OSINT

Apart from active testing, passive analysis can turn up critical vulnerabilities without even touching the company's assets. Below are some of the open-source tools I currently use for the OSINT phase of pentests and bug bounty programs.

# GitHub research

Clone all of the company's public repositories (GitHub no longer serves the unencrypted `git://` protocol that `git_url` returns, so `clone_url` is used; for an organization account the matching endpoint is `/orgs/company/repos`):

```sh
curl -s "https://api.github.com/users/company/repos?per_page=100" | jq -r ".[].clone_url" | xargs -L1 git clone
```

Check a repository for leaked secrets with gitleaks (the flags below are the gitleaks v7 syntax):

```sh
gitleaks --repo-url=https://github.com/daniel-v/repo -v --report=new-report
```

To scan repositories already cloned to a local directory:

```sh
gitleaks -p all-company-repos/ -o gitleak-results -v
```

GitHub dorks:

```text
"company.com.br" password
"company.com.br" access_token
"company.com.br" client_secret
"company.com.br" private_token
"company.com.br" secret
"company.com.br" credentials
"company.com.br" token
"company.com.br" config
"company.com.br" key
"company.com.br" db_password
"company.com.br" api-key
"company.com.br" ftp
"company.com.br" pwd
```

## Using the same company keyword, filter by extension

- extension:pem private
- extension:ppk private
- extension:sql mysql dump password
- extension:json api.forecast.io
- extension:json mongolab.com
- extension:json client_secret

# Google Dorking

```text
site:*.pastebin.com "company"
site:*.company.com.* inurl:login | inurl:signin | intitle:Login | intitle:"sign in" | inurl:auth
site:*.company.com.br filetype:pdf filetype:xls filetype:log
ext:json intext:password
site:*.company.*
site:company.com.br inurl:&
site:company.com.br ext:php
site:company.com.br inurl:admin
site:s3.amazonaws.com company
```

Many more at https://www.exploit-db.com/google-hacking-database

# Shodan

Pull all IPs whose certificates name the target, via the Shodan CLI:

```sh
shodan search ssl.cert.subject.cn:"company1.com.br,company2.com.br" --limit 1000 --fields ip_str > shodan-company-ips.txt
```

Show information about a domain:

```sh
shodan domain company.com.br

# Useful tips

Check for leaked credentials tied to the company's corporate e-mail domain:

- https://dehashed.com/search?query=@company.com.br
- https://haveibeenpwned.com/
- https://intelx.io/?s=company.com.br

Search for sensitive endpoints and files passively with open-source tools.

gospider:

```sh
gospider -s "https://company.com.br/" -o results -c 100 -d 1
```

Get all URLs (gau), blacklisting static-asset extensions:

```sh
printf company.com.br | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js

cat company-subdomains.txt | gau -t 500 -b css,png,jpeg,jpg,svg,gif,ttf,woff,woff2,eot,otf,ico,js > results-urls-gau.txt
```

waybackurls:

```sh
cat company-domains.txt | waybackurls > urls.txt
```

Return the URLs AlienVault OTX has indexed for each domain (the same pipeline as before, split over lines and reading the domain list without a `cat` subshell):

```sh
while read -r sub; do
  gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" \
    | grep '\burl\b' | gron --ungron | jq . | grep -Ewi 'url' \
    | awk '{print $2}' | sed 's/"//g' | sort -u | tee -a file.txt
done < company-domains.txt
```

Keywords worth grepping for in the collected URL lists:

```text
invoice, discount, promo-code, redirect, reset_password, reset-password, password, TrackOrder, token=
```
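A small script, added here as an example (not part of the original notes nor of any tool above), that applies the keyword list to a gau/waybackurls-style URL list and masks the values of secret-looking query parameters, so hits can be recorded in a report without copying live tokens along. The sample URLs and the `triage_urls`/`triage_file` names are constructed for the example.

```sh
#!/bin/sh
# Constructed sample of gau / waybackurls output (not real data), embedded so this runs offline.
SAMPLE_URLS='https://company.com.br/static/logo.png
https://company.com.br/account/reset-password?token=abc123def456
https://company.com.br/shop/checkout?promo-code=WELCOME10
https://company.com.br/orders/TrackOrder?id=9981
https://company.com.br/login?redirect=https://example.net/
https://company.com.br/blog/2020/discounts-are-over
https://company.com.br/api/v1/users?access_token=eyJhbGciOi'

# The keyword list from the notes as an extended regex, matched case-insensitively anywhere
# in the URL (path or query). Substring matching is deliberate, so expect some noise:
# the blog URL above hits on "discount" and needs a human look.
KEYWORDS='invoice|discount|promo-code|redirect|reset_password|reset-password|password|TrackOrder|token='

# triage_urls: read URLs on stdin, keep those hitting a keyword, and replace the value of any
# query parameter whose name ends in token/secret/password/key with <REDACTED>, so the output
# can go into a ticket without carrying credentials (e.g. ?access_token=... is masked).
triage_urls() {
  grep -Ei "$KEYWORDS" \
    | sed -E 's/([?&][A-Za-z_]*(token|secret|password|key)=)[^&]*/\1<REDACTED>/g' \
    | sort -u
}

# Same filter over a file, e.g. the urls.txt written by waybackurls above.
triage_file() {
  triage_urls < "$1"
}

# Demo run on the constructed sample: prints 6 of the 7 URLs, two of them with masked values.
printf '%s\n' "$SAMPLE_URLS" | triage_urls
```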