Chapter 9 Open Source Intelligence

Searching is half the fun: life is much more manageable when thought of as a scavenger hunt as opposed to a surprise party.

9.1 Introduction

An important part of being a penetration tester is gathering as much information about the systems as possible. In this lab we will explore three information gathering tools.

  • DNS Lookup tools
  • Harvester
  • Maltego
  • Password Lists

9.2 WhoIs

Domain Registrars keep information on their host this information is public available. The WHOIS linux command also you query this information.

Step 1 Open the terminal and type: whois

[Include screenshot]

The whois command will return the information that domain registrar has on the domain. To begin collecting formation on the an their network.

9.3 The Harvester

Harvester is a tool that utilizes that lets you search Google, Bing, Linked-In, PGP (public key servers for email addresses that belong to a specific domain.)

Step 1 Open terminal and type theharvester. You will see a list of all the options that the harvester support

[include a screen shot]

Step 2 Run the following command in the linux terminal

theharvester -d microsoft -l 200 -b linkedin 

This will list the first reasources that finds by searching linkedin that are related to the microsoft domain.

[Include screen shot]

9.4 Maltego:

The first tool that we will look at is maltego is a liny analysis tool that allows us to analyze links between entities. These entities could be websites, domains, networks.
Let’s get started by setting up Maltego.

Step 1 Click on the maltego icon in Kali Linux.

[Include Screen Shot]

Step 2 Create an account. Don’t use your readdress. Use to create a fake email account.

[You you get blocked, download Opera and enable the VPN.

[Include Screen Shot]

Step 3 Select the option to create a new graph.

[Include Screen]

Step 4 Add a domain entity to graph (enter in the entity)

[Include Screen]

Step 5 Run all transforms on the entity.

[Include Screen Shot]

Step 6 Install the additonal transforms by selecting transforms ->TransformsHub (Install the haveibeenpwned tranform)

[Include Screen Shot]

Step 7: Go back to graph run the haveibeenpwnd. (Transform on people that you have found)

[Screen Shot hide names]

9.5 List of comprised passwords.

Great you run maltego and have discovered that someone password in contained in one of these list. The question now becomes. How do you obtain this list? A list of “clear text” pwned passwords are available here. You will need a torrent client.

###BONUS section: Great hackers write their own tools. See if you could write a program that takes the email address that are output by the harvester plugin and test them against, the API. Here is the link to the API .