Attacking Infrastructure — PT0

L0k1
4 min read · Jan 19, 2024


This article will not provide detailed, step-by-step instructions on “How to Do It.” Instead, it will offer a checklist of some preparations you should make and information you should have in place before starting.

This is the first part of a series. Let’s begin.

-> Mindset

Keep in mind that information gathering is not just the most important phase of hacking; it is also not a linear process. It is closer to a cyclical one, so be prepared to repeat the steps as needed throughout the engagement, every time you find something new. That is essential, not optional. Also, carefully define your initial scope so that you can start from a small target (like a company name) and systematically uncover more details (like employee habits).

-> Planning

Before beginning your information gathering, learn how to use XMind or a similar mind-mapping tool to organize your thoughts and findings. This will let you easily share your reconnaissance with your team.

Focus Areas

There are two main areas of focus:

Business: gather non-technical details like stakeholders, assets, products, services, employees, etc.

Infrastructure: technical aspects like IPs, domains, and systems.

We will leave the infrastructure side for part 2; for now we will talk about business.

For the business side, our top priorities are:

1- Web Presence:

What are the primary domains associated with the organization’s online presence?
Are there any subdomains or affiliated websites linked to the main domain?

⇒ A quick search for the trade name (“Example Inc.”) or just the company name will answer this question.

2- Leadership Team:

Who are the key members of the organization’s leadership team?
What are the professional backgrounds and experiences of the leadership team members? Are they technical?

⇒ Only two words: LinkedIn | annual report.

3- Physical Locations:

Can we find the physical offices or locations of the organization?
How many branches are there, and in which regions are they located? Which one is the most secure (it should hold the important data)?

⇒ You can find those answers in the “About Us” section of their website, or on their LinkedIn profile.

4- Employees:

Profiling employees is very important: gather as much as you can about them, their weak points, and what they are unaware of. How many employees does the organization have, and what are their job roles?

⇒ LinkedIn is your best friend!

5- Contact Information:

What are the various ways to get in touch with the organization, including physical address, phone number, and email?
Is there a preferred method of contact for specific inquiries or departments?

6- Training and Development Programs:

What information is available about the training and development programs offered by the organization?

7- Governance Structure:

What is the organizational structure, including the board of directors?
How often is the governance structure reviewed or updated?

8- Harvesting:

What types of documents are publicly available that provide insights into the organization’s operations and policies?
How frequently are these documents updated or released?

In this section, we care about company documents that detail the company structure: DB files, diagrams, documentation, spreadsheets, and company or employee accounts/e-mails on all social platforms.

⇒ Note: all of that can help, especially in metadata analysis: who created a document, when, and which software it was built with.
⇒ FOCA and theHarvester may be useful in this phase.
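As an added example (not from the original article), here is the defender's side of the metadata point above: a small Python audit that reads the creator, last editor, timestamp and authoring application out of a .docx package, and a scrub step that strips them before a document is published. The package, its values and the function names are my own constructed demo data, not a real Word file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML namespaces of the two document-properties parts inside a .docx zip.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Package part -> {report key: element that records who / when / which software}
FIELDS = {"docProps/core.xml": {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy",
                                "created": "dcterms:created", "modified": "dcterms:modified"},
          "docProps/app.xml": {"application": "ep:Application", "company": "ep:Company"}}

def extract_docx_metadata(docx_bytes):
    """Audit step: return the identifying properties found in a .docx package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, fields in FIELDS.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields.items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    found[key] = node.text.strip()
    return found

def scrub_docx_metadata(docx_bytes):
    """Mitigation step: return a copy with those properties removed, to run before publishing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile((out := io.BytesIO()), "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in FIELDS:  # drop only the leaking elements, keep the rest of the part intact
                root = ET.fromstring(data)
                for path in FIELDS[name].values():
                    for node in root.findall(path, NS):
                        root.remove(node)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docx():
    """CONSTRUCTED stand-in for a published .docx (demo values only, not a real Word file)."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"><dc:creator>j.doe</dc:creator>'
            '<cp:lastModifiedBy>LAB\\admin</cp:lastModifiedBy><dcterms:created>2024-01-10T09:15:00Z</dcterms:created></cp:coreProperties>').format(**NS)
    app = '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application><Company>Example Inc.</Company></Properties>'.format(**NS)
    with zipfile.ZipFile((out := io.BytesIO()), "w") as z:
        for part, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", "<document/>")):
            z.writestr(part, xml)
    return out.getvalue()
```

Running `extract_docx_metadata` over the documents already on a public website shows exactly what an attacker's metadata pass would see; running `scrub_docx_metadata` in the publishing pipeline closes that gap.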

9- Financial Information, Partnerships, and Collaborations:

Where can one obtain detailed information about the organization’s financial standing and performance? Can you identify key business mergers, acquisitions, and partnerships involving the organization?

⇒ Our dear Crunchbase and Inc.com will handle those questions (companies, people, investors, and financial info).

10- Job Postings (My Fav):

What job opportunities are currently available within the organization?
Are they looking for a system administrator, network engineer, etc.? All of that could be a weak point if we know how to use it.
⇒ Notice that you can identify which technologies they use just from their job posts (the requirements section).

⇒ LinkedIn, Indeed, Glassdoor, Monster, CareerBuilder, SimplyHired, and the career pages on their websites.

Note: There is a huge number of resources and tools in this area, and all of this is just 0.1% of the knowledge, so you are going to need to keep practicing and searching.

Here are some GitHub repos and tools that can help you in your investigation during this phase:

1- Awesome-osint: a curated list of amazingly awesome open source intelligence tools and resources.

2- linkedin2username: generate username lists from companies on LinkedIn.

3- Buster: uses hunter.io to get information from company emails.

4- AwesomeSearchEngines

5- OSINT-CHEAT-SHEET

-> Until we meet again, Happy H4cking :)
