Key Techniques for Passive Reconnaissance:

• WHOIS Lookups: This can provide domain registration details, including the name, address, phone number, and email of the organization or individuals who own the domain. Tools like WHOIS or DomainTools can be used for this purpose.

• DNS Interrogation: The Domain Name System (DNS) is often a goldmine of information. By querying DNS records (A, MX, NS, and TXT), the tester can find subdomains, mail servers, and potentially vulnerable resources. Tools like Dig or Fierce can be helpful for DNS enumeration.

• Public Records: Search for any publicly accessible documents, such as annual reports, data breach disclosures, press releases, or any information posted by the target company. Websites like Shodan, Censys, or Google Dorking can help uncover these documents.

• Social Media and OSINT (Open-Source Intelligence): By monitoring social media platforms (Twitter, LinkedIn, Facebook, etc.), hackers can gather valuable information like employee names, job titles, technologies used, or even system configurations. Tools like Maltego can be used to automate OSINT collection.

• Google Dorking: By crafting specific search queries (known as "Google Dorks"), a penetration tester can find publicly accessible files, such as passwords, security misconfigurations, or other sensitive information. For example:

  • site:example.com filetype:pdf might return publicly available PDFs from the target site.
  • intitle:"Index of" password can find exposed directory listings containing password files.

• Shodan: A search engine that lets you find internet-connected devices (like routers, webcams, or servers). Shodan can identify exposed devices that might not be secured properly, providing insight into possible targets.