Recon Methods Part 2 – OSINT Host Discovery Continued

by Corey Overstreet

In part 1, we discussed how to start with a target’s name and research a company’s history through Wikipedia, gain information about external hosts with DNSDumpster, and continue host discovery with Hurricane Electric’s BGP Toolkit. We will continue our recon by searching Shodan, using SSL certificate search engines, SpyOnWeb, Archive.org, and viewing job listings. As an example, we will take a look at a company that recently restructured. Although this information is publicly available, we have chosen to redact the name of the company and identifiable information from the results.

Shodan

We’ll continue our recon with Shodan. Shodan is a search engine for devices on the internet. When it finds a device, it records the available services, the headers returned during its interactions with the host, and the geolocation of the IP address. We can use this information when profiling the attack surface of our target. Shodan offers a web interface and a command line tool. The web interface gives a concise rundown of the available services, the headers and SSL session information recorded while interacting with the host, the ASN and ISP for the IP address, and the geolocation of the IP address.


Shodan also offers a command line interface (CLI). The Shodan CLI is the easier option when a target has a large number of hosts/IP addresses. The web interface returns the same results, but we would have to click through each result one by one, whereas the Shodan CLI can return all of the results as JSON for further parsing.
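As an added example of the "further parsing" step (this is not code from the article or from the shodan package), the script below reads the newline-delimited JSON that `shodan download` writes (gzipped) and `shodan parse` can print, groups banners by IP, and flags hosts exposing management ports. The field names it reads (ip_str, port, transport, product, hostnames, org, ssl.cert.subject.CN) follow Shodan's banner schema; SAMPLE_BANNERS is constructed data on documentation addresses, not real scan results, and RISKY_PORTS is an assumed list.

```python
"""Per-host attack-surface summary from Shodan banner records.

Added example, not Red Siege's code and not part of the shodan CLI.
Reads newline-delimited JSON banners (what `shodan download` stores and
`shodan parse` prints) and summarizes them per IP. SAMPLE_BANNERS is
constructed data; RISKY_PORTS is an assumed starting list.
"""
import json
import sys
from collections import defaultdict

# Constructed sample: three banners covering two hosts (documentation IPs).
SAMPLE_BANNERS = "\n".join(json.dumps(b) for b in [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
     "product": "nginx", "hostnames": ["www.example.com"],
     "org": "Example Corp", "asn": "AS64496",
     "ssl": {"cert": {"subject": {"CN": "www.example.com"}}}},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "hostnames": [],
     "org": "Example Corp", "asn": "AS64496"},
    {"ip_str": "203.0.113.25", "port": 3389, "transport": "tcp",
     "product": None, "hostnames": ["rdp.example.com"],
     "org": "Example Corp", "asn": "AS64496"},
])

# Ports worth flagging on a first pass (assumed list; adjust per engagement).
RISKY_PORTS = frozenset({21, 22, 23, 445, 1433, 3306, 3389, 5900})


def parse_banners(ndjson):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def summarize_hosts(banners):
    """Group banners by IP: open ports, hostnames (incl. cert CN), products, org."""
    hosts = defaultdict(lambda: {"ports": set(), "names": set(),
                                 "products": set(), "org": None})
    for b in banners:
        h = hosts[b["ip_str"]]
        h["ports"].add((b["port"], b.get("transport", "tcp")))
        h["names"].update(b.get("hostnames") or [])
        # The certificate subject CN often names a host no DNS record points at.
        cn = ((b.get("ssl") or {}).get("cert") or {}).get("subject", {}).get("CN")
        if cn:
            h["names"].add(cn.lower())
        if b.get("product"):
            h["products"].add(b["product"])
        h["org"] = h["org"] or b.get("org")
    return {ip: {"ports": sorted(v["ports"]), "names": sorted(v["names"]),
                 "products": sorted(v["products"]), "org": v["org"]}
            for ip, v in hosts.items()}


def flag_risky(summary, risky=RISKY_PORTS):
    """IPs exposing any port in `risky`, mapped to the sorted list of those ports."""
    out = {}
    for ip, h in summary.items():
        hits = sorted(p for p, _ in h["ports"] if p in risky)
        if hits:
            out[ip] = hits
    return out


if __name__ == "__main__":
    # Usage: zcat results.json.gz | python3 shodan_summary.py
    # With no piped input the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BANNERS
    summary = summarize_hosts(parse_banners(data))
    for ip, h in sorted(summary.items()):
        print(ip, h["org"], h["ports"], h["names"], h["products"])
    print("risky:", flag_risky(summary))
```

The per-IP names list is the useful output for the next recon step: hostnames and certificate CNs that Shodan saw on an address are candidates to resolve, add to scope, and cross-check against the DNS and BGP results from part 1.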

SSL Certificate Search

Another host discovery method we use is SSL certificate search engines such as crt.sh and Censys. Both search engines provide results based on SSL certificates observed while scanning the internet ...
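As an added example (not code from the article), the script below turns crt.sh output into a hostname list. crt.sh returns a JSON array for a query such as https://crt.sh/?q=%25.example.com&output=json, with name_value holding the certificate's names separated by newlines; the keys read here (name_value, issuer_name, not_after) come from that output. SAMPLE_CRTSH is constructed data and REFERENCE_DATE is a fixed date standing in for the wall clock so the result is reproducible. The point worth showing is that names appearing only on expired certificates are often forgotten hosts, which is exactly what external recon is looking for.

```python
"""Hostnames from crt.sh certificate-transparency results.

Added example, not Red Siege's code. Parses the JSON array crt.sh returns
for https://crt.sh/?q=%25.<domain>&output=json. SAMPLE_CRTSH is constructed
data and REFERENCE_DATE is a fixed stand-in for "now".
"""
import json
import sys
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output (not a real query result).
SAMPLE_CRTSH = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "id": 101, "entry_timestamp": "2023-12-01T00:00:00",
     "not_before": "2023-12-01T00:00:00", "not_after": "2024-03-01T00:00:00",
     "serial_number": "01"},
    {"issuer_ca_id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "id": 102, "entry_timestamp": "2023-06-01T00:00:00",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T00:00:00",
     "serial_number": "02"},
    {"issuer_ca_id": 3, "issuer_name": "C=US, O=Example Corp, CN=Example Internal CA",
     "common_name": "legacy-mail.example.com",
     "name_value": "legacy-mail.example.com\npostmaster@example.com",
     "id": 103, "entry_timestamp": "2018-03-01T00:00:00",
     "not_before": "2018-03-01T00:00:00", "not_after": "2019-03-01T00:00:00",
     "serial_number": "03"},
])

# Fixed reference date (assumed) so the sample gives the same answer every run.
REFERENCE_DATE = datetime(2024, 1, 15)


def in_scope(name, apex):
    """Keep only the apex itself and names beneath it."""
    return name == apex or name.endswith("." + apex)


def extract_names(crtsh_json, apex, now=REFERENCE_DATE):
    """Map each in-scope DNS name to {wildcard, current, issuers}.

    `current` is True if at least one certificate carrying the name has not
    yet expired at `now`. Email-address SANs and out-of-scope names are dropped.
    """
    names = {}
    for entry in json.loads(crtsh_json):
        expired = datetime.fromisoformat(entry["not_after"]) < now
        for raw in entry["name_value"].split("\n"):
            n = raw.strip().lower()
            if not n or "@" in n or not in_scope(n, apex):
                continue
            rec = names.setdefault(n, {"wildcard": n.startswith("*."),
                                       "current": False, "issuers": set()})
            rec["current"] = rec["current"] or not expired
            rec["issuers"].add(entry["issuer_name"])
    return names


def stale_names(names):
    """Concrete names seen only on expired certificates: forgotten-host leads."""
    return sorted(n for n, r in names.items()
                  if not r["current"] and not r["wildcard"])


def concrete_hosts(names):
    """Non-wildcard names to feed into DNS resolution and the next scan."""
    return sorted(n for n, r in names.items() if not r["wildcard"])


if __name__ == "__main__":
    # Usage: curl -s 'https://crt.sh/?q=%25.example.com&output=json' \
    #        | python3 crtsh_names.py example.com
    apex = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRTSH
    found = extract_names(data, apex, now=datetime.now())
    print("hosts:", concrete_hosts(found))
    print("stale:", stale_names(found))
```

Wildcard entries are kept in the map but excluded from the host list, since `*.example.com` tells you a wildcard cert exists, not which hosts use it; Censys results can be fed through the same name filter once flattened to the same shape.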

Full article: https://www.redsiege.com/blog/2020/02/recon-methods-part-2-osint-host-discovery-continued/

