When gathering background information:

  • Understand that not all gathered information will be useful to your pen test.
  • Understand the difference between OSINT and closed-source intelligence.
  • Recognize which sources provide OSINT and which provide closed-source intelligence.
  • Perform Whois queries to obtain domain registration information.
  • Examine the organization's main website to identify more about its personnel and its business operations.
  • Look for any related sites, like a partner site, to corroborate or add to the information that you've gathered.
  • Examine the organization's or its employees' social media profiles to find any revealing information.
  • Search job boards to identify personnel issues or the technology that the organization uses.
  • Conduct Google hacking to run advanced search queries on website data.
  • Examine news articles and press releases for information on current or upcoming business operations.
  • Query DNS to obtain domain, subdomain, and additional information about the organization's network structure.
  • Attempt to leverage poorly configured servers for zone transfers to discover more DNS information.
  • Identify email addresses and how they may be used as account names.
  • Identify the domain's MX and SPF records and use what they reveal about mail routing and authorized senders to shape your email-based tests.
  • Identify SANs in SSL/TLS certificates to discover subdomains.
  • Search through CT logs to find certificates previously issued for the organization's resources.
  • Use Shodan to discover Internet-connected IoT and other non-traditional computing devices.
  • Use theHarvester and Recon-ng to perform many of the previous techniques from the command line.
  • Use Maltego to visualize connections between OSINT objects.
  • Use FOCA to extract metadata from files available for download.
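The MX/SPF item above can be turned into a repeatable check. The following is an added example, not part of the original guidelines: it parses SPF TXT records (using constructed sample records, not real domains) and reports the settings a defender would want to fix, such as a `+all` or `?all` terminator or more than the ten DNS-lookup terms RFC 7208 permits.

```python
import re

# Mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(txt):
    """Split an SPF v1 record into (all_qualifier, terms, lookup_count)."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms, all_qualifier, lookups = [], None, 0
    for term in parts[1:]:
        # optional qualifier, mechanism/modifier name, optional ':' '=' or '/' argument
        m = re.match(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?$", term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        qual, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        terms.append((qual, name, value))
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qual
    return all_qualifier, terms, lookups

def assess_spf(txt):
    """Return a list of findings; an empty list means nothing to flag."""
    all_qual, terms, lookups = parse_spf(txt)
    findings = []
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if all_qual is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qual == "+":
        findings.append("'+all' authorizes any host to send as this domain")
    elif all_qual == "?":
        findings.append("'?all' is neutral: spoofed mail is not rejected")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings

# Constructed sample records for demonstration; these are not real domains.
SAMPLE_RECORDS = {
    "weak.example":    "v=spf1 a mx +all",
    "neutral.example": "v=spf1 include:_spf.mail.example ?all",
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 mx -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_spf(record) or ["ok"])
```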