![](https://blog.stevesec.com/wp-content/uploads/2024/05/FLn_JQgXMAAnl-S.jpg)
Identifying and Surveying the Target
- Check for Autonomous System Numbers (ASNs) to see what IP addresses are accessible on a network.
- Use LinkedIn to identify software that might be used within the organization.
  - Joe Schmo from IT might know the web stack (e.g., HTML, CSS, JavaScript, PHP) and talk about what projects they are currently working on.
  - Jane Doe might know how to use certain human resource (HR) technology and collect resumes.
- Use ZoomInfo (if able to get an account) as this will provide a hierarchy of the organization.
- Use OSINT Framework for additional needs.
- Use certain websites such as TruePeopleSearch and ThatsThem to identify specific targets within the organization.
  - This will divulge information about the target such as home addresses, phone numbers, email addresses, and known associates.
- Use Shodan and Censys to identify hosts that contain known vulnerabilities based on hostnames.
  - Use Shodan filters to check hosts owned by the target (e.g., hostname:tesla.com).
  - Use Censys filters the same way as Shodan (e.g., hosts:tesla.com).
- Use the Wayback Machine to identify any interesting directories that might be archived.
- Check mobile application reviews on Google Play Store and Apple Store.
  - Reviews might show bugs and bug fixes.
- Check DNS Dumpster to identify any interesting subdomains and hosts.
  - One vulnerability that might be interesting to some is a subdomain takeover.
  - Once identified, use Wappalyzer to check for the underlying technology stack and use GitHub to identify the technologies used.
- Utilize WiGLE to search for wireless networks on or near the target.
- Public Facebook, Twitter, or Instagram profiles may contain vital information about the organization (e.g., badges, holiday photos).