Information Gathering (Reconnaissance)

Passive Recon

Physical Engagement/Social Engineering:

Location Information:
- Satellite images
- Drone recon
- Building layout (badge readers, break areas, security, fencing)
Job Information:
- Employees (name, job title, phone number, manager, etc.)
- Pictures (badge photos, desk photos, computer photos, etc.)

Web/Host:

Target Validation: WHOIS, nslookup, dnsrecon
Finding Subdomains: Google FU, dig, Nmap, Sublist3r, Bluto, crt.sh
Fingerpriting: Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
Data Breaches: HaveIBeenPwned, Breach-Parse, WeLeakInfo

Identifying The Target

Use Bugcrowd (a public Bug Bounty Program) to identify the target T-Mobile.

Read the program details carefully and ensure that your testing activities comply with the authorized targets and rules outlined.

Discovering Email Addresses

Hunter.io - find and verify professional email addresses

Phonebook.cz - lists all domains, email addresses, or URLs for the given input domain.

Voila Norbert - great for getting the email addresses you need.

Clearbit - free, verified B2B emails (it has to be used on Chrome).

Email Hippo - free online email verification tool.

Gathering Breached Credentials with Breach-Parse

breach-parse - a tool for parsing breached passwords

breach-parse @t-mobile.com t-mobile.txt "~/Downloads/BreachCompilation/data"

The obtained results can be leveraged for Credential Stuffing and Password Spraying.

Hunting Breached Credentials with DeHashed

DeHashed - Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks.

Hashes.org is down, therefore, use Hashes.com or other tools to decrypt the hashed passwords.

Hunting Subdomains

Sublist3r - Finding Subdomains

Synchronize the local package database with repository sources:

sudo apt update

Install Sublist3r tool:

sudo apt install sublist3r

Run Sublist3r:

sublist3r -d t-mobile.com

This enumerates subdomains of T-Mobile.com using various search engines.

crt.sh - to look for registered certificates

OWASP Amass - In-depth attack surface mapping and asset discovery

Install the GCC-based compiler for the Go programming language:

sudo apt install gccgo-go

Install the official Go programming language compiler and tools developed by Google:

sudo apt install golang-go

Install OWASP Amass:

go install -v github.com/owasp-amass/amass/v4/...@master

Run OWASP Amass:

Enumerate subdomains of T-Mobile.com:

httprobe - Take a list of domains and probe for working HTTP and HTTPS servers

Install httprobe:

sudo apt install httprobe

Run httprobe with domains.txt:

cat ~/Desktop/domains.txt | httprobe

This will narrow the list to the active subdomains.

Identifying Website Technologies

BuiltWith - Web technology information profiler tool. Find out what a website is built with.

This will display a detailed list of technologies T-mobile.com is built with:

Analytics and Tracking
Widgets
Language
Frameworks
Mapping
Content Delivery Network
Mobile
Payment
Audio / Video Media
Content Management System
JavaScript Libraries and Functions
Verified Link
Advertising
SSL Certificates
Name Server
Email Hosting Providers
Web Hosting Providers
Web Servers
Operating Systems and Servers
Verified CDN
Robots.txt
Web Master Registration
Content Delivery Network

Preview of Analytics and Tracking:

Wappalyzer - Identify technologies on websites

WhatWeb - Next generation web scanner version

whatweb t-mobile.com
whatweb tmobile.com

Information Gathering with Burp Suite

Burp Suite - The class-leading vulnerability scanning, penetration testing, and web app security platform. Burp Suite's main feature is the Proxy. The Proxy enables Burp to act as an intermediary between the client (web browser) and the server hosting the web application.

Set up Firefox for using Burp Suite:

Access https://burp and download the CA Certificate:

Import the CA Certificate:

Access T-Mobile.com through Firefox:

Here we can find very useful information.

Google Fu

Google-Fu (uncountable) (informal) A skill in using search engines (especially Google) to quickly find useful information on the Internet.

Google Search Operators (Dorks) - The Complete List (44 Advanced Operators)

Example:

site:t-mobile.com -www filetype:pdf

site:t-mobile.com: Restricts search to t-mobile.com and its subdomains
-www: Excludes results from www.t-mobile.com
filetype:pdf: Returns only PDF files

Social media platforms like LinkedIn, Twitter (X), Facebook, Instagram, etc. are valuable resources for conducting Open-Source Intelligence (OSINT) gathering through publicly available information.