To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

• Kali Linux – https://www.kali.org/get-kali/
• DNSmap – https://github.com/resurrecting-open-source-projects/dnsmap
• Sublist3r – https://github.com/aboul3la/Sublist3r
• Sherlock – https://github.com/sherlock-project/Sherlock

If you’re unable to connect to the internet from Kali Linux, use the cat /etc/resolv.conf command to determine whether your Domain Name System (DNS) servers are set correctly on Kali Linux, then use the sudo systemctl restart NetworkManager command to restart the Network Manager stack. As a last resort, you can restart the Kali Linux operating system.

The concept of Google hacking, commonly referred to as Google dorking, is not the process of hacking into Google’s network infrastructure or systems, but rather leveraging the advanced search parameters within the Google search engine to filter specific results. Many organizations don’t always pay close attention to which systems and resources they are exposing on the internet. Google Search is a very powerful search platform that crawls/indexes everything on the internet and filters most malicious websites. Since Google indexes everything, the search engine can automatically discover hidden online directories, resources, and login portals of many organizations. Keep in mind that while Google’s search capabilities can be used for finding sensitive information, over recent years, Google has taken steps to prevent abuse of its platform.

Domain reconnaissance involves collecting information about a target-owned domain, which helps cybercriminals, ethical hackers, and penetration testers to identify whether the targeted organization has any exposed systems and network infrastructure that can be leveraged when planning a future attack. In addition, it helps ethical hackers and penetration testers to determine the external attack surface of an organization, that is, identifying all the internet-facing systems, their operating systems, open ports, and running services with the intention of discovering security vulnerabilities that can be exploited by real attackers. Domain reconnaissance can be classified as active reconnaissance if the ethical hacker or penetration tester is retrieving the domain records from a DNS server that’s owned by the target. However, with passive information gathering, the information is collected from other trusted sources that are not directly linked to the target...

Every day, search engines such as Bing, Google, and Yahoo frequently learn and index new and existing websites to improve their search results. If a person searches for a company’s website, you’re likely to discover the primary domain, such as example.com. A lot of organizations create sub-domains for various reasons, but as an aspiring ethical hacker and penetration tester, discovering all the possible sub-domains of a targeted organization can lead to finding sensitive locations and resources, such as login portals and unintentionally exposed corporate directories, which may contain confidential files and resources.

In this section, you’ll learn how to identify sub-domains using DNSMap and Sublist3r.

Enumeration with DNSMap

DNSMap works a bit differently from the tools we looked at in the previous sections. DNSMap attempts to enumerate the sub-domains of a targeted parent domain by querying a built-in wordlist within Kali Linux...

While many organizations think their network infrastructure is hidden behind their public IP address and that threat actors are unable to determine their internal infrastructure, threat actors use various OSINT techniques and tools to identify the systems and applications that are running within a targeted organization.

Over the next sub-sections, you will learn how organizations are leaking technical details about their internal network and how they can be leveraged by threat actors to improve their cyber-attacks.

Data leakage on job websites

Over the years, I’ve noticed many organizations leak a lot of data about their internal infrastructure and systems, which can help adversaries improve their plan of attack and identify security vulnerabilities within an organization by simply analyzing public information. For instance, a recruiter may post a vacancy on a job board or their company’s website for job seekers....

Around the world, employees of many organizations commonly leak and share too much information about themselves and their organization without realizing how a threat actor or adversary can collect and analyze such information to plan a cyber-attack or improve a threat towards their organizations and themselves. Quite often, you’ll notice that many employees of the leadership team for an organization commonly share their contact details on professional social networking platforms, such as the following types of information:

• Full name and job title
• Company’s email address
• Telephone number
• Roles and responsibilities
• Recent projects with technical details
• Pictures of their employee badges

As a penetration tester, it’s quite simple to create an account that will function as a sock puppet on a site such as LinkedIn, populate some false information on the account, such as...

Employees of an organization often leak too much information about themselves and their company. While many employees are very happy to be working in their organizations, sometimes, they share information that can be leveraged by threat actors to improve their attack on a target. As an aspiring ethical hacker and penetration tester, collecting and analyzing information from social media platforms can be useful in finding employee profiles with weak privacy, which are not secure, and collecting any sensitive data from their profiles.

The following is some information that’s commonly leaked:

• Employee contact information, such as telephone numbers and email addresses, which can be used during social engineering and account takeover attacks.
• Sharing photos with their employee badges, which can be used by a threat actor to create a fake ID for impersonation for physical penetration testing.
• Pictures...

During this chapter, you have learned how to apply various Google hacking techniques to perform advanced search and filtering to identify sensitive directories and exposed resources on the internet. In addition, you have gained the hands-on skills needed to perform domain reconnaissance to collect and analyze DNS records, perform zone transfer, and identify the sub-domains of a target. Furthermore, you have learned how to leverage specialized internet search engines to identify exposed assets of companies around the world and gained a better understanding of how OSINT helps ethical hackers and penetration testers to develop a profile about their targets.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry with confidence...

• OSINT – https://www.imperva.com/learn/application-security/open-source-intelligence-osint/
• Top OSINT tools – https://www.csoonline.com/article/567859/what-is-osint-top-open-source-intelligence-tools.html
• What is WHOIS? – https://www.domaintools.com/support/what-is-whois-information-and-why-is-it-valuable/

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet