First step - Investigation


Investigation 🔎, a.k.a. passive recon (reconnaissance), is the first step of a pentest.

It involves gathering information about the target from afar 👓️, meaning with no direct interaction with the target 👀: nothing you send reaches the target's own systems, you only query third parties (search engines, registries, certificate logs, breach databases...).

🌱 The goal is to find as much information as possible before touching the target.

🚿️ You can also infer data. For instance, if a company has many customers, then it probably has a support page/customer service, which means a ticketing system and staff who are used to answering emails from strangers.

Common activities:

  • 🧑‍💻 Learn more about the company (roles, services...) and the technologies, programming languages and software it uses...

  • 🐟 Find potential attack vectors

  • 🧑 Find information about the employees: their emails, their social accounts, their leaked passwords...

  • ...

Tools and methods 🗺️ (the icons mark which of the activities above each one serves)

  • OSINT gathering 🧑‍💻🧑: any publicly available information
  • DNS analysis 🧑‍💻🐟: domain, domain owner (WHOIS), subdomains, mail and name servers...
  • Google dorking 🧑‍💻🐟🧑: find anything indexed by Google, using search operators such as site:, filetype: or inurl:
  • Shodan 🐟: find exposed and potentially vulnerable devices and services (IoT, but also servers, databases...)
  • Maltego 🧑‍💻 🐟: link analysis; maps the relations between websites, domains, social media accounts...
  • Data leaks 🧑: find leaked data (passwords...) about the employees in public breach dumps
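A worked example of the DNS analysis entry above, and of the "infer data" step: subdomain discovery from certificate transparency logs. Querying crt.sh is passive (you talk to the log aggregator, not to the target), whereas resolving the names afterwards hits the target's authoritative name servers and belongs to active recon. This is an added example, not code from this page or from any tool it lists; the JSON shape (one entry per certificate, with the SANs newline-separated in `name_value`) is what crt.sh returns, but the sample response and the `LABEL_HINTS` table are constructed for the example.

```python
import json
import re

# Constructed sample of the JSON that crt.sh returns for a query such as
#   https://crt.sh/?q=%25.example.com&output=json
# (only the fields used here are kept). Made-up data, not a real response.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com"},                  # wildcard: names no concrete host
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "dev.api.example.com\nAPI.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil-lookalike.net"}, # not under the apex: out of scope
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com"},
])

APEX = "example.com"

# RFC 1123-style host name: labels of letters, digits and hyphens joined by dots,
# no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def extract_subdomains(crtsh_json: str, apex: str) -> list[str]:
    """Return the sorted, de-duplicated host names under `apex` found in crt.sh JSON."""
    apex = apex.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        # name_value holds every SAN of the certificate, newline separated
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # a wildcard cert proves nothing about concrete hosts
            if not name or not HOSTNAME_RE.match(name):
                continue                 # garbage or non-DNS SAN (e.g. an email address)
            if name != apex and not name.endswith("." + apex):
                continue                 # lookalike or unrelated domain: keep it out of scope
            found.add(name)
    return sorted(found)


# Label -> what it usually hints at. A heuristic for the inference step, not a
# finding: each guess still has to be confirmed during active recon.
LABEL_HINTS = {
    "www": "public website",
    "api": "API endpoint (look for published docs / OpenAPI)",
    "dev": "non-production environment, often less hardened",
    "staging": "non-production environment, often less hardened",
    "test": "non-production environment, often less hardened",
    "mail": "mail server / webmail login",
    "vpn": "remote-access gateway, employee logins",
    "git": "source code hosting",
}


def infer_services(hosts: list[str], apex: str) -> dict[str, list[str]]:
    """Map each discovered host to the services its labels hint at."""
    hints = {}
    for host in hosts:
        if host == apex:
            continue
        labels = host[: -len("." + apex)].split(".")   # strip the apex, keep the rest
        matched = [LABEL_HINTS[label] for label in labels if label in LABEL_HINTS]
        if matched:
            hints[host] = matched
    return hints


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, APEX)
    for host in subs:
        print(host)
    for host, notes in infer_services(subs, APEX).items():
        print(f"{host}: {'; '.join(notes)}")
```

Run it as-is to see the five in-scope hosts and the hints for `dev.api`, `api`, `mail` and `www`; to use it for real, replace `SAMPLE_CRTSH_JSON` with the body of the crt.sh query above. The out-of-scope filter matters: CT logs are full of lookalike and typosquat domains, and touching one of those would put you outside the engagement's scope.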



👻 To-do 👻

Stuff that I found but haven't read/used yet.

  • Cloud-based services and platforms investigation
  • Wireless network reconnaissance