelligence (OSINT)

On a separate page: [Open-Source Intelligence (OSINT)](https://blog.othmanemoutaouakkil.com/write-ups/tcm-security/open-source-intelligence-osint)

