bolus Posted August 22, 2017

When you're running the OSINT and passive part of your engagement, what's the typical order of tools that you tend to run through?

Dig, Fierce, DNSRecon
Google hacks, Shodan, Netcraft, BuiltWith
Harvester, Recon-ng, OSINT Framework
Nikto
Skipfish
HTTrack, Burp Suite
etc. etc.

How do you structure your part of a pen test?
digininja Posted August 22, 2017

Nikto and Skipfish are not part of the OSINT or passive section; both are very active tools. Haven't used Skipfish for years, as it used to be able to DoS most sites unless you were very careful using it. Burp Suite maybe, but only if you are using it purely to look at traffic when viewing the site and not sending any additional attacks from it.

The other tools are all relevant; they tend to flow into each other. For example, if Harvester finds a new domain then you pass that through dnsrecon; you could then Google hack and find other things that flow back into Harvester.
digip Posted August 23, 2017

For outside-the-network lookup of info without touching the site directly: nslookup, whois, VirusTotal for DNS and subdomains on the same IP for the same site, and of course Google.

If scanning directly: host (probably a better tool than nslookup if you want to check AXFR), nmap and occasionally Nikto (change the default user-agent though!) as well as gobuster.

There are also Google's HTTPS transparency reports, which show more subdomains and the history of certs, but that falls into the Google hacking category too, I guess.

httrack to me is more like wget set to spider a site, which can be done to download the whole site from a single URL, but if you want to check for things not followed by a known URL, use a word list with dirb or gobuster. They are good for bruting both directories and subdomains and can often find things you wouldn't normally find from just a crawl of the site.

Oddly, a great spider utility is the SEO tool ScreamingFrog's SEO Spider. It can output things to a spreadsheet, and it is something I use for work purposes outside of what could also be used for a pentest/audit of a site's topology. Well worth the paid full version too!

Edited August 25, 2017 by digip
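The two replies above describe the same structure from different angles: digininja's point that passive tools feed each other (a new domain from Harvester goes into dnsrecon, whose results go back into Harvester), and digip's split between lookups that never touch the site and direct scans that do. The script below is an added example written for this thread, not code posted by either of them. It runs the passive feedback loop as a worklist (every newly found in-scope hostname is queued and passed back through the passive tools until nothing new appears) and keeps the active checks behind an explicit ACTIVE=1 flag so a passive-only engagement cannot accidentally touch the target. Assumptions: theHarvester (`-d DOMAIN -b all`), dnsrecon (`-d DOMAIN`), host (`-t axfr`), gobuster 3 (`dns -d -w`) and Nikto (`-useragent`) are on PATH with those flags; the `fake_discover` function is a constructed stand-in for tool output so the loop can be shown offline, and example.com is a placeholder scope.

```shell
#!/usr/bin/env bash
# Recon worklist: re-feed every new in-scope hostname through the passive
# tools, and gate anything active behind ACTIVE=1. Added example, not from
# the thread; tool flags are assumptions (see lead-in).
set -u

# Lower-case a candidate and strip URL scheme, path, leading "*." and trailing dot.
normalize() {
    local h=$1
    h=${h#*://}; h=${h%%/*}; h=${h#\*.}; h=${h%.}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# in_scope HOST ROOT: true if HOST is ROOT itself or a subdomain of it.
in_scope() {
    local h=$1 root=$2
    [ "$h" = "$root" ] || case $h in *."$root") true ;; *) false ;; esac
}

# enqueue HOST ROOT QUEUE SEEN: queue HOST once if in scope. 0 if new, 1 otherwise.
enqueue() {
    local h root=$2 queue=$3 seen=$4
    h=$(normalize "$1")
    in_scope "$h" "$root" || return 1
    grep -qxF "$h" "$seen" && return 1
    printf '%s\n' "$h" | tee -a "$queue" >> "$seen"
}

# Pull anything that looks like a hostname out of arbitrary tool output.
extract_hosts() { grep -oiE '([a-z0-9-]+\.)+[a-z]{2,}' | tr 'A-Z' 'a-z' | sort -u; }

# Passive tools only (no packets to the target itself); skipped if not installed.
passive_discover() {
    local h=$1
    if command -v theHarvester >/dev/null; then theHarvester -d "$h" -b all 2>/dev/null; fi
    if command -v dnsrecon    >/dev/null; then dnsrecon -d "$h" 2>/dev/null; fi
}

# Constructed stand-in for tool output, so the loop can be demonstrated offline.
fake_discover() {
    case $1 in
        example.com)      printf 'Found: www.example.com\nMX: mail.Example.com.\nhttps://cdn.other.net/x\n' ;;
        mail.example.com) printf 'vpn.example.com\nwww.example.com\n' ;;
        *) : ;;
    esac
}

# run_passive ROOT [DISCOVER]: worklist loop; prints every in-scope host found,
# in discovery order. Out-of-scope hits (cdn.other.net above) are dropped.
run_passive() {
    local root=$1 discover=${2:-passive_discover}
    local queue seen i=1 h
    queue=$(mktemp); seen=$(mktemp)
    enqueue "$root" "$root" "$queue" "$seen"
    while h=$(sed -n "${i}p" "$queue"); [ -n "$h" ]; do
        "$discover" "$h" | extract_hosts | while read -r cand; do
            enqueue "$cand" "$root" "$queue" "$seen" || true
        done
        i=$((i+1))
    done
    cat "$queue"
    rm -f "$queue" "$seen"
}

# Active checks from digip's list: zone transfer attempt, subdomain brute force,
# Nikto with a non-default user-agent. Refuses to run unless ACTIVE=1 is set.
active_checks() {
    local root=$1 ns=$2 ua=${UA:-"Mozilla/5.0 (authorised assessment; contact security@example.com)"}
    [ "${ACTIVE:-0}" = 1 ] || { echo "refusing: set ACTIVE=1 to run active checks" >&2; return 2; }
    host -t axfr "$root" "$ns"
    gobuster dns -d "$root" -w "${WORDLIST:-/usr/share/wordlists/dns.txt}"
    nikto -h "https://$root" -useragent "$ua"
}

# Stand-alone use: "./recon.sh target.tld" runs the real passive tools;
# with no argument it runs the offline demonstration against the fixture.
if [ -n "${1:-}" ]; then run_passive "$1"; else run_passive example.com fake_discover; fi
```

The loop terminates because a hostname is only ever queued once, and the scope check stops it wandering into third-party domains that the tools will inevitably mention (CDNs, mail providers, certificate authorities). Swap `fake_discover` for `passive_discover` by simply passing a domain, and add further passive sources (certificate transparency, Shodan exports) as additional lines in `passive_discover`; they only need to print text containing hostnames.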
bolus Posted August 25, 2017

Thanks both for your feedback, very interesting and useful.