Apart from active testing, passive analysis can turn up critical vulnerabilities without ever touching the company's assets. Below are some of the open-source tools I currently use for the OSINT phase of pentests and bug bounty programs.
# Github research

Clone all of the company's public repositories (the API returns at most 100 repositories per page, so page through with `&page=2`, `&page=3`, ... for larger organisations):

```sh
# clone_url yields https:// addresses; git_url yields git:// ones, which GitHub no longer serves
curl -s "https://api.github.com/users/company/repos?per_page=100" | jq -r ".[].clone_url" | xargs -L1 git clone
```

Verify sensitive info in a repo with the GitLeaks tool (GitLeaks v7 syntax; v8 replaced these flags with `gitleaks detect --source <path> --report-path <file>`):

```sh
gitleaks --repo-url=https://github.com/daniel-v/repo -v --report=new-report
```

To scan repos already downloaded to a local directory:

```sh
gitleaks -p all-company-repos -o gitleak-results -v
```
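The same idea turned around to the defender's side, as an added example that is not from the original post nor from the GitLeaks project: a small pre-push check that greps a working tree for a few secret shapes (AWS access key IDs, PEM private-key headers, `password=`-style assignments) so a leak is caught before it reaches a public repository. The pattern list is an illustrative subset, the sample tree is constructed here, and `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID from the AWS documentation, not a live credential.

```sh
#!/bin/sh
# Added example, not part of the original post: a minimal pre-push secret check
# in the spirit of GitLeaks. Patterns are a deliberately small, illustrative subset.

SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----|(password|passwd|pwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# Print every matching line as file:line:content. .git internals are skipped,
# binary files are ignored and matching is case-insensitive.
scan_secrets() {
    grep -rEIni --exclude-dir=.git -e "$SECRET_PATTERNS" "$1" 2>/dev/null || true
}

# Number of matching lines in the tree (0 means the tree looks clean).
count_secret_hits() {
    scan_secrets "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: two config files with leaks, one PEM file,
# one clean file and a .git artefact that must be skipped. Prints the path.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID from the AWS documentation.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/config" "$d/.git"
    printf 'db_host=localhost\ndb_password=Sup3rS3cretValue\n' > "$d/config/app.env"
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$d/config/aws.ini"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder-not-a-real-key' '-----END RSA PRIVATE KEY-----' > "$d/deploy.pem"
    printf 'db_host=localhost\n# the password is supplied via an environment variable\n' > "$d/settings.cfg"
    printf 'db_password=ShouldBeIgnored123\n' > "$d/.git/config"
    echo "$d"
}

# Demo: scan the sample tree and report. In a pre-push hook, exit non-zero
# whenever count_secret_hits is not 0 so the push is refused.
tree=$(make_sample_tree)
scan_secrets "$tree"
echo "hits: $(count_secret_hits "$tree")"   # 3 for the sample tree
rm -rf "$tree"
```

Generic `keyword=value` patterns will flag some false positives (a `password = read_from_vault()` call, for instance); real scanners add entropy checks and allowlists on top, which is why the check is best run as an advisory gate that a reviewer can override rather than a silent filter.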
Github dorks (search the company domain together with each keyword):

```
"company.com.br" password
"company.com.br" access_token
"company.com.br" client_secret
"company.com.br" private_token
"company.com.br" secret
"company.com.br" credentials
"company.com.br" token
"company.com.br" config
"company.com.br" key
"company.com.br" db_password
"company.com.br" api-key
"company.com.br" ftp
"company.com.br" pwd
```

## Using the same company keyword, filter by extensions:

```
extension:pem private
extension:ppk private
extension:sql mysql dump password
extension:json api.forecast.io
extension:json mongolab.com
extension:json client_secret
```
## Google dorks

```
site:*.pastebin.com "company"
site:*.company.com.* inurl:login | inurl:signin | intitle:Login | intitle:"sign in" | inurl:auth
site:*.company.com.br filetype:pdf filetype:xls filetype:log
ext:json intext:password
site:*.company.*
site:company.com.br inurl:&
site:company.com.br ext:php
site:company.com.br inurl:admin
site:s3.amazonaws.com company
```
## Many more at https://www.exploit-db.com/google-hacking-database
# Shodan

Download all IPs for the target domains through the Shodan API:

```sh
shodan search ssl.cert.subject.cn:"company1.com.br,company2.com.br" --limit 1000 --fields ip_str > shodan-company-ips.txt
```

Show information about the target:

```sh
shodan domain company.com.br
```

Find company domains using unsafe communications (HTTP):

```
ssl.cert.subject.cn:google.com -HTTP
```

IPs + ports using the Shodan API:

```sh
shodan search ssl:"company1,company2" --fields ip_str,port --separator ", " > shodan-ipsANDports.txt
```

Other searches:

```
org:"Amazon" ssl:"company"
ssl:"yahoo" product:"Jetty"
Server: Werkzeug ssl:"norton"
ssl:"company" html:"Dashboard Jenkins"
ssl:"company development"
```
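What to do with the `ip_str,port` export once you have it, as an added example that is not from the original post or the Shodan project: a defender runs this over the export for their own ranges to get a per-host port inventory and a short list of services that should never be internet-facing. The watchlist of ports, the RFC 5737 documentation addresses and the sample export are all constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original post: triage of a Shodan "ip, port"
# export such as the one written by
#   shodan search ssl:"company" --fields ip_str,port --separator ", "
# The watchlist and the sample export are constructed.

# Ports that normally have no business being exposed to the internet
# (FTP, Telnet, SMB, RDP, VNC, Redis, Elasticsearch, MongoDB).
RISKY_PORTS="21 23 445 3389 5900 6379 9200 27017"

# Print "ip port" once for every (ip, port) pair that is on the watchlist.
flag_risky_ports() {
    awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) watch[r[i]] = 1 }
        {
            gsub(/[ \t]/, "")                # tolerate "ip, port" and "ip,port"
            split($0, f, ",")
            ip = f[1]; port = f[2]
            if (ip != "" && (port in watch) && !seen[ip ":" port]++) print ip, port
        }' "$1"
}

# One line per host listing its distinct exposed ports in order of appearance.
summarize_ports() {
    awk '
        {
            gsub(/[ \t]/, ""); split($0, f, ",")
            key = f[1] ":" f[2]
            if (f[1] != "" && !seen[key]++) ports[f[1]] = ports[f[1]] " " f[2]
        }
        END { for (ip in ports) print ip ":" ports[ip] }' "$1" | sort
}

# Number of watchlisted exposures in the export.
count_risky() {
    flag_risky_ports "$1" | wc -l | tr -d ' '
}

# Constructed sample export using RFC 5737 documentation addresses; the
# duplicated 27017 line shows that repeats are collapsed.
make_sample_export() {
    f=$(mktemp)
    printf '%s\n' \
        '203.0.113.10, 443' \
        '203.0.113.10, 80' \
        '203.0.113.11, 3389' \
        '203.0.113.12, 27017' \
        '203.0.113.12, 443' \
        '203.0.113.12, 27017' \
        '198.51.100.7, 22' > "$f"
    echo "$f"
}

export_file=$(make_sample_export)
summarize_ports "$export_file"
echo "--- exposures on the watchlist ($(count_risky "$export_file")) ---"
flag_risky_ports "$export_file"
rm -f "$export_file"
```

Run the same script against yesterday's export and `diff` the two summaries to get a cheap change-detection signal for your own perimeter; a port that appears between runs is worth a ticket whether or not it is on the watchlist.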
# Useful tips

Check for leaked credentials tied to the company's corporate email domain:

- https://dehashed.com/search?query=@company.com.br
- https://haveibeenpwned.com/
- https://intelx.io/?s=company.com.br
# URL discovery

Go Spider tool:

```sh
gospider -s "https://company.com.br/" -o results -c 100 -d 1
```

Get all URLs (gau), skipping static asset extensions:

```sh
printf company.com.br | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js
cat company-subdomains.txt | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js > results-urls-gau.txt
```

Wayback URLs tool:

```sh
cat company-domains.txt | waybackurls > urls.txt
```
Return sensitive URLs from AlienVault OTX (only the first page of 100 results per domain is fetched; raise `page=` to get more):

```sh
for sub in $(cat company-domains.txt); do
  gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" \
    | grep "\burl\b" | gron --ungron | jq | grep -Ewi 'url' | awk '{print $2}' | sed 's/"//g' | sort -u | tee -a file.txt
done
```
Keywords worth grepping for in the collected URLs:

```
invoice, discount, promo-code, redirect, reset_password, reset-password, password, TrackOrder, token=
```
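Applying that keyword list to a gau or waybackurls output, as an added example that is not from the original post or either project: query values are stripped so thousands of historical URLs collapse into their distinct endpoint shapes, the parameter names in use are counted, and the endpoints that match the keywords are listed for review. The `company.example` domain and the sample URL list are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original post: triage of a URL list such as
# the one gau or waybackurls writes, using the keyword list from the post.
# The sample URL list is constructed.

KEYWORDS='invoice|discount|promo-code|redirect|reset_password|reset-password|password|TrackOrder|token='

# Drop fragments and query values ("?token=abc&uid=42" -> "?token=&uid=")
# and keep one copy of each resulting endpoint shape.
normalize_urls() {
    sed -E 's/#.*$//; s/=[^&]*/=/g' "$1" | sort -u
}

# Endpoint shapes whose path or parameter names match the keyword list.
flag_keyword_urls() {
    normalize_urls "$1" | grep -Ei "$KEYWORDS" || true
}

# Number of distinct endpoint shapes that hit a keyword.
count_keyword_urls() {
    flag_keyword_urls "$1" | wc -l | tr -d ' '
}

# Query parameter names seen across the whole list, most frequent first.
list_parameters() {
    grep -o '[?&][A-Za-z0-9_.-]*=' "$1" | tr -d '?&=' | sort | uniq -c | sort -rn
}

# Constructed sample list in the shape gau produces for a hypothetical domain.
make_sample_urls() {
    f=$(mktemp)
    printf '%s\n' \
        'https://company.example/account/reset_password?token=abc123&uid=42' \
        'https://company.example/account/reset_password?token=def456&uid=43' \
        'https://company.example/shop/cart?promo-code=SPRING&qty=2' \
        'https://company.example/static/app.js' \
        'https://company.example/login?redirect=https://company.example/home' \
        'https://company.example/orders/TrackOrder?id=1001#details' \
        'https://company.example/help/faq' > "$f"
    echo "$f"
}

urls=$(make_sample_urls)
echo "--- parameter names ---"; list_parameters "$urls"
echo "--- keyword hits ($(count_keyword_urls "$urls")) ---"; flag_keyword_urls "$urls"
rm -f "$urls"
```

The normalised shapes are what a defender compares against the API inventory: an endpoint that appears in the archive but not in the inventory is either retired (and should return 404 rather than still work) or undocumented, and both are worth a look.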