Collect organisation information

  • Employee information

  • Organisation’s background

  • Phone numbers

  • Locations

Advanced searches

Search engines can be used to gather information about the target organisation. Search results can include , and other information that could be useful.

Search engines continuously crawl the web to index new pages and files, and sometimes this indexes material that was never meant to be public:

  • Information about employees

  • Intranet information

  • Login pages

  • Documents for internal company use

  • Confidential spreadsheets with usernames, email addresses, and even passwords

  • Files containing usernames

  • Sensitive directories

  • Service version numbers (some of which might belong to vulnerable, unpatched software)

  • Error messages

Google dorking

Google dorking (also called Google hacking) is a technique that combines search operators such as site:, filetype:, inurl:, intitle: and intext: into targeted queries. The queries built from these operators are called dorks; they narrow results to a single domain and to the file types, URL patterns or page contents that tend to expose the items listed above.
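As an added example (not code from the original page), the Python below builds one dork per category of exposure for a target domain, drops out-of-scope hosts with -site:, and turns the query into a search URL. The templates and category names are this example's own choices, not an authoritative list.

```python
from urllib.parse import quote_plus

# Dork templates keyed by the kind of exposure they look for (example selection;
# the operator choices are an assumption of this demo, not a complete list).
# Parentheses group the OR alternatives so site: applies to all of them.
DORK_TEMPLATES = {
    "login_pages": 'site:{domain} (inurl:login OR inurl:signin OR intitle:"login")',
    "internal_documents": 'site:{domain} (filetype:pdf OR filetype:docx) "internal use only"',
    "spreadsheets": 'site:{domain} (filetype:xls OR filetype:xlsx OR filetype:csv) intext:password',
    "directory_listings": 'site:{domain} intitle:"index of"',
    "error_messages": 'site:{domain} (intext:"sql syntax" OR intext:"stack trace")',
    "config_and_backups": 'site:{domain} (ext:env OR ext:ini OR ext:conf OR ext:bak)',
}


def build_dorks(domain, exclude_hosts=()):
    """Return {category: query} for one target domain.

    exclude_hosts lists hostnames that are out of scope (for example the public
    marketing site); each one is appended as a -site: exclusion.
    """
    domain = domain.strip().lower().lstrip("*.")  # accept "*.example.com" style input
    exclusions = " ".join(f"-site:{h.strip().lower()}" for h in exclude_hosts)
    dorks = {}
    for name, template in DORK_TEMPLATES.items():
        query = template.format(domain=domain)
        if exclusions:
            query = f"{query} {exclusions}"
        dorks[name] = query
    return dorks


def search_url(query):
    """URL-encode a dork so it can be pasted or scripted as a search request."""
    return "https://www.google.com/search?q=" + quote_plus(query)


if __name__ == "__main__":
    for category, query in build_dorks("Example.com", exclude_hosts=["www.example.com"]).items():
        print(f"{category:20s} {query}")
        print(f"{'':20s} {search_url(query)}")
```

Run the queries by hand rather than scripting them against the search engine: automated querying is rate-limited and may violate the engine's terms, and search engines cache results, so a hit should be confirmed against the live host before it is reported.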

Email footprinting

Email footprinting collects information from email by tracking its delivery (typically through a tracking pixel or a unique link embedded in the message) and by inspecting its headers. Tracking can reveal:

  • IP address of the recipient

  • Geolocation of the recipient

  • Delivery information

  • Visited links

  • Browser and OS information

  • Reading time

Email headers contain information about the sender, the subject, the recipient and every mail server the message passed through. All of this is valuable to an attacker planning an attack on the target.

Information contained in email headers includes:

  • Sender’s name

  • IP address and email address of the sender

  • Mail server

  • Mail server authentication results (SPF, DKIM and DMARC)

  • Send and delivery timestamps

  • Unique message identifier (Message-ID)

Email tracking tools embed a unique tracking element in each outgoing message and inspect the headers of replies to extract useful information. The sender is notified when the email is delivered and when the recipient opens it.
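As an added example (not code from the original page), the Python below parses the headers of a constructed message with the standard library's email module and pulls out the items listed above: the Received chain in transit order, the mail servers that relayed the message, the first public IP in the chain, any internal (RFC 1918) hosts leaked by the sender's own relay, the Message-ID, the mailer and the SPF/DKIM/DMARC results. The sample message, hostnames and addresses are constructed for the demo and use documentation ranges.

```python
import email
import ipaddress
import re

# Constructed sample message for the demo; not a real capture.
# Each relay prepends its own Received header, so the top one is the last hop.
SAMPLE_RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by mail.target.example (Postfix) with ESMTPS id 4Fq2kX1z9
    for <alice@target.example>; Mon, 03 Jun 2024 09:15:02 +0000
Received: from smtp.example.org (smtp.example.org [198.51.100.25])
    by mx.example.org (Postfix) with ESMTPS id 7Hd9pL
    for <alice@target.example>; Mon, 03 Jun 2024 09:15:00 +0000
Received: from bobs-pc.corp.example.org ([10.0.0.5])
    by smtp.example.org (Postfix) with ESMTPSA id 1abc23
    for <alice@target.example>; Mon, 03 Jun 2024 09:14:58 +0000
Authentication-Results: mail.target.example; spf=pass smtp.mailfrom=example.org;
    dkim=pass header.d=example.org; dmarc=pass
From: Bob Example <bob@example.org>
To: alice@target.example
Subject: Q2 figures
Date: Mon, 03 Jun 2024 09:14:50 +0000
Message-ID: <20240603091450.1abc23@smtp.example.org>
X-Mailer: Thunderbird 115.0

Hello Alice, figures attached.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed literal IPs in Received
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")           # the relay that added the header
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")        # results in Authentication-Results

# Ranges that never identify a public endpoint (RFC 1918 and loopback). Checked
# explicitly rather than via ip_address().is_private, which also flags the
# documentation ranges used in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(value.split())


def received_hops(msg):
    """Received headers in transit order (oldest first)."""
    return [unfold(h) for h in reversed(msg.get_all("Received", []))]


def footprint(raw):
    """Extract the footprinting-relevant fields from a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    ips = [ip for hop in hops for ip in IPV4_RE.findall(hop)]
    internal = [ip for ip in ips if is_internal(ip)]
    public = [ip for ip in ips if not is_internal(ip)]
    auth = dict(AUTH_RE.findall(unfold(msg.get("Authentication-Results", ""))))
    return {
        "sender": unfold(msg.get("From", "")),
        "message_id": msg.get("Message-ID"),
        "mailer": msg.get("X-Mailer"),
        "mail_servers": [m.group(1) for m in (BY_RE.search(h) for h in hops) if m],
        "internal_hosts": internal,          # leaked by the sender's own relay
        "originating_ip": public[0] if public else None,
        "auth": auth,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in footprint(SAMPLE_RAW_EMAIL).items():
        print(f"{key:16s} {value}")
```

Only the Received header added by your own server can be trusted: every earlier hop was written by someone else's relay and can be forged, so treat the chain as evidence to correlate, not as ground truth.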

Asset discovery

Asset discovery involves first collecting all the company names owned by a main company and then all the assets of those companies:

  • Find the acquisitions of the main company; these give the companies inside the scope.

  • Find the ASN (if any) of each company; this gives the IP ranges owned by each company.

  • Use reverse whois lookups to search for other entries (organisation names, domains…) related to the first one, and repeat recursively on everything found.

  • Shodan filters such as org: and ssl: (which matches the organisation name in certificate subjects) can surface further assets; new names found in certificates can be fed back into the search recursively.
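As an added example (not code from the original page) of the ASN and reverse-whois steps above, the Python below parses route objects from a constructed excerpt of a RADB response, then expands the scope by pivoting organisation -> domains -> organisations recursively over a constructed reverse-whois dataset. The lookup functions are injected so the same breadth-first expansion can later be backed by a real reverse-whois source; the `ignore` set keeps registrar privacy proxies, which appear on thousands of unrelated domains, from pulling in false positives. AS64496, the organisation names and the domains are assumptions for the demo.

```python
import re
from collections import deque

# Constructed excerpt in the format returned by
#   whois -h whois.radb.net -- '-i origin AS64496'
# (AS64496 is a documentation ASN; the prefixes are documentation ranges).
SAMPLE_RADB = """\
route:          203.0.113.0/24
descr:          EXAMPLE-CORP
origin:         AS64496
source:         RADB

route6:         2001:db8:100::/48
descr:          EXAMPLE-CORP
origin:         AS64496
source:         RADB
"""

ROUTE_RE = re.compile(r"^route6?:\s+(\S+)", re.MULTILINE)


def parse_routes(radb_text):
    """Return the IPv4/IPv6 prefixes announced by the queried origin ASN."""
    return ROUTE_RE.findall(radb_text)


# Constructed reverse-whois results: organisation -> domains registered to it,
# and domain -> organisations appearing on its record.
REVERSE_WHOIS_BY_ORG = {
    "Example Corp": ["example.com", "example.net"],
    "Example Labs Ltd": ["examplelabs.io"],
    "Privacy Proxy LLC": ["unrelated-shop.example", "someone-else.example"],
}
REVERSE_WHOIS_BY_DOMAIN = {
    "example.com": ["Example Corp"],
    "example.net": ["Example Corp", "Example Labs Ltd"],
    "examplelabs.io": ["Example Labs Ltd", "Privacy Proxy LLC"],
}


def expand_scope(seed_org, lookup_domains, lookup_orgs, ignore=frozenset()):
    """Breadth-first pivot org -> domains -> orgs until nothing new appears.

    lookup_domains(org) and lookup_orgs(domain) wrap whatever reverse-whois
    source is available; `ignore` holds names that must not be expanded.
    """
    orgs, domains = {seed_org}, set()
    queue = deque([seed_org])
    while queue:
        org = queue.popleft()
        for domain in lookup_domains(org):
            if domain in domains:
                continue
            domains.add(domain)
            for other in lookup_orgs(domain):
                if other in orgs or other in ignore:
                    continue
                orgs.add(other)
                queue.append(other)
    return sorted(orgs), sorted(domains)


def shodan_queries(org_names):
    """Shodan filter strings to run for each organisation name found."""
    return [f'org:"{name}"' for name in org_names] + [f'ssl:"{name}"' for name in org_names]


if __name__ == "__main__":
    print("prefixes:", parse_routes(SAMPLE_RADB))
    orgs, domains = expand_scope(
        "Example Corp",
        lambda o: REVERSE_WHOIS_BY_ORG.get(o, []),
        lambda d: REVERSE_WHOIS_BY_DOMAIN.get(d, []),
        ignore={"Privacy Proxy LLC"},
    )
    print("orgs:", orgs)
    print("domains:", domains)
    print("shodan:", shodan_queries(orgs))
```

Anything the expansion adds is a candidate, not a confirmed asset: a shared registrant name or a hosting provider on a certificate subject will link unrelated companies, so each new organisation should be verified (and agreed with the client) before it goes into scope.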

Investigating social media

The private world of yesterday is now an online world. Everyone with a search engine has open access to social networks, government databases, and public records.

Social media platforms are popular for corporate as well as personal use, and some of them can reveal a great deal about a target, especially because many users overshare details about themselves and their work. To name but a few, it is worthwhile checking the following:

  • LinkedIn

  • Twitter

  • Facebook

  • Instagram

  • Google groups

Social media scraping can automate the discovery of names, email addresses, phone numbers and biographies.

Visit job listing sites

Job advertisements can also tell a lot about an organisation. In addition to revealing names and email addresses, job posts for technical positions can give insight into the target's systems and infrastructure (the products, programming languages and tooling listed as requirements). The popular job sites vary from one country to another, so check the job listing sites in the countries where the target would post its ads. It is also always worth checking the target's own website for job openings and seeing whether they leak any interesting information.