Really useful in the first phases of a penetration test
XRay is a tool for network OSINT gathering developed by Simone Margaritelli, useful for the initial tasks of information gathering and network mapping.
It brute-forces subdomains using a wordlist and DNS requests; for every subdomain/IP found it retrieves the open ports from Shodan and some historical data from ViewDNS. Finally, for every unique IP address and for every open port, it launches specific banner grabbers and info collectors.
Grabbers and Collectors
HTTP Server, X-Powered-By and Location headers.
HTTP and HTTPS robots.txt disallowed entries.
HTTPS certificates chain.
HTML title tag.
DNS version.bind. and hostname.bind. records.
MySQL, SMTP, FTP, SSH, POP and IRC banners.
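The enumeration step described above (wordlist-driven DNS resolution with a pool of concurrent consumers, then de-duplication to unique IP addresses before any per-host probing) is easy to reproduce for inventorying the hostnames exposed under a domain you administer. The following Go program is an added example, not XRay's own source: it assumes a hypothetical injectable Resolver so the demo runs offline against a constructed lookup table, and the -consumers option of XRay is mirrored only in spirit by the worker-pool size.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"sync"
)

// Resolver resolves a hostname to its IP addresses. Injecting it lets the
// enumeration run against a canned table offline (as in the demo below) or
// against the real system resolver by passing net.LookupHost.
type Resolver func(host string) ([]string, error)

// Result pairs a discovered hostname with the addresses it resolved to.
type Result struct {
	Host string
	IPs  []string
}

// Enumerate tries every word in the wordlist as a label under base and
// returns the hostnames that resolve, sorted by name. A fixed pool of
// `consumers` goroutines drains the job channel (hypothetical reproduction
// of the idea behind XRay's -consumers option, not its implementation).
func Enumerate(base string, wordlist []string, consumers int, resolve Resolver) []Result {
	if consumers < 1 {
		consumers = 1
	}
	jobs := make(chan string)
	var mu sync.Mutex
	var found []Result
	var wg sync.WaitGroup

	for i := 0; i < consumers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for host := range jobs {
				ips, err := resolve(host)
				if err != nil || len(ips) == 0 {
					continue // NXDOMAIN or resolver failure: not a live subdomain
				}
				mu.Lock()
				found = append(found, Result{Host: host, IPs: ips})
				mu.Unlock()
			}
		}()
	}

	seen := make(map[string]bool)
	for _, w := range wordlist {
		w = strings.ToLower(strings.TrimSpace(w))
		if w == "" || seen[w] {
			continue // skip blank and duplicate wordlist entries
		}
		seen[w] = true
		jobs <- w + "." + base
	}
	close(jobs)
	wg.Wait()

	sort.Slice(found, func(i, j int) bool { return found[i].Host < found[j].Host })
	return found
}

// UniqueIPs collapses the results to the distinct addresses behind them,
// the unit that is then probed per open port. Several hostnames often share
// one address, so this step avoids repeating the same banner grabs.
func UniqueIPs(results []Result) []string {
	set := make(map[string]struct{})
	for _, r := range results {
		for _, ip := range r.IPs {
			set[ip] = struct{}{}
		}
	}
	out := make([]string, 0, len(set))
	for ip := range set {
		out = append(out, ip)
	}
	sort.Strings(out)
	return out
}

// fakeTable is a constructed stand-in for DNS so the demo runs offline.
var fakeTable = map[string][]string{
	"www.example.com":  {"192.0.2.10"},
	"mail.example.com": {"192.0.2.20"},
	"dev.example.com":  {"192.0.2.10"}, // shares an address with www
}

// FakeResolve answers from fakeTable and reports everything else as not found.
func FakeResolve(host string) ([]string, error) {
	if ips, ok := fakeTable[host]; ok {
		return ips, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	words := []string{"www", "mail", "dev", "ftp", "vpn", "WWW"}
	results := Enumerate("example.com", words, 4, FakeResolve)
	for _, r := range results {
		fmt.Printf("%-20s %v\n", r.Host, r.IPs)
	}
	fmt.Println("unique IPs:", UniqueIPs(results))
	// Against real DNS for a domain you administer, pass net.LookupHost instead
	// of FakeResolve; every lookup then goes through your configured resolver.
}
```

The worker pool caps how many lookups are in flight at once, which both bounds the load placed on the resolver and makes the query volume predictable enough to recognise in DNS logs; the de-duplication to unique addresses is what keeps the later per-port probing from being repeated for every alias of the same host.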
Anonymity and Legal Issues
The software will rely on your main DNS resolver in order to enumerate subdomains; also, several connections might be directly established from your host to the computers of the network you're scanning in order to grab banners from open ports. Technically, you're just connecting to public addresses with open ports (and there's no port scanning involved, as such information is grabbed indirectly using the Shodan API), but you know, someone might not like such behaviour.
If I were you, I’d find a way to proxify the whole process … #justsaying
Usage: xray -shodan-key YOUR_SHODAN_API_KEY -domain TARGET_DOMAIN

Options:
  -address string      IP address to bind the web ui server to. (default "127.0.0.1")
  -consumers int       Number of concurrent consumers to use for subdomain enumeration. (default 16)
  -domain string       Base domain to start enumeration from.
  -port int            TCP port to bind the web ui server to. (default 8080)
  -preserve-domain     Do not remove subdomain from the provided domain name.
  -session string      Session file name. (default "<domain-name>-xray-session.json")
  -shodan-key string   Shodan API key.
  -viewdns-key string  ViewDNS API key.
  -wordlist string     Wordlist file to use for enumeration. (default "wordlists/default.lst")
In 2002, Johnny Long began to collect interesting Google search queries that uncovered vulnerable systems or sensitive information, and called them "Google dorks".
"Google Dorking" is the method of finding vulnerable targets using Google dorks in order to obtain usernames and passwords, email lists, sensitive documents and website vulnerabilities.
Ethical hackers can use Google Dorking to improve system security, but a black hat could also use this technique for illegal activities, including cyber terrorism, industrial espionage, and identity theft.
Common Vulnerabilities and Exposures is a dictionary of common names for publicly known cybersecurity vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools.
"Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals. Our aim is to collect exploits from submittals and various mailing lists and concentrate them in one, easy-to-navigate database."
Packet Storm provides around-the-clock information and tools in order to help mitigate both personal data and fiscal loss on a global scale. As new information surfaces, Packet Storm releases everything immediately through its RSS feeds, Twitter, and Facebook.
The Vulnerability Laboratory hosts the world's first independent bug bounty hacker community. Leverage its members' skills and creativity to surface your critical vulnerabilities before criminals can exploit them.
“Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we’ve strived to be the community’s source for all things security related. SecurityFocus was formed with the idea that community needed a place to come together and share its collected wisdom and knowledge.”
Checkdesk: Check brings newsrooms and citizen journalists together to verify real-time news anywhere in the world.
Citizen Desk: tool to help aggregate, verify and publish news reports from citizen journalists.
Emergent: Emergent is a real-time rumor tracker. It's part of a research project with the Tow Center for Digital Journalism at Columbia University that focuses on how unverified information and rumor are reported in the media. It aims to develop best practices for debunking misinformation.
FactCheck: a project of the Annenberg Public Policy Center of the University of Pennsylvania.
SurfCanyon: "Real-time contextual search technology that observes user behavior in order to disambiguate intent 'on the fly,' and then automatically bring forward to page one relevant results that might otherwise have remained buried."
There are several output options: -o will write a file in the same format that is printed to screen, -c will write a CSV file, and -w will write an HTML file.
Open-Source INTelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.