Pen Test Lab - 2.Passive Information Gathering - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Saturday, May 15, 2021

Pen Test Lab - 2.Passive Information Gathering

An information gathering endeavor is the pen tester locates publicly available information related to the target and seeks ways that could be exploited to get into the systems.

There are two types information gathering methods
  • Passive information gathering refers to gathering as much information as possible without establishing contact between the pen tester (yourself) and the target about which you are collecting information. 
  • Active information gathering involves contact between the pen tester and the actual target. When you actively query systems to gain the information you are moving to a dark legal situation as most countries prohibit attempts to break into systems without the necessary permission.


Information to be collected

Here are some typical information a pen tester would like to collect
  • IP Addresses
  • Company Address
  • Email Addresses
  • Domain Information
  • Phone
  • Staff
  • Opened Ports on targets
  • Applications running on targets
  • OS
  • Other Sensitive Information



Shodan is a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Shodan currently returns 10 results to users without an account and 50 to those with one.

Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows. 

  • city: find devices in a particular city.
  • country: find devices in a particular country.
  • geo: search for specific GPS coordinates. geo:"31.8639, 117.2808"
  • hostname: find values that match the hostname.
  • product: search the name of the software or product identified in the banner.
  • os: search based on operating system.
  • port: find particular ports that are open.
  • before/after: find results within a timeframe.
  • org: search specific organization or company. org:"google"
  • isp" search specific ISP. isp:"rogers"
  • version:"13.1.6"

1. Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word.
Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).

2. Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains.
Usage: "Server:IIS" host name: domain name
Host name: domain name

3. Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet.
Usage: For scanning an IP address: net: IP)
For scanning a subnet: net:

4. Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80).
Usage: Service port number
Example: IIS port: 80

5. Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS.
Usage: Service: OS: OS name
Example: IIS “OS: OSName”

6. After/before: This option helps or returns the query, changed or unchanged before.
Example: apache after: 22/03/2010 before: 4/6/2010
Example: apache country: CH after:22/03/2010 before: 4/6/2010


From Kali terminal :




search operators and tips:
"" : exact phrase . "Penetration Testing"
- : excluded words. "Web Cam" -Cisco
~ : Similar Words. ~mobile phone. Search the results with the word "phone", as well as "cell ", "cellular ", "wireless ", etc.
define: find meanings. define:cybersecurity. Search the links to definitions of the word "cybersecurity"
site: Limit results to those from a specific website. 
link: linked page. searches for webpages that link to a particular website
inurl: displays all pages and sub-pages that contain the search term in the URL.  inurl:asp?id= , inurl:php?id=
intext: Find pages containing a certain word (or words) somewhere in the content.
filetype: Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. The “ext:” operator can also be used—the results are identical.
intitle: Find pages with a certain word (or words) in the title
cache: Returns the most recent cached version of a web page intitle:admin|user|password|account|login|system|manage inurl:file inurl:upload filetype:asp OR filetype:php OR filetype:jsp OR filetype:aspx

inurl:upload filetype:php OR filetype:asp OR filetype:jsp inurl:robots.txt inurl:txt

kali filetype:torrent

intext:user.sql intitle:index.of


SubDomain Scanning

Using Maltego from Kali

Using following Online Websites to Search subdomains or other related information:
  5. Google search:
  8. Certs :,
  9. Other methods:,
  10. Other tools helps to find out subdomain related information:
    • AMASS
└─# amass enum -d
OWASP Amass v3.12.3                     
567 names discovered - alt: 565, cert: 1, scrape: 1
ASN: 15169 - GOOGLE - Google LLC          1    Subdomain Name(s)
        2607:f8b0:4006::/48     1    Subdomain Name(s)
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.           1    Subdomain Name(s)
ASN: 20940 - AKAMAI-ASN1         565  Subdomain Name(s)         565  Subdomain Name(s)

The enumeration has finished
Discoveries are being migrated into the local database

    • SubBrute
    • Knockpy

└─# knockpy                                                                                                                    127 ⨯
Command 'knockpy' not found, but can be installed with:
apt install knockpy
Do you want to install it? (N/y)y
apt install knockpy
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 17.2 kB of archives.
After this operation, 68.6 kB of additional disk space will be used.
Get:1 kali-rolling/main amd64 knockpy all 4.1.0-4 [17.2 kB]
Fetched 17.2 kB in 1s (23.5 kB/s)  
Selecting previously unselected package knockpy.
(Reading database ... 276265 files and directories currently installed.)
Preparing to unpack .../knockpy_4.1.0-4_all.deb ...
Unpacking knockpy (4.1.0-4) ...
Setting up knockpy (4.1.0-4) ...
Processing triggers for kali-menu (2021.2.2) ...
Processing triggers for man-db (2.9.4-2) ...
└─# knockpy                                                                                                                    127 ⨯
usage: knockpy [-h] [--version] [-w WORDLIST] [-r] [-c] [-f] [-j] domain
knockpy: error: the following arguments are required: domain
└─# knockpy      

  _  __                 _                
 | |/ /                | |   4.1.1            
 | ' / _ __   ___   ___| | ___ __  _   _ 
 |  < | '_ \ / _ \ / __| |/ / '_ \| | | |
 | . \| | | | (_) | (__|   <| |_) | |_| |
 |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
                            | |     __/ |
                            |_|    |___/ 

+ checking for virustotal subdomains:SKIP
        VirusTotal API_KEY not found
+ checking for wildcard:YES
    "status_code": 301,
    "content_length": ""
+ checking for zonetransfer:NO
+ resolving target:YES
- scanning for subdomain...

Ip Address      Status  Type    Domain Name                     Server
----------      ------  ----    -----------                     ------          host  302     alias  302     alias  302     host  400     alias  400     alias  400     host   400     host
...(Omitted)            host  301     alias  301     alias  301     host           alias           host  302     alias  302     alias  302     host           alias           host

FOFA - FOFA(网络空间资产检索系统)是世界上数据覆盖更完整的IT设备搜索引擎,拥有全球联网IT设备更全的DNA信息。探索全球互联网的资产信息,进行资产及漏洞影响范围分析、应用分布统计、应用流行度态势感知等。


No comments:

Post a Comment