Information Gathering (Reconnaissance)

Passive Recon

Physical Engagement/Social Engineering:

  • Location Information:

    • Satellite images

    • Drone recon

    • Building layout (badge readers, break areas, security, fencing)

  • Job Information:

    • Employees (name, job title, phone number, manager, etc.)

    • Pictures (badge photos, desk photos, computer photos, etc.)

Web/Host:

Identifying The Target

Use Bugcrowd (a public bug bounty platform) to identify the target; the examples on this page use T-Mobile's public program.

Read the program details carefully and ensure that your testing activities comply with the authorized targets and rules outlined.

Discovering Email Addresses

Hunter.io - find and verify professional email addresses.

Phonebook.cz - lists all domains, email addresses, or URLs for the given input domain.

Voila Norbert - great for getting the email addresses you need.

Clearbit - free, verified B2B emails (a Chrome extension, so it only works in Chrome).

Email Hippo - free online email verification tool.

Gathering Breached Credentials with Breach-Parse

breach-parse - a tool for parsing breached passwords.

The obtained results can be leveraged for Credential Stuffing and Password Spraying.

Hunting Breached Credentials with DeHashed

DeHashed - Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks.

Hashes.org is down, therefore use Hashes.com or other tools to look up or crack the hashed passwords (a hash is not decrypted; it is matched against known plaintexts or brute-forced).

Hunting Subdomains

Sublist3r - Finding Subdomains

  1. Synchronize the local package database with repository sources:

  2. Install Sublist3r tool:

  3. Run Sublist3r:

sublist3r -d t-mobile.com

This enumerates subdomains of T-Mobile.com using various search engines.

crt.sh - look up the certificates registered for the domain (certificate transparency logs); every hostname on those certificates is a subdomain candidate.
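A crt.sh query with output=json returns a list of certificate entries whose name_value field packs several names into one newline-separated string, so the raw export needs parsing before the names can be fed to other tools. The following added example (my code, not from these notes or from crt.sh) parses that export into a deduplicated hostname list and then applies the scope check the Bugcrowd section above asks for: bug bounty style patterns such as *.example.com with exclusions that win over inclusions. The sample export, the scope patterns and example.com are constructed placeholders, not a target.

```python
"""Parse crt.sh JSON output into a deduplicated, in-scope list of hostnames.

Added example; this is not code from the original notes or from crt.sh.
Assumptions: the input is crt.sh's JSON export (what
https://crt.sh/?q=%25.example.com&output=json returns), i.e. a list of
objects whose "name_value" field holds newline-separated names. The sample
data and the scope/exclusion patterns below are constructed, and example.com
is a placeholder domain, not a target.
"""
import fnmatch
import json
from typing import Iterable, List, Set

# Constructed sample in the shape of a crt.sh JSON export (three entries,
# with repeated names, a wildcard SAN, mixed case and one unrelated SAN).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    {"issuer_ca_id": 1, "common_name": "*.example.com",
     "name_value": "*.example.com\nDev.Example.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2024-02-01T00:00:00"},
    {"issuer_ca_id": 2, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nwww.example.com\nexample.com.evil.test",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T00:00:00"},
])


def extract_hostnames(crtsh_json: str) -> Set[str]:
    """Return every distinct hostname named in the export, lower-cased.

    Wildcard entries such as *.example.com are reduced to their base name,
    since a wildcard is not itself a resolvable host.
    """
    hosts: Set[str] = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            # Skip blanks and anything that is not a plausible DNS name.
            if name and " " not in name and "." in name:
                hosts.add(name)
    return hosts


def in_scope(host: str, scope: Iterable[str], exclusions: Iterable[str] = ()) -> bool:
    """Match a host against bug-bounty style scope patterns (*.example.com).

    Exclusions win over inclusions, matching how program rules are written.
    fnmatch's '*' also matches dots, so *.example.com covers a.b.example.com
    but never example.com itself or example.com.evil.test.
    """
    host = host.lower()
    if any(fnmatch.fnmatchcase(host, pat.lower()) for pat in exclusions):
        return False
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in scope)


def in_scope_hostnames(crtsh_json: str, scope: Iterable[str],
                       exclusions: Iterable[str] = ()) -> List[str]:
    """Parse the export and keep only the hosts the program authorises."""
    scope, exclusions = list(scope), list(exclusions)
    return sorted(h for h in extract_hostnames(crtsh_json)
                  if in_scope(h, scope, exclusions))


if __name__ == "__main__":
    # Constructed scope for the sample: the apex and all subdomains are in
    # scope, the mail host is excluded by the program rules.
    for host in in_scope_hostnames(SAMPLE_CRTSH_JSON,
                                   scope=["example.com", "*.example.com"],
                                   exclusions=["mail.example.com"]):
        print(host)
```

Running the script prints dev.example.com, example.com and www.example.com: the wildcard collapsed to the apex, the duplicates merged, the excluded mail host and the unrelated SAN dropped. Filtering at this stage, before any probing, is what keeps the later httprobe and Amass steps inside the authorised targets.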

OWASP Amass - In-depth attack surface mapping and asset discovery

  1. Install the GCC-based compiler for the Go programming language:

  2. Install the official Go programming language compiler and tools developed by Google:

  3. Install OWASP Amass:

  4. Run OWASP Amass:

  5. Enumerate subdomains of T-Mobile.com:

httprobe - Take a list of domains and probe for working HTTP and HTTPS servers

  1. Install httprobe:

  2. Run httprobe with domains.txt:

cat ~/Desktop/domains.txt | httprobe

This will narrow the list to the active subdomains.
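What httprobe does with that list is simple but worth seeing spelled out: for every name it tries https:// and http://, and it reports any URL whose server answers at all, because a 403 or a 500 still proves there is a live web server to look at. The following added example (my code, not from these notes or from the httprobe project) reproduces that behaviour in Python. It assumes the one-hostname-per-line domains.txt format used above; the fetch callable is injectable so the logic can be exercised offline, the default uses urllib with a short timeout, and the hostnames in the usage are placeholders.

```python
"""httprobe-style probing: which names in a list answer on HTTP or HTTPS?

Added example; this is not code from the original notes or from the httprobe
project. It reproduces httprobe's default behaviour in Python: try https://
and http:// for every hostname and report any URL whose server answers at
all (a 403 or 500 still proves a live web server). Assumptions: the input
has one hostname per line (the domains.txt format used above); the `fetch`
callable is injectable so the logic can be exercised offline, and the
default uses urllib with a short timeout.
"""
import socket
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List


def urllib_fetch(url: str, timeout: float = 5.0) -> bool:
    """True if something at `url` returns an HTTP response, else False."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        # A response with an error status is still a live server.
        return True
    except (urllib.error.URLError, socket.timeout, OSError, ValueError):
        # DNS failure, refused connection, TLS failure or timeout: not live.
        return False


def candidate_urls(host: str, extra_ports: Iterable[int] = ()) -> List[str]:
    """Build the URLs to try for one host: default ports first, then extras.

    Extra ports are tried with both schemes (a simplification of httprobe's
    -p option, which lets you pin a scheme to a port).
    """
    host = host.strip().lower()
    urls = [f"https://{host}", f"http://{host}"]
    for port in extra_ports:
        urls.append(f"https://{host}:{port}")
        urls.append(f"http://{host}:{port}")
    return urls


def probe(hosts: Iterable[str], fetch: Callable[[str], bool] = urllib_fetch,
          extra_ports: Iterable[int] = (), workers: int = 20) -> List[str]:
    """Return the live URLs, in input order; blank and '#' lines are skipped."""
    extra_ports = list(extra_ports)
    urls: List[str] = []
    for line in hosts:
        host = line.strip()
        if host and not host.startswith("#"):
            urls.extend(candidate_urls(host, extra_ports))
    urls = list(dict.fromkeys(urls))  # de-duplicate while keeping order
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(fetch, urls))
    return [url for url, ok in zip(urls, alive) if ok]


if __name__ == "__main__":
    # Equivalent of `cat domains.txt | httprobe`: read names from a file
    # given as the first argument, or from stdin.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        for live_url in probe(source):
            print(live_url)
```

The thread pool matters because a dead host costs a full timeout; twenty concurrent probes keep a few hundred candidate names to a minute or two. Keep the timeout short and the worker count modest when the list comes from an authorised program, so the probing itself stays well within normal traffic levels.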

Identifying Website Technologies

BuiltWith - Web technology information profiler tool. Find out what a website is built with.

This will display a detailed list of technologies T-mobile.com is built with:

  • Analytics and Tracking

  • Widgets

  • Language

  • Frameworks

  • Mapping

  • Content Delivery Network

  • Mobile

  • Payment

  • Audio / Video Media

  • Content Management System

  • JavaScript Libraries and Functions

  • Verified Link

  • Advertising

  • SSL Certificates

  • Name Server

  • Email Hosting Providers

  • Web Hosting Providers

  • Web Servers

  • Operating Systems and Servers

  • Verified CDN

  • Robots.txt

  • Web Master Registration

Preview of Analytics and Tracking (screenshot).

Wappalyzer - Identify technologies on websites (screenshot: Wappalyzer results for T-Mobile.com).

WhatWeb - Next generation web scanner

whatweb t-mobile.com && whatweb tmobile.com
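BuiltWith, Wappalyzer and WhatWeb all work the same way underneath: they match response headers, cookie names and page content against a signature database. The following added example (my code, not from these notes or from any of those tools) shows the header and cookie part of that matching on a constructed response, and adds the check a defender runs on their own site: which components announce an exact version. The signature table is a small constructed subset written in the style of those tools' rule files, not a real database, and the header values are placeholders.

```python
"""Infer web technologies from HTTP response headers, the way BuiltWith,
Wappalyzer and WhatWeb do, and flag version disclosure.

Added example; this is not code from the original notes or from any of those
tools, and the signature table is a small constructed subset written in the
style of their rule files, not a real database. The sample response is
constructed and its values are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed signatures: (technology, header to inspect, regex on its value).
# A named group "version" captures a version string when the server leaks one.
HEADER_SIGNATURES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("Apache", "server", re.compile(r"^apache(?:/(?P<version>[\d.]+))?", re.I)),
    ("nginx", "server", re.compile(r"^nginx(?:/(?P<version>[\d.]+))?", re.I)),
    ("Microsoft IIS", "server", re.compile(r"^microsoft-iis(?:/(?P<version>[\d.]+))?", re.I)),
    ("Cloudflare", "server", re.compile(r"^cloudflare", re.I)),
    ("PHP", "x-powered-by", re.compile(r"php(?:/(?P<version>[\d.]+))?", re.I)),
    ("ASP.NET", "x-powered-by", re.compile(r"asp\.net", re.I)),
    ("Express", "x-powered-by", re.compile(r"^express", re.I)),
]
# Session cookie names are another strong hint about the stack.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
}

# Constructed sample response; every value is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=placeholder; Path=/; HttpOnly\r\n"
    "Set-Cookie: laravel_session=placeholder; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>placeholder</body></html>"
)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into {lower-cased header: [values]}.

    Repeated headers (Set-Cookie in particular) keep every value.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw_response: str) -> Dict[str, Optional[str]]:
    """Return {technology: version-or-None} for everything the headers reveal."""
    headers = parse_headers(raw_response)
    found: Dict[str, Optional[str]] = {}
    for tech, header, pattern in HEADER_SIGNATURES:
        for value in headers.get(header, []):
            match = pattern.search(value)
            if match:
                version = match.groupdict().get("version")
                found[tech] = version or found.get(tech)
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        tech = COOKIE_SIGNATURES.get(cookie_name)
        if tech:
            found.setdefault(tech, None)
    return found


def disclosed_versions(found: Dict[str, Optional[str]]) -> List[str]:
    """The defender's check: which components announce an exact version?

    Each entry is something to suppress (Apache's ServerTokens Prod, PHP's
    expose_php = Off) so a scanner cannot map the banner straight to CVEs.
    """
    return sorted(f"{tech} {version}" for tech, version in found.items() if version)


if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    print(result)
    print("version disclosure:", disclosed_versions(result))
```

On the sample the fingerprint reports Apache 2.4.41, PHP 7.4.3 and Laravel (from the cookie name alone, no version), and the disclosure check lists the two exact versions. Those banners are precisely what the tools above surface for a target, so they are the first thing to trim on a site you operate.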

Information Gathering with Burp Suite

Burp Suite - The class-leading vulnerability scanning, penetration testing, and web app security platform. Burp Suite's main feature is the Proxy, which lets Burp act as an intermediary between the client (web browser) and the server hosting the web application.

  1. Set up Firefox for using Burp Suite:

  2. Access https://burp and download the CA Certificate:

  3. Import the CA Certificate:

  4. Access T-Mobile.com through Firefox:

The captured requests and responses in Burp's HTTP history contain very useful information about how the site works.

Google Fu

Google-Fu (uncountable) (informal) A skill in using search engines (especially Google) to quickly find useful information on the Internet.

Google Search Operators (Dorks) - The Complete List (44 Advanced Operators)

Example:

  • site:t-mobile.com: Restricts search to t-mobile.com and its subdomains

  • -www: Excludes results from www.t-mobile.com

  • filetype:pdf: Returns only PDF files

Utilizing Social Media

Social media platforms like LinkedIn, Twitter (X), Facebook, Instagram, etc. are valuable resources for conducting Open-Source Intelligence (OSINT) gathering through publicly available information.

Additional Learning, Open-Source Intelligence (OSINT)

On a separate page: Open-Source Intelligence (OSINT)