Commit e2e3aaa4 authored by Philip Linghammar

Updates identifying-technology-stack.md

Auto commit by GitBook Editor
parent cdb93fef
+9 −7
@@ -21,15 +21,17 @@
  * [General tips and tricks](general_tips.md)
* [Recon and Information Gathering Phase](scanning.md)
  * [Passive Information Gatherig](passive_information_gatherig.md)
    * [Email Harvesting](email_harvesting.md)
    * [Users](users.md)
    * [Google Hacking](google_hacking.md)
  * [Active Information Gathering](active_information_gathering.md)
    * [Port Scanning](port_scanning.md)
    * Identify IP-addresses and Subdomains
      * Identify IP-addresses
      * [Find Subdomains](find_subdomains.md)
        * [DNS Basics](dns_basics.md)
        * [Finding subdomains](finding_subdomains.md)
        * [DNS Zone Transfer Attack](dns_zone_transfer_attack.md)
    * [Identifying People](email_harvesting.md)
    * [Search Engine Discovery](google_hacking.md)
    * [Identifying Technology Stack](identifying-technology-stack.md)
  * [Active Information Gathering](active_information_gathering.md)
    * [Port Scanning](port_scanning.md)
* [Vulnerability analysis](vulnerability_analysi1s.md)
  * [Server-side Vulnerabilities](server-side-vulnerabilities.md)
    * [Common ports\/services and how to use them](list_of_common_ports.md)
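Review bot: the table of contents now lists `Active Information Gathering` and `Port Scanning` twice, once directly under the Recon chapter and again right after the new `Identifying Technology Stack` entry; drop the second pair so the sidebar does not show two identical sub-chapters. Two link targets also carry typos the edit did not touch: `passive_information_gatherig.md` and `vulnerability_analysi1s.md`; if those files are renamed, these SUMMARY links must follow or the chapters break. `Identify IP-addresses and Subdomains` and `Identify IP-addresses` have no link target, so confirm they are meant as plain group labels rather than pages.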
+36 −3
# Email Harvesting
# Identifying People

We want to find as many emails as possible for the target. Once we have gathered all possible emails we want to check if any of them has been compromised before, so that their password might be on the loose.
We want to find out how is connected to the target. That can be site administrator, employees, owner, mods. Maybe one of the administrators have posted in a forum with their email, or in a newsgroup or somewhere else. Those posts could contain useful data about the stack or help us devlop a network diagram. We might also need to use social engineering.

In order to find people we might use the following sources:

* The company website
* Social media \(LinkedIn, Facebook, Twitter etc\)
* Forums and newsgroups
* Metadata from documents

### Company Website

This is pretty obvious. Just look around on the website. Or download it. Or spider it with burp and then search the result.

Make sure to check out the blog. There you might have employees writing blogposts under their name.

### Social Media

```
site:twitter.com companyname
site:linkedin.com companyname
site:facebook.com companyname
```

### Metadata From Documents

You find some documents and then run exiftool on them to see if there is any interesting metadata.

```
site:example.com filetype:pdf
```

## Email Harvesting

theharvester - I have not had luck with this

```
theharvester -d example.com -l 500 -b all
```

## Check if emails have been pwned before

[https://haveibeenpwned.com](https://haveibeenpwned.com)

https://haveibeenpwned.com
# Users

social-searcher.com

Reddit  
Snoopsnoo
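Review bot: the new intro sentence `We want to find out how is connected to the target` is missing a word (`who is connected`), and `devlop` should be `develop`; `Gatherig` in the sidebar filename is the same kind of typo. The haveibeenpwned reference appears both as a markdown link and as a bare URL at the end of the section; keep only the markdown form so the rendered page does not show the address twice. `## Email Harvesting` and `## Check if emails have been pwned before` sit under a page whose title is now `# Identifying People`, which is fine, but the `# Users` block that follows (`social-searcher.com`, `Reddit`, `Snoopsnoo`) is a second top-level title in the same file with no links and no sentence on what each source returns; either merge it under a `##` heading with one line per source or keep it in its own page as the SUMMARY still suggests.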
+25 −13
# Google hacking
# Search Engine Discovery

Search engines can be very useful for finding information about the target. Search engines can be used for two things:

* Finding sensitive information on the domain that you are attacking
* Finding sensitive information about the company and its employees in on other parts of the internet. Like forums, newsgroups etc.



Remember that the world is bigger than google. So test out the other search engines.

Baidu, binsearch.info, Bing, DuckDuckGo, ixquick/Startpage, Shodan,PunkSpider



Google is a good tool to learn more about a website.

## Finding specific filetypes


```
filetype:pdf
```
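Review bot: `in on other parts of the internet` has a stray word (`on other parts`), and `Shodan,PunkSpider` is missing a space after the comma. The runs of three blank lines before `Remember that the world is bigger than google.` and before `Google is a good tool` collapse to one in the rendered page, so the extra lines only add noise in the source; the search-engine list on the `Baidu, binsearch.info, ...` line would read better as the same bullet style used for the two use cases above it. The `Finding specific filetypes` heading is followed by a blank line and then the fence, unlike the other headings in the file, which go straight to the fence.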
@@ -35,7 +47,7 @@ Example:
"I've been * for a heart"
```

This will return answers where * is anything.
This will return answers where \* is anything.

## Exclude words

@@ -59,28 +71,28 @@ So if a website has been taken down you can still find the cached version, of th
cache:website.com
```

https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf

[https://www.blackhat.com/presentations/bh-europe-05/BH\_EU\_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)

## Examples

Find login-pages on sites that use the ending .bo. For bolivia.

```
site:bo inurl:admin.php
```


## More

Here are some more

Great guide for google dorks  
https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf
[https://www.blackhat.com/presentations/bh-europe-05/BH\_EU\_05-Long.pdf](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)

http://www.googleguide.com/advanced_operators_reference.html
[http://www.googleguide.com/advanced\_operators\_reference.html](http://www.googleguide.com/advanced_operators_reference.html)

http://www.searchcommands.com/
[http://www.searchcommands.com/](http://www.searchcommands.com/)

https://support.google.com/websearch/answer/2466433?hl=en
[https://support.google.com/websearch/answer/2466433?hl=en](https://support.google.com/websearch/answer/2466433?hl=en)

https://www.exploit-db.com/google-hacking-database/
[https://www.exploit-db.com/google-hacking-database/](https://www.exploit-db.com/google-hacking-database/)
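Review bot: the Black Hat `BH_EU_05-Long.pdf` reference is now present twice in the file, once after the `cache:` example and again under `More`; keep a single copy, preferably the one under `More` with the other links. Each bare URL in the `More` section is followed by its markdown-link twin, so the rendered list will show every address twice; keep only the markdown form. `Here are some more` is a dangling fragment that can be dropped, and `Great guide for google dorks` is the only entry with a description (and a trailing two-space line break), so either describe every link in one line or none. In the `Examples` section, `For bolivia.` should be `Bolivia`, and it would be clearer to say the `.bo` in `site:bo` is the country TLD.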
+8 −0
## Identifying Technology Stack



* Job openings
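Review bot: this new page uses a level-two heading (`## Identifying Technology Stack`) for its title, while the sibling pages in the same book use a single `#`; match the others so GitBook renders the page title consistently. The three blank lines after the heading collapse to one. `Job openings` is the only bullet and carries no explanation, so the page reads as a placeholder; one sentence on why a job listing is a source for the stack would make it useful to a reader arriving from the sidebar.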