PaulDotCom mailing list archives
Recon tools
From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Tue, 10 Mar 2009 16:52:04 -0400
Awesome list. Pipl.com is another user enumeration tool, relatively new I think.

-PJ

Date: Tue, 10 Mar 2009 12:43:33 -0700
From: jcran at 0x0e.org
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] Recon tools

Check out spoke.com for something similar to rapleaf.

Here's my "basic" recon notes.

- jcran

Netblocks / IP Ranges
    http://www.arin.net/
    whois -h ws.arin.net
    All IPs discovered in later parts of recon should be fed back to the ranges already gathered (and if you have an IP that doesn't fit in one of the already-discovered ranges, determine its range using ARIN, and add it to the list).

Domains / DNS
    whois
        - whois -h ws.arin.net $COMPANY
        - whois -h whois.ripe.net $COMPANY
        - whois -h whois.apnic.net $COMPANY
        - whois -h whois.lacnic.net $COMPANY
        - whois -h whois.afrinic.net $COMPANY
    Fierce
        Forward DNS lookup (Zone Transfer + Brute Force DNS)
            o fierce -dns $DOMAIN -wordlist hosts.list
        Reverse DNS lookup (given a range)
            o fierce -dnsserver $DNSSERVER -range $IPRANGE
    DNS Enum
    dmitry
    ip-geolocation.pl

Application Information
    Browse the site / site map
    Use Fierce to brute force interesting hostnames
    Look for interesting hostnames such as citrix, app, ERP, CRM, etc.

Network Information
    firewalk
    scapy
    scapy-tracenet.py
        Generates graphviz graphs of each node on the network. Very handy for visualizing the devices / network.
    Halberd
        Halberd discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.
    LBD
        Load Balancer Detection:
            o lbd-0.1.sh $DOMAIN
    traceroute
    ping

User Enumeration
    Spoke
        Log in
        Search for the company
        Get a list of the current employees
        In the browser window, type:
            o javascript:window.personListNames
    lead411.com
    Hoovers
    Jigsaw
    Facebook
    goog-mail.py

Search Engine / Relationship analysis
    Tools
        SEAT
        BidiBlah (Sensepost)
        Goolag
        Maltego
    Web Sites
        GoogleHack Generator
        Netcraft
        Internet Archive
        Windows Live Search (ip search)
        XSSed - Look for the company / partners / other exploitable vectors for

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, March 10, 2009 1:49 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Recon tools

Hi All,

What are some good sites for doing recon on an organization via DNS tools/Google/Metadata etc? I'm doing a class shortly on it, and wanted some suggestions on things to show off besides Maltego. Anyone know a good replacement for http://www.rapleaf.com ? It used to be good, but now is useless with the current TOS.

I'll start the list:

Tools:
    Metagoofil: http://www.edge-security.com/metagoofil.php
    Maltego: http://www.paterva.com/maltego/community-edition/

Sites:
    http://regex.info/exif.cgi
    http://tineye.com/
    http://www.domaintools.com/

You really need to check out Tineye, I found out about it on Cyberspeakers.
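The "feed discovered IPs back into the ranges" step from jcran's netblock notes above, as an added example that is not code posted by anyone in this thread: it pulls the NetRange/CIDR fields out of an ARIN-style whois reply, keeps the block list collapsed, and separates newly discovered IPs into those already covered by a known block and orphans that need their own whois lookup. The whois text is a constructed sample using documentation address space, not a real lookup result, and the function names (parse_whois_ranges, reconcile, lookup_commands) are my own.

```python
"""Recon bookkeeping: reconcile discovered IPs against known netblocks.

Added example for this thread, not code from any list member.
SAMPLE_ARIN_WHOIS is constructed from RFC 5737 documentation ranges and is
not the output of a real whois query.
"""
import ipaddress
import re

# Constructed sample of the fields `whois -h whois.arin.net <ip>` returns for
# a registered block. Only NetRange/CIDR are parsed; the rest is context.
SAMPLE_ARIN_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/25, 192.0.2.128/25
NetName:        EXAMPLE-NET
Organization:   Example Corp (EXAMP)
"""

_CIDR_RE = re.compile(r"^CIDR:\s*(.+?)\s*$", re.MULTILINE)
_RANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def parse_whois_ranges(text):
    """Return the network blocks described by an ARIN-style whois reply.

    Uses the CIDR line (which may list several comma-separated blocks) and
    falls back to summarising the NetRange start/end pair when it is absent.
    Adjacent blocks are collapsed so the running list stays minimal.
    """
    nets = set()
    for line in _CIDR_RE.findall(text):
        for token in line.split(","):
            nets.add(ipaddress.ip_network(token.strip(), strict=False))
    if not nets:
        for lo, hi in _RANGE_RE.findall(text):
            nets.update(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    # collapse_addresses only accepts one address family at a time
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


def reconcile(known_blocks, discovered_ips):
    """Split discovered IPs into those inside a known block and orphans.

    Orphans are the IPs jcran's notes say to look up and add to the list.
    """
    blocks = [ipaddress.ip_network(b, strict=False) for b in known_blocks]
    covered, orphans = [], []
    for raw in discovered_ips:
        ip = ipaddress.ip_address(raw)
        (covered if any(ip in b for b in blocks) else orphans).append(ip)
    return covered, orphans


def lookup_commands(orphans, server="whois.arin.net"):
    """Whois command per orphan. Start at ARIN; its reply names the
    responsible RIR when the block is not ARIN's, so follow that referral."""
    return [f"whois -h {server} {ip}" for ip in orphans]


if __name__ == "__main__":
    known = [str(n) for n in parse_whois_ranges(SAMPLE_ARIN_WHOIS)]
    # constructed "discovered" IPs, e.g. from fierce or traceroute output
    seen = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "2001:db8::1"]
    covered, orphans = reconcile(known, seen)
    print("known blocks:", known)
    print("covered:", [str(i) for i in covered])
    print("orphans:", [str(i) for i in orphans])
    for cmd in lookup_commands(orphans):
        print("  run:", cmd)
```

The two /25s in the sample collapse to a single /24, which is the behaviour you want when a range list is assembled from several whois replies; running the printed whois commands and feeding each reply back through parse_whois_ranges is the loop the notes describe.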
Current thread:
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Raffi Jamgotchian (Mar 10)
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Robin Wood (Mar 10)
- Recon tools James Costello (Mar 10)
- Recon tools Daniel [Virturity.com] (Mar 10)
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Raffi Jamgotchian (Mar 10)
- Recon tools Jonathan Cran (Mar 10)
- Recon tools PJ McGarvey (Mar 10)