Cookie's Red Team Recipe

OSINT

Tools

Dig

Domain Name System (DNS) records can provide a wealth of information regarding services that may be exposed to the Internet, but here there be dragons.

The "target" we're going to attack in the lab is an organisation called Cyberbotic. Their domain name is cyberbotic.io. We can start off by performing a simple lookup of any A records for this domain.

$ dig cyberbotic.io

;; QUESTION SECTION:
;cyberbotic.io.                 IN      A

;; ANSWER SECTION:
cyberbotic.io.          0       IN      A       172.67.205.143
cyberbotic.io.          0       IN      A       104.21.90.222

When we browse to https://cyberbotic.io, we are actually being sent to Cloudflare, which proxies the traffic between us and a back-end web server. The issue is that we don't know whether the web server is hosted on the premises of the target organisation or in another 3rd party cloud service. You must confirm this with the client: providers such as Amazon and Azure have specific rules and/or require explicit permission before you are able to carry out any security assessments hosted on, or performed from, their infrastructure. You may also come across IP addresses that belong to Internet Service Providers (ISPs), as some organisations rent their public address space.

Whois

Performing a whois on each public IP address can show who it belongs to. Here we can see that it resolves to a 3rd party provider, Cloudflare.

$ whois 172.67.205.143

OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2021-01-11
Ref:            https://rdap.arin.net/registry/entity/CLOUD14

Cloud

Some Software as a Service (SaaS) offerings require DNS records on the target domain in order to point towards those services. A notable example is Microsoft's Office 365, which can be found at autodiscover.target-domain. If the target uses these SaaS services for email and/or document storage etc, it may be possible to gain access to your objective without ever needing to compromise their network.

Subdomains can also provide insight into other publicly available services, which could include webmail, remote access solutions such as Citrix, or a VPN. Tools such as dnscan come with lists of popular subdomains.

DNScan

/dnscan$ ./dnscan.py -d cyberbotic.io -w subdomains-100.txt
[*] Processing domain cyberbotic.io
[*] Using system resolvers: 172.19.80.1
[+] Getting nameservers
172.64.32.56 - adi.ns.cloudflare.com
173.245.58.56 - adi.ns.cloudflare.com
108.162.192.56 - adi.ns.cloudflare.com
cyberbotic.io
172.64.33.220 - pablo.ns.cloudflare.com
173.245.59.220 - pablo.ns.cloudflare.com
108.162.193.220 - pablo.ns.cloudflare.com
cyberbotic.io
[-] Zone transfer failed

[+] IPv6 (AAAA) records found. Try running dnscan with the -6 option.
2606:4700:3037::ac43:cd8f
2606:4700:3033::6815:5ade

[-] DNSSEC not supported

[+] MX records found, added to target list
10 mail.cyberbotic.io.

[*] Scanning cyberbotic.io for A records
172.67.205.143 - cyberbotic.io
104.21.90.222 - cyberbotic.io
172.67.205.143 - www.cyberbotic.io
104.21.90.222 - www.cyberbotic.io
10.10.15.100 - mail.cyberbotic.io

Email Security

Weak email security (SPF, DMARC and DKIM) may allow us to spoof emails so that they appear to come from the target's own domain. Spoofy is a Python tool that can verify the email security of a given domain.

~/Spoofy$ pip3 install -r requirements.txt
~/Spoofy$ python3 spoofy.py -d cyberbotic.io -o stdout
[*] Domain: cyberbotic.io
[*] Is subdomain: False
[*] DNS Server: 1.1.1.1
[?] No SPF record found.
[?] No DMARC record found.
[+] Spoofing possible for cyberbotic.io
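To make the Spoofy verdict above concrete, here is an added, offline evaluation of the SPF and DMARC records it inspects (example code written for this page, not Spoofy's own logic, which is more detailed). The TXT records are constructed samples; in practice they come from DNS lookups of the domain and of _dmarc.<domain>, and the "hardened" record values are assumptions.

```python
import re

def find_spf(txt_records):
    """Return the domain's SPF record (the TXT starting 'v=spf1'), or None."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None

def spf_all_qualifier(spf_record):
    """Qualifier of the 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass (everyone). An SPF record with no 'all' evaluates to neutral."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf_record, re.IGNORECASE)
    if not m:
        return "?"
    return m.group(1) or "+"

def dmarc_policy(dmarc_txt_records):
    """The p= policy from _dmarc.<domain> (none/quarantine/reject), or None
    when no DMARC record exists. A record without p= is treated as 'none'."""
    for rec in dmarc_txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None

def assess_spoofability(domain_txt, dmarc_txt):
    """Simplified verdict in the spirit of Spoofy's output. A forged mail is
    stopped only when DMARC enforces (quarantine/reject) AND the forger cannot
    pass SPF; '+all' lets any sender pass SPF, which also satisfies DMARC."""
    findings = []
    spf = find_spf(domain_txt)
    qualifier = spf_all_qualifier(spf) if spf else None
    if spf is None:
        findings.append("No SPF record found.")
    elif qualifier == "+":
        findings.append("SPF ends in +all: every sender passes.")
    elif qualifier != "-":
        findings.append("SPF does not hard-fail (%sall instead of -all)." % qualifier)
    policy = dmarc_policy(dmarc_txt)
    enforced = policy in ("quarantine", "reject")
    if policy is None:
        findings.append("No DMARC record found.")
    elif not enforced:
        findings.append("DMARC policy is p=none: monitoring only.")
    return {"spoofing_possible": (not enforced) or qualifier == "+", "findings": findings}

# Constructed sample records: the lab domain's state (nothing published) and an
# assumed hardened configuration (SPF hard fail plus DMARC reject).
LAB = assess_spoofability([], [])
HARDENED = assess_spoofability(["v=spf1 include:_spf.example.net -all"],
                               ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"])
```

The same function flags the weaker intermediate states (~all, p=none) and the counter-intuitive case where +all makes DMARC enforcement moot.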

Google Dorking

Google "dorking" is a fancy way of using Google's advanced search operators to find very targeted information. The Google Hacking Database contains hundreds of examples, but I'll cover some basic uses here.

site: Limit the search results to those from a specific website. site:apple.com

Not so useful by itself, but it will return every page that Google has indexed for the apple.com domain.

intitle: Find pages with a certain word in the title. intitle:apple

This will return every page that contains the word "apple" in the title.

inurl: Find pages with a certain word in the URL. inurl:apple

This will return every page where "apple" appears in the URL.

intext: Find pages containing a certain word (or words) somewhere in the content. intext:apple

This will return every page where "apple" appears in the body text.

filetype: Search for filetypes that Google understands. site:apple.com filetype:pdf

This will return all PDFs on apple.com. Other filetypes such as docx, pptx and xlsx also work. This could be combined with intitle:report to find all PDFs that have "report" in the name. Google does not understand all filetypes, so inurl could be used instead.

#..#: Search for a range of numbers. site:apple.com filetype:pdf 2020..2022

This will return all PDFs on apple.com which contain the numbers 2020, 2021 and 2022. Useful for finding information constrained to a given timeframe.

-: Exclude a phrase. site:apple.com -www -support

This will return pages indexed on apple.com excluding the www and support subdomains. Useful for finding other subdomains.

These dorks can be used to find interesting files, web applications and information.

Social Media

Social media platforms such as LinkedIn, Facebook and Twitter can be a goldmine of information. LinkedIn is especially abundant because it allows (and encourages) people to post information about their skills and experiences. For example, we can go to the Apple or Google LinkedIn page, or use a Google dork, to find their employees, and from there drill down into their profiles. This is useful for getting insight into the possible technology stacks and business processes being used.

You can also find automated scraping tools such as LinkedInt. However, in the case of LinkedIn, they often violate the user agreement, leading to your account being banned. If you have to use an account for scraping purposes, make sure it's a "burner".

Websites such as hunter.io can be used to discover the email addresses of employees. If we enter apple.com, it tells us that the most common pattern for that domain is {f}{last}@apple.com. This means that we don't actually have to find everybody's email address explicitly, but can simply guess based on this pattern. We could scrape a list of Apple employees from LinkedIn and transform their names into email addresses. For instance, Steve Jobs would become s.jobs@apple.com. They won't all be correct, but hopefully a good proportion would be.

Many people also cross-link their social media profiles, so you can find their Twitter/Facebook/Instagram/etc accounts as well. Phishing is still the most prevalent method of compromising a target, and gathering both professional and personal information on targets goes a long way to making those pretexts convincing and enticing.