Recon Methods Part 2 – OSINT Host Discovery Continued

In part 1, we discussed how to start with a target’s name and research a company’s history through Wikipedia, gain information about external hosts with DNSDumpster, and continue host discovery with Hurricane Electric’s BGP Toolkit. We will continue our recon by searching Shodan, using SSL certificate search engines, SpyOnWeb, Archive.org, and viewing job listings. As an example, we will take a look at a company that recently restructured. Although this information is publicly available, we have chosen to redact the name of the company and identifiable information from the results.

Links to posts in this series:

Recon Methods Part 1 – OSINT Host Discovery

Recon Methods Part 3 – OSINT Employee Discovery

Recon Methods Part 4 – Automated OSINT

Recon Methods Part 5 – Traffic on the Target

Shodan

We’ll continue our recon with the Shodan. Shodan is a search engine for devices on the internet. When a device is found, they record details about the available services, headers returned during interactions, and geolocation of the physical host. We can use this information when profiling the attack surface of our target. Shodan offers a web interface and a command line tool. The web interface offers a concise rundown of the available services and recorded headers/SSL session information while interacting with the host, ASN and ISP information for the IP address, and the geolocation of the IP address.

Shodan also offers a command line interface (CLI). The Shodan CLI is easier to use when needing to perform searches against a target with large numbers of hosts/IP addresses. While the web interface will have the same results, we would have to go through each result one by one. The Shodan CLI can return all of the results in JSON format for further parsing.

SSL Certificate Search

Another host discovery method we use are SSL certificate
search engines such as crt.sh and Censys. Both search engines provide results based
on SSL certificates observed while scanning the internet. We use the domains
shown in the results from both to help find additional hosts. Censys also
offers API access which can be used programmatically to pull results. An example
of crt.sh and Censys results can be seen below.

SpyOnWeb

SpyOnWeb is a great tool for finding alternate domains for
an IP address or URL. SpyOnWeb accepts IP addresses or URLs and returns
information about what is hosted. An example can be seen below after searching
for payless.com. The application found another domain hosted on the same IP
address which can be researched for additional attack surface.

Archive.org

Archive.org, also known
as the WayBack Machine, is constantly archiving websites and making them searchable.
Once we find a backup of a website, we use the tool Wayback Machine
Downloader to pull an offline copy. We can then browse the site without
generating traffic on the target’s host. If the backup is recent enough, we can
also use the backup during social engineering attacks by hosting the files on a
server we control and coercing the target’s employees into interacting with the
fake site.

Job Listings

A good way to find which software and security suites a company employs is to search through job postings. We look for keywords such as ‘IT’, ‘helpdesk’, ‘cybersecurity analyst’, ‘developer’, or ‘programmer’. Job postings often contain software suites, frameworks, and security platforms as requirements for the applicants. Using this information, we often know what kinds of hurdles we’ll have to overcome before we ever send the first packet or phishing email to the target. We usually search Google, Glassdoor, Indeed, Monster, and Zip Recruiter for the job postings. 

Conclusion

Using the methods outlined here, we have continued gathering actionable information on our target without ever interacting with their external hosts. We’ve gained insight into additional domains and IP addresses belonging to the target, reachable services on each of the hosts, interacted with the target’s web presence offline, and potentially found information about the infrastructure in use through job postings. In the next part, we’ll start tracking down employee email addresses through LinkedIn, Hunter.io, and public breach data.