Install: claude install-skill sunilgentyala/OmniRed
# OSINT Reconnaissance
## Methodology
### Phase 1 — Scope definition and initial collection
```
Target: domain, IP ranges, org name, LinkedIn company page, stock ticker
Deliverables: attack surface map, employee list, technology stack, exposed assets
```
### Phase 2 — Domain and infrastructure enumeration
```bash
# DNS enumeration
# dig takes the record type as a bare argument, not as a +option. Most authoritative
# servers now answer ANY with a minimal reply (RFC 8482), so query the useful types explicitly too.
dig target.com ANY +noall +answer
dig target.com NS +short; dig target.com MX +short; dig target.com TXT +short
nslookup -type=ANY target.com
fierce --domain target.com
# dnsx reads hosts from stdin (-d is for wordlist bruteforce); -resp prints the answers
echo target.com | dnsx -a -aaaa -cname -mx -ns -txt -resp
# ASN and IP range discovery
whois -h whois.radb.net -- '-i origin AS12345'   # replace AS12345 with the target's ASN
# bgp.he.net: manual lookup in a browser (search by org name, ASN or prefix)
amass intel -org "Target Corp"
# Certificate transparency (fast subdomain discovery)
# jq -r drops the JSON quotes; one name_value can hold several SANs on separate lines; sed strips wildcards
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u
```
### Phase 3 — Subdomain enumeration
```bash
# Passive (no direct target contact)
amass enum -passive -d target.com
subfinder -d target.com -all
assetfinder --subs-only target.com      # without --subs-only it also returns related apex domains
findomain -t target.com
# Active (sends DNS queries to the target's nameservers; stay inside the agreed scope)
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
# puredns needs a list of trusted resolvers to filter wildcard and poisoned answers
puredns bruteforce /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt target.com -r resolvers.txt
# Combine, resolve, then probe (httpx here is projectdiscovery's prober, not the Python package)
cat passive.txt active.txt | sort -u | dnsx -silent | httpx -status-code -title -tech-detect
```
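The crt.sh output from Phase 2 and the tool output from Phase 3 need the same cleanup before they are merged: names are mixed case, a single `name_value` can carry several SANs separated by newlines, wildcards carry a `*.` prefix, and a naive substring match on `target.com` lets look-alike domains slip into scope. The script below, added here as an example and not part of OmniRed or any of the tools above, does that normalization on a constructed crt.sh response and a constructed passive-tool listing; `target.com` is the same placeholder scope the page uses.

```python
"""Normalize and merge subdomain candidates from crt.sh JSON and passive tool output."""
import json
import re

SCOPE = "target.com"  # placeholder scope domain, as on the page

# Constructed sample of the JSON crt.sh returns for ?q=%.target.com&output=json.
# Real entries carry more fields (issuer_name, not_before, ...); only name_value matters here.
CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\napi.target.com"},   # one cert, two SANs, newline-separated
    {"name_value": "*.dev.target.com"},                 # wildcard: keep the base name
    {"name_value": "Mail.Target.COM"},                  # mixed case: CT logs are not normalized
    {"name_value": "target.com.lookalike.example"},     # substring match only, NOT in scope
    {"name_value": "api.target.com"},                   # duplicate across certificates
    {"name_value": "target.com"},                       # the apex itself
])

# Constructed stdout from a passive tool such as subfinder or assetfinder.
PASSIVE_OUTPUT = "www.target.com\nVPN.target.com\n\nvpn.target.com\n"

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name, scope):
    """Lower-case, strip a leading wildcard and trailing dot, then reject anything
    outside scope or syntactically invalid. Returns the cleaned hostname or None."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Suffix check on a label boundary: 'target.com.lookalike.example' must not pass.
    if name != scope and not name.endswith("." + scope):
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def crtsh_names(raw_json, scope):
    """Extract in-scope hostnames from crt.sh JSON, splitting multi-SAN name_value fields."""
    found = set()
    for entry in json.loads(raw_json):
        for candidate in entry.get("name_value", "").split("\n"):
            cleaned = normalize(candidate, scope)
            if cleaned:
                found.add(cleaned)
    return found


def tool_names(output, scope):
    """Same normalization for newline-delimited tool output; blank lines are ignored."""
    return {n for n in (normalize(line, scope) for line in output.splitlines()) if n}


def merge(*sources):
    """Union of every source, sorted, ready to pipe into dnsx/httpx."""
    return sorted(set().union(*sources))


if __name__ == "__main__":
    hosts = merge(crtsh_names(CRTSH_JSON, SCOPE), tool_names(PASSIVE_OUTPUT, SCOPE))
    print("\n".join(hosts))
```

In practice replace `CRTSH_JSON` with the body of the curl request from Phase 2 and `PASSIVE_OUTPUT` with the concatenated passive and active result files; the scope check is the part worth keeping even if the rest is replaced by shell one-liners, because a `grep target.com` would have kept the look-alike domain.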
### Phase 4 — Email harvesting
```bash
# Source names differ between theHarvester versions; run `theHarvester -h` to see which yours supports
theHarvester -d target.com -l 500 -b google,bing,yahoo,linkedin,twitter
# hunter.io API: email pattern discovery (e.g. first.last@) and address verification
# phonebook.cz: email / subdomain / URL search
# emailrep.io: reputation scori