Skip to main content

Passive Information Gathering Cheat Sheet

Passive information gathering, also known as passive reconnaissance, is the process of collecting information about a target without directly interacting with the target's systems. This phase is crucial for ethical hackers as it allows them to build a profile of their target legally and without alerting them.

Search Engines and Web Reconnaissance

  • Technique: Leverage search engines to discover information indexed publicly.
  • Tools/Resources:
    • Google Dorking:
      • site:: Limit search to a specific domain (e.g., site:nytimes.com cybersecurity).
      • filetype:: Search for specific file types (e.g., filetype:pdf site:example.com).
      • inurl:: Find URLs containing specific keywords (e.g., inurl:admin site:example.com).
      • intitle:: Search for specific words in the page title (e.g., intitle:"index of" site:example.com).
      • cache:: View a cached version of a webpage (e.g., cache:example.com).
      • related:: Find websites similar to a given domain (e.g., related:example.com)
      • intext:: This operator searches for specific text within the body of web pages. For example, intext:"sensitive information" site:example.com would look for pages on example.com that contain the phrase "sensitive information."
      • numrange:: This operator can be used to search for numbers within a specific range. For example, vulnerability numrange:2019-2023 might find pages discussing vulnerabilities discovered between 2019 and 2023.
      • Google Dorks Database: Exploit DB's GHDB (https://www.exploit-db.com/google-hacking-database) contains a collection of useful Google Dorks.
        • To find administrative panels: site:example.com inurl:admin
        • To unearth log files with passwords: filetype:log "password" site:example.com
        • To discover backup directories: intitle:"index of" "backup" site:example.com
    • Shodan (https://www.shodan.io/): Search engine for internet-connected devices.
      • hostname:: Find devices on a specific domain.
      • net:: Search within an IP range.
      • city:, country:, geo:: Filter by location.
      • port:: Find devices with a specific port open.
      • os:: Filter by operating system.
      • product:: Search for specific software or devices.
    • Censys (https://search.censys.io/): Similar to Shodan, provides data on internet-connected devices and certificates.
    • Wayback Machine (https://archive.org/web/): View historical snapshots of websites.
  • Technique: Gather information about individuals and organizations from social media platforms.
  • Tools/Resources:
    • LinkedIn:
      • Company profiles, employee information, job postings (reveal technologies used).
      • Use Boolean searches within LinkedIn: (e.g., site:linkedin.com/in "Software Engineer" AND "Acme Corp").
    • X:
      • Search for company mentions, employee tweets, and relevant hashtags.
      • Use X Advanced Search for precise queries.
    • Instagram, GitHub, etc.: Explore other platforms where the target or employees may have a presence.

DNS Reconnaissance

  • Technique: Gather information about the target's DNS infrastructure.
  • Tools/Resources:
    • nslookup: Basic DNS lookup utility.
    • dig: More advanced DNS query tool.
    • host: Another DNS lookup utility.
    • DNSDumpster (https://dnsdumpster.com/): Free online tool for DNS recon.
    • Sublist3r (https://github.com/aboul3la/Sublist3r): Subdomain enumeration tool.
    • Amass (https://github.com/OWASP/Amass): Comprehensive network mapping and asset discovery tool.
    • whois: Query WHOIS databases for domain registration information. Use it on the command line or via web interfaces. Be aware of GDPR restrictions, which may limit the amount of data shown in WHOIS results for individuals.

Other Passive Recon Techniques

  • Job Boards: Analyze job postings to identify technologies used by the target.
  • Technical Forums and Communities: Search for posts by employees or discussions related to the target's products or services.
  • Paste Sites (Pastebin, Ghostbin): Look for leaked code, credentials, or configuration files. Use automated tools or scripts to monitor these sites for relevant keywords.
  • Dark Web Monitoring (with caution): Use specialized search engines (e.g., Tor, I2P) to check if the target's data has been compromised and is being traded on the dark web. Be aware of the legal and ethical implications of accessing dark web content.
  • Virtual Hosts (Vhosts):
    • Understanding that multiple websites can reside on a single server.
    • Techniques:
      • Checking for common host headers in HTTP requests.
      • Using tools that brute-force common hostnames.

Other Tools

  • The Harvester: Gathers emails, subdomains, hosts, employee names, open ports, and banners from various public sources.
    • Commands: theharvester -d example.com -l 500 -b all
  • Maltego: Graphical link analysis tool that can visualize relationships between different pieces of information (domains, IPs, emails, people). Requires setting up transforms.
  • Recon-ng: Modular reconnaissance framework. Offers various modules for different information gathering tasks.
    • Workspace Management: workspaces create <workspace_name>, workspaces select <workspace_name>
    • Module Loading: marketplace install <module_name>, modules load <module_name>
    • Data Acquisition: Using modules like hackertarget, shodan, bing_domain_web.
  • GitLeaks: Scans public GitHub repositories for sensitive information like API keys, passwords, and credentials.
    • Usage: gitleaks -repo https://github.com/user/repo
  • Website Fingerprinting: Wappalyzer, BuiltWith, whatweb.