(05-17-2020, 10:28 AM)QueenStrike Wrote: A great thread and very well written. I personally use Maltego. I will open a "Case File" and from there I will map out the different pieces of information I have gathered. I can't tell you how many times Google dorking has helped me find, say, a PDF or a DOC file which helped me identify software used by a target; generally this works well when the target has a large surface exposed. There are also many dual-purpose tools. For example, we might see VirusTotal as a file scanner, but it can also be used to scan URLs/domains, in which case we can get some subdomains as well as possible IP addresses. The real basics of dig, nslookup and whois are often the bread and butter of recon.
Most of the time people don't even expect these things would work. I once talked to a guy who had knowingly and irresponsibly provided his scan report openly on the web. When I told him, what is the point of storing a document on the web that contains the list of port details and other scan reports of your company, he said that it's impossible to get these docs as they are not linked to any page and he had searched on Shodan and it was not there either :lulw: . Then I thought, why am I even trying to talk to such a guy. I still have the document {probably}; had it fallen into some bad hands the company could have been in ashes. It was terrible.