
Reconnaissance (Information Gathering)


Last updated 5 months ago

More time and effort is required for an external versus an internal penetration test. For the latter, we have already gained access to the internal network. Thus, the most helpful information we may gather externally is the list of staff, exposed data breaches, and a list of internal they may be using.

This is mainly passive reconnaissance (OSINT) using publicly available information, without interacting directly with the target, including target websites and news articles, social media pages, search engines, public records, breach data, etc.

External Penetration Test

Methodology

After completing the

Tools and Resources

  • Search Engines (Google, Shodan, Censys, VirusTotal, IntelX, PhoneBook, SecurityTrails)

  • IP/Domain Lookups:

    • ARIN (North America), AFRINIC (Africa), APNIC (Asia), LACNIC (Latin America), RIPE NCC (Europe).

    • Whois Lookups, DNSDumpster

  • Internet Archives (Wayback Machine)

  • Source Code Platforms (GitHub, Bitbucket, Pastebin)

  • Website Profiles (BuiltWith, Wappalyzer)

  • Data Breaches (DeHashed, Have I Been Pwned)