Passive

Passive Reconnaissance of a Web Application

Passive reconnaissance is the process of gathering information about a target (in this case, a web application) without directly interacting with its systems. This approach is stealthy and low-risk, as it relies on publicly available information and does not trigger security alerts. Below is a step-by-step description of how to perform passive reconnaissance on a web application:

---

1. Identify the Target Domain

• Objective: Gather basic information about the web application's domain.

• Tools/Websites:

  • WHOIS Lookup: Use whois.domaintools.com or whois.icann.org to find domain registration details, such as:

    • Domain owner

    • Registration date

    • Expiration date

    • Registrar information

    • Name servers

  • DNSDumpster: dnsdumpster.com provides DNS records, subdomains, and IP addresses associated with the domain.

---

2. Enumerate Subdomains

• Objective: Discover subdomains associated with the main domain.

• Tools/Websites:

  • Sublist3r: A tool to enumerate subdomains using search engines and other sources.

  • Crt.sh: crt.sh to find subdomains via SSL/TLS certificates.

  • SecurityTrails: securitytrails.com for historical DNS data and subdomain enumeration.

  • Google Dorks: Use search queries like site:*.example.com to find subdomains.

---

3. Analyze DNS Records

• Objective: Gather DNS information to understand the web app's infrastructure.

• Tools/Websites:

  • DNSDumpster: Provides DNS records (A, MX, TXT, etc.).

  • Dig: A command-line tool to query DNS records.

  • MXToolbox: mxtoolbox.com for DNS and MX record analysis.

---

4. Identify Technologies Used

• Objective: Determine the technologies (frameworks, CMS, server software) powering the web application.

• Tools/Websites:

  • BuiltWith: builtwith.com to identify technologies, frameworks, and plugins used.

  • Wappalyzer: A browser extension that detects technologies used on a website.

  • Netcraft: netcraft.com for server and technology analysis.

---

5. Gather Information from Search Engines

• Objective: Use search engines to find publicly available information about the web app.

• Tools/Websites:

  • Google Dorks: Use advanced search queries to find sensitive files, directories, or information. Examples:

    • site:example.com filetype:pdf

    • site:example.com intitle:"index of"

  • Bing/Google: Search for the web app's name or domain to find related content.

---

6. Check for Archived Content

• Objective: Find historical versions of the web application to uncover old or sensitive data.

• Tools/Websites:

  • Wayback Machine: archive.org/web/ to view historical snapshots of the website.

  • Archive.today: archive.today for saving and viewing archived web pages.

---

7. Analyze SSL/TLS Certificates

• Objective: Gather information from SSL/TLS certificates, such as validity, issuer, and associated domains.

• Tools/Websites:

  • SSL Labs: ssllabs.com to analyze SSL/TLS configuration.

  • Crt.sh: crt.sh to search for SSL certificates associated with the domain.

---

8. Social Media and Employee Information

• Objective: Gather information about employees, technologies, or other details from social media.

• Tools/Websites:

  • LinkedIn: Search for employees or job postings related to the company.

  • Twitter: Look for mentions of the web app or company.

  • GitHub: Search for repositories or code related to the web app.

---

9. Check for Leaked Data

• Objective: Search for leaked credentials, API keys, or sensitive data related to the web app.

• Tools/Websites:

  • Have I Been Pwned: haveibeenpwned.com to check if the domain or email addresses have been involved in data breaches.

  • DeHashed: dehashed.com for searching leaked credentials.

  • GitHub: Search for exposed API keys or sensitive data using GitHub's search feature.

---

10. Analyze Public Code Repositories

• Objective: Search for code or configuration files related to the web app.

• Tools/Websites:

  • GitHub: Search for repositories or code snippets related to the domain.

  • GitLab/Bitbucket: Similar to GitHub, search for public repositories.

---

11. Gather Information from Job Postings

• Objective: Identify technologies, frameworks, or tools used by the company.

• Tools/Websites:

  • LinkedIn Jobs: Look for job postings that mention specific technologies.

  • Indeed/Glassdoor: Search for job postings related to the company.

---

12. Use OSINT Frameworks

• Objective: Automate the collection of publicly available information.

• Tools/Websites:

  • SpiderFoot: An OSINT automation tool that integrates multiple data sources.

  • Maltego: A tool for visualizing relationships between entities and data points.

---

Summary of Passive Reconnaissance Steps

1. Gather domain information (WHOIS, DNS records).

2. Enumerate subdomains.

3. Identify technologies used (CMS, frameworks, server software).

4. Search for publicly available information (Google Dorks, social media).

5. Analyze historical data (Wayback Machine, archived content).

6. Check for leaked data or credentials.

7. Use OSINT tools to automate and visualize findings.