๐ŸŽฏ Lab Objectives

  • Understand what passive recon is and why it comes before active scanning
  • Use Google dorks to find sensitive information on targets
  • Extract domain registration, DNS, and email data
  • Discover internet-exposed devices with Shodan
  • Compile findings into a structured recon report
๐Ÿ‘ถ
Passive vs Active: Passive recon means you never send a single packet to the target โ€” you only use public information. This is 100% legal and leaves no traces on the target's logs.

Step 1 โ€” What is OSINT?

OSINT stands for Open Source Intelligence โ€” intelligence gathered from publicly available sources. Before any penetration test, professional hackers spend hours or days on OSINT to understand the target's infrastructure, employees, technologies, and potential weak points.

The goal: learn as much as possible without touching the target.

Step 2 โ€” Google Dorking

Google search operators (called "dorks") let you find specific types of content that are accidentally exposed online.

# Find files on a specific domain
site:example.com filetype:pdf
site:example.com filetype:xls
site:example.com filetype:sql

# Find login pages
site:example.com inurl:login
site:example.com intitle:"admin panel"

# Find exposed directories
site:example.com intitle:"index of"

# Find configuration files
site:example.com ext:env OR ext:config OR ext:ini

# Find subdomains
site:*.example.com

# Find cached versions
cache:example.com

# GHDB โ€” Google Hacking Database
# exploit-db.com/google-hacking-database
# 7000+ ready-made dorks sorted by category

Step 3 โ€” whois & DNS Enumeration

# Who owns the domain?
whois example.com

# DNS records โ€” A, MX, NS, TXT
dig example.com ANY
dig example.com MX
dig example.com NS
dig example.com TXT   # often reveals SPF, DMARC, verification tokens

# Reverse DNS โ€” what hostname is at this IP?
dig -x 93.184.216.34

# Find all DNS records quickly
nslookup -type=ANY example.com

# DNS zone transfer (if misconfigured, dumps all records)
dig axfr @ns1.example.com example.com

# Certificate Transparency logs โ€” find subdomains
# Visit: https://crt.sh/?q=%.example.com
# Lists every SSL cert ever issued for the domain

# Alternative crt.sh via curl
curl -s "https://crt.sh/?q=%.example.com&output=json" | python3 -m json.tool | grep name_value | sort -u

Step 4 โ€” theHarvester

theHarvester scrapes multiple sources at once โ€” search engines, Shodan, LinkedIn, etc. โ€” to find emails, subdomains, and IPs associated with a domain.

# Basic usage โ€” search multiple sources
theHarvester -d example.com -b all

# Specific sources
theHarvester -d example.com -b google
theHarvester -d example.com -b bing,yahoo,linkedin

# Save results to file
theHarvester -d example.com -b all -f output.html

# Available sources:
# google, bing, yahoo, baidu, linkedin, twitter,
# shodan, censys, hunter, intelx, rapiddns, ...

# What theHarvester finds:
# - Email addresses (employee emails = phishing targets)
# - Subdomains
# - IP addresses
# - Open ports (via Shodan integration)
# - LinkedIn employee names

Step 5 โ€” Shodan

Shodan is a search engine for internet-connected devices โ€” servers, cameras, routers, industrial systems. It scans the entire internet and indexes what it finds.

# Web interface: shodan.io (create free account)
# CLI: pip install shodan
shodan init YOUR_API_KEY

# Search for systems running a specific software
shodan search "apache 2.4.49"   # vulnerable version
shodan search "nginx 1.14"

# Find systems in a specific organisation
shodan search org:"Example Corporation"

# Find open RDP servers in a country
shodan search "port:3389 country:US"

# Look up an IP address
shodan host 93.184.216.34

# Search by domain (paid feature)
shodan domain example.com

# Useful Shodan filters:
# port:22         โ†’ SSH servers
# port:3389       โ†’ RDP (Windows Remote Desktop)
# product:IIS     โ†’ Microsoft web servers
# os:"Windows"    โ†’ Windows systems
# has_vuln:true   โ†’ systems with known CVEs (paid)

Step 6 โ€” Wayback Machine

# The Wayback Machine archives websites over time
# Great for finding old pages, removed content, old credentials

# Web: https://web.archive.org

# CLI tool: waybackurls (Go)
go install github.com/tomnomnom/waybackurls@latest
waybackurls example.com | tee urls.txt

# Look for interesting old paths
cat urls.txt | grep -E "\.(sql|bak|config|env|zip|tar)"
cat urls.txt | grep "admin\|login\|api\|debug"

# gau โ€” get all URLs from multiple sources
sudo apt install gau -y
gau example.com | tee all_urls.txt

Step 7 โ€” Social Media OSINT

# LinkedIn โ€” find employees and their job titles
# Search: site:linkedin.com/in "Example Corp"
# Reveals: names, titles, technologies they use ("We use AWS Lambda")

# Twitter/X โ€” employees often share technical details
# Search: from:johndoe example.com OR VPN OR AWS

# GitHub โ€” developers push secrets accidentally
# Search GitHub for: org:examplecorp password OR secret OR api_key

# GitDorker โ€” automate GitHub OSINT
git clone https://github.com/obheda12/GitDorker
python3 GitDorker.py -t TOKEN -d examplecorp -tf dorks.txt

# TruffleHog โ€” scan repos for leaked secrets
trufflehog github --org=examplecorp

# Email format guesser
# Once you know employees' names, guess emails:
# john.doe@example.com
# jdoe@example.com
# j.doe@example.com
# Use hunter.io to identify the format used by the company

Step 8 โ€” Maltego

Maltego visualises relationships between people, domains, IPs, and organisations as a graph.

# Launch Maltego on Kali
maltego

# Free Community Edition available at maltego.com
# Create account โ†’ sign in โ†’ choose "Maltego CE (Free)"

# Typical workflow:
# 1. Create new graph
# 2. Drag a "Domain" entity onto the canvas
# 3. Type in your target domain
# 4. Right-click โ†’ Run All Transforms
# 5. Maltego auto-discovers: subdomains, IPs, emails, MX records
# 6. Right-click any discovered IP โ†’ Run transforms on it
# 7. The graph expands, showing relationships

Step 9 โ€” Building a Recon Report

# Always document your findings. Sample structure:

TARGET: example.com
DATE: 2025-06-15

== DOMAIN INFO ==
Registrar: GoDaddy
Registered: 2010-03-12
Registrant: John Smith (john@example.com)
Name Servers: ns1.example.com, ns2.example.com

== SUBDOMAINS FOUND ==
mail.example.com     โ†’ 203.0.113.10
dev.example.com      โ†’ 203.0.113.11 (dev environment!)
old.example.com      โ†’ 198.51.100.5 (old server, may be unpatched)

== EMAILS FOUND ==
john@example.com
admin@example.com
support@example.com

== TECHNOLOGIES ==
Web server: nginx 1.18
CMS: WordPress 6.1
CDN: Cloudflare

== INTERESTING FINDINGS ==
- dev.example.com runs PHP 7.2 (EOL, no security updates)
- GitHub repo "examplecorp/infra" contains commented-out DB password
- LinkedIn shows 3 sysadmin employees โ€” potential social engineering targets
โœ…
Lab Complete! OSINT is Phase 1 of every real engagement. The more you know before scanning, the more targeted and stealthy your active testing can be.
Next: Active Scanning โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands