Information Gathering (Reconnaissance)
Physical Engagement/Social Engineering:
Location Information:
Satellite images
Drone recon
Building layout (badge readers, break areas, security, fencing)
Job Information:
Employees (name, job title, phone number, manager, etc.)
Pictures (badge photos, desk photos, computer photos, etc.)
Web/Host:
Target Validation: , ,
Finding Subdomains: , , , , ,
Fingerprinting: , , , ,
Data Breaches: , ,
Read the program details carefully and ensure that your testing activities comply with the authorized targets and rules outlined.
The obtained results can be leveraged for Credential Stuffing and Password Spraying.
Synchronize the local package database with repository sources:
Install Sublist3r tool:
Run Sublist3r:
This enumerates subdomains of T-Mobile.com using various search engines.
Install the GCC-based compiler for the Go programming language:
Install the official Go programming language compiler and tools developed by Google:
Install OWASP Amass:
Run OWASP Amass:
Enumerate subdomains of T-Mobile.com:
Install httprobe:
Run httprobe with domains.txt:
This will narrow the list to the active subdomains.
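The step between the enumeration tools and httprobe is easy to get wrong: Sublist3r and Amass output hostnames in mixed case, with wildcards, schemes or ports, and with lookalike hosts that are not in the authorised scope. The following is an added example (not from the original page) that merges such raw outputs into one deduplicated, in-scope `domains.txt`; the file names, the sample tool output and the suffix-anchored scope rule are assumptions for illustration, and the bug bounty program rules remain the authority on what is in scope.

```shell
#!/usr/bin/env bash
# Added example: merge raw subdomain output from tools such as Sublist3r and
# Amass into a clean list for httprobe. Sample inputs below are constructed.
set -eu

# normalize_hosts: read hostnames/URLs on stdin, emit bare lowercase hostnames.
# Strips scheme, path/query, port, leading "*." wildcard and trailing dot.
normalize_hosts() {
  sed -E 's#^[A-Za-z]+://##; s#[/?].*$##; s#:[0-9]+$##; s#^\*\.##; s#\.$##' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9.-]+$' || true
}

# in_scope APEX: keep the apex domain and its subdomains only. Anchoring on the
# suffix means "t-mobile.com.attacker.example" or "not-t-mobile.com" never pass.
in_scope() {
  local pat
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  grep -E "(^|\.)${pat}\$" || true
}

# build_domains_list APEX FILE... : sorted, unique, in-scope hostnames.
build_domains_list() {
  local apex="$1"; shift
  cat "$@" | normalize_hosts | in_scope "$apex" | sort -u
}

# demo: constructed stand-ins for sublist3r/amass output files.
demo() {
  local tmp
  tmp=$(mktemp -d)
  printf '%s\n' 'WWW.t-mobile.com' 'https://account.t-mobile.com/login' \
    '*.api.t-mobile.com' 'evil.example' > "$tmp/sublist3r.txt"
  printf '%s\n' 'www.t-mobile.com.' 't-mobile.com.attacker.example' \
    'cdn.t-mobile.com:8443' 'not-t-mobile.com' > "$tmp/amass.txt"
  build_domains_list t-mobile.com "$tmp/sublist3r.txt" "$tmp/amass.txt"
  rm -rf "$tmp"
}

demo   # writes the cleaned list to stdout; redirect to domains.txt for httprobe
```

The four hosts printed by `demo` are the only ones that survive: the duplicate `www` entries collapse to one, and the two out-of-scope lookalikes are dropped before anything is probed.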
This will display a detailed list of technologies T-mobile.com is built with:
Analytics and Tracking
Widgets
Language
Frameworks
Mapping
Content Delivery Network
Mobile
Payment
Audio / Video Media
Content Management System
JavaScript Libraries and Functions
Verified Link
Advertising
SSL Certificates
Name Server
Email Hosting Providers
Web Hosting Providers
Web Servers
Operating Systems and Servers
Verified CDN
Robots.txt
Web Master Registration
Content Delivery Network
Preview of Analytics and Tracking:
Set up Firefox for using Burp Suite:
Access https://burp and download the CA Certificate:
Import the CA Certificate:
Access T-Mobile.com through Firefox:
Here we can find very useful information.
Google-Fu (uncountable) (informal) A skill in using search engines (especially Google) to quickly find useful information on the Internet.
Example:
site:t-mobile.com: Restricts search to t-mobile.com and its subdomains
-www: Excludes results from www.t-mobile.com
filetype:pdf: Returns only PDF files
Use (a public Bug Bounty Program) to identify the target T-Mobile.
- find and verify professional email addresses
- lists all domains, email addresses, or URLs for the given input domain.
- great for getting the email addresses you need.
- free, verified B2B emails (it has to be used on Chrome).
- free online email verification tool.
- a tool for parsing breached passwords
- Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks.
Hashes.org is down; use or other tools to crack the hashed passwords.
- Finding Subdomains
- to look for registered certificates
- In-depth attack surface mapping and asset discovery
- Take a list of domains and probe for working HTTP and HTTPS servers
- Web technology information profiler tool. Find out what a website is built with.
- Identify technologies on websites
- Next generation web scanner version
- The class-leading vulnerability scanning, penetration testing, and web app security platform. Burp Suite's main feature is the Proxy. The Proxy enables Burp to act as an intermediary between the client (web browser) and the server hosting the web application.
- The Complete List (44 Advanced Operators)
Social media platforms like , , , , etc. are valuable resources for conducting Open-Source Intelligence (OSINT) gathering through publicly available information.
On a separate page: