OSINT/Passive: Typical order of tools used

When you're running the OSINT and passive part of your engagement, what's the typical order of tools that you tend to run through? 

Dig, Fierce, DNS Recon

Google hacks, Shodan, Netcraft, BuiltWith


Recon-ng, OSINT Framework



HTTrack, Burp Suite


etc. etc.

How do you structure your part of a pen test?


Nikto and Skipfish are not part of the OSINT or passive section; both are very active tools. I haven't used Skipfish for years as it used to be able to DoS most sites unless you were very careful using it. Burp Suite, maybe, but only if you are using it purely to look at traffic when viewing the site and not sending any additional attacks from it.

The other tools are all relevant, and they tend to flow into each other. For example, if theHarvester finds a new domain then you pass that through dnsrecon; you could then Google hack and find other things that flow back into theHarvester.


For outside-the-network lookup of info without touching the site directly: nslookup, whois, VirusTotal for DNS and subdomains on the same IP for the same site, and of course Google.

If scanning directly, host (probably a better tool than nslookup if you want to check AXFR), nmap and occasionally Nikto (change the default user agent though!), as well as gobuster.

There are also Google's HTTPS transparency reports, which show more subdomains and the history of certs, but that falls into the Google hacking category too, I guess.

HTTrack to me is more like wget set to spider a site, which can be used to download the whole site from a single URL, but if you want to check for things not reachable by following a known URL, use a wordlist with dirb or gobuster. They are good for bruting both directories and subdomains and can often find things you wouldn't normally find from just a crawl of the site.

Oddly, a great spider utility is the SEO tool Screaming Frog's SEO Spider. It can output things to a spreadsheet, and it's something I use for work purposes outside of what could also be used for a pentest/audit of a site's topology. Well worth the paid full version too!
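Both replies above make the same practical point: passive sources feed each other (a domain theHarvester turns up goes into dnsrecon, certificate transparency turns up more subdomains), so the glue between tools is a normalise-dedupe-scope step. The following is an added example, not code from the thread or from any of the tools named in it. It takes a crt.sh-style certificate transparency JSON dump and a theHarvester-style host list (both constructed inline for the demo; the field names follow crt.sh's JSON output, where `name_value` holds newline-separated SANs that may include wildcards) and produces a clean in-scope queue for the next active stage, plus the out-of-scope leftovers that a tester should review for scope expansion rather than blindly scan.

```python
"""
Added example (not from the forum thread): a passive-recon glue step that
merges hostnames discovered by one tool into a deduplicated, in-scope queue
for the next tool (e.g. dnsrecon / host). All sample data is constructed.
"""
import json
import re

# Constructed sample shaped like crt.sh's ?q=%25.example.com&output=json response:
# one object per certificate, name_value = newline-separated SANs, wildcards included.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDEV.EXAMPLE.COM",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-08-30T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com\nexample.net",
     "not_before": "2023-02-01T00:00:00", "not_after": "2024-02-01T00:00:00"},
])

# Constructed sample: hosts the way a theHarvester-style run might list them
# (trailing dots, host:ip pairs, and a look-alike domain that is NOT ours).
HARVESTER_SAMPLE = """
vpn.example.com.
www.example.com
intranet.example.com:10.0.0.5
example-com.attacker.tld
"""

# Labels of 1-63 chars, total length <= 253, TLD at least two chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")


def normalise(name):
    """Lower-case, strip trailing dot and any attached ':ip', drop wildcard label.
    Returns None for anything that is not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    name = name.split(":", 1)[0]          # "host:ip" style tool output
    if name.startswith("*."):
        name = name[2:]                   # *.dev.example.com -> dev.example.com
    return name if HOSTNAME_RE.match(name) else None


def in_scope(name, scope):
    """True only if name is a scope apex or a real subdomain of one.
    Compare on label boundaries: a bare endswith("example.com") check
    would accept notexample.com, which is someone else's host."""
    return any(name == apex or name.endswith("." + apex) for apex in scope)


def hosts_from_crtsh(raw_json):
    """Yield normalised SANs from a crt.sh-style JSON dump."""
    for entry in json.loads(raw_json):
        for san in entry.get("name_value", "").split("\n"):
            h = normalise(san)
            if h:
                yield h


def hosts_from_harvester(text):
    """Yield normalised hosts from a one-host-per-line tool listing."""
    for line in text.splitlines():
        h = normalise(line)
        if h:
            yield h


def _merge(sources):
    found = set()
    for src in sources:
        found.update(src)
    return found


def build_queue(scope, *sources):
    """Deduplicated, sorted list of in-scope hosts to hand to the next stage."""
    return sorted(h for h in _merge(sources) if in_scope(h, scope))


def out_of_scope(scope, *sources):
    """What was dropped: review it by hand; it is often a newly found
    in-scope domain (the 'theHarvester finds a new domain' case) that
    belongs in scope, or a look-alike that must never be scanned."""
    return sorted(h for h in _merge(sources) if not in_scope(h, scope))


if __name__ == "__main__":
    scope = ["example.com"]
    print("next stage (dnsrecon/host):",
          build_queue(scope, hosts_from_crtsh(CRTSH_SAMPLE), hosts_from_harvester(HARVESTER_SAMPLE)))
    print("review before scanning:",
          out_of_scope(scope, hosts_from_crtsh(CRTSH_SAMPLE), hosts_from_harvester(HARVESTER_SAMPLE)))
```

Two things worth noticing when running it: the wildcard `*.dev.example.com` and the upper-cased `DEV.EXAMPLE.COM` collapse to a single `dev.example.com`, and `example-com.attacker.tld` is kept out of the active queue even though it contains the target's name. Feeding the queue straight into a brute-forcer without that scope check is how passive recon quietly turns into touching hosts you have no authorisation for.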


Edited by digip