- DNS lookups
- Identify technical contacts
- Administrator contacts
- Cloud vs. self-hosted
- Social media scraping
  - Key contacts/job responsibilities
  - Job listing/technology stack
- Cryptographic flaws
  - Secure Sockets Layer (SSL) certificates
  - Revocation
- Company reputation/security posture
- Data
  - Password dumps
  - File metadata
  - Strategic search engine analysis/enumeration
  - Website archive/caching
  - Public source-code repositories
- Open-source intelligence (OSINT)
  - Tools
    - Shodan
    - Recon-ng
  - Sources
    - Common weakness enumeration (CWE)
    - Common vulnerabilities and exposures (CVE)
- Tools
- Enumeration
  - Hosts
  - Services
  - Domains
  - Users
  - Uniform resource locators (URLs)
- Website reconnaissance
  - Crawling websites
  - Scraping websites
  - Manual inspection of web links
  - robots.txt
- Packet crafting
  - Scapy
- Defense detection
  - Load balancer detection
  - Web application firewall (WAF) detection
  - Antivirus
  - Firewall
- Tokens
  - Scoping
  - Issuing
  - Revocation
- Wardriving
- Network traffic
  - Capture API requests and responses
  - Sniffing
- Cloud asset discovery
- Third-party hosted services
- Detection avoidance
- Fingerprinting
  - Operating systems (OSs)
  - Networks
  - Network devices
  - Software
- Analyze output from:
  - DNS lookups
  - Crawling websites
  - Network traffic
  - Address Resolution Protocol (ARP) traffic
  - Nmap scans
  - Web logs
- Considerations of vulnerability scanning
  - Time to run scans
  - Protocols
  - Network topology
  - Bandwidth limitations
  - Query throttling
  - Fragile systems
  - Non-traditional assets
- Scan identified targets for vulnerabilities
- Set scan settings to avoid detection
- Scanning methods
  - Stealth scan
  - Transmission Control Protocol (TCP) connect scan
  - Credentialed vs. non-credentialed
- Nmap
  - Nmap Scripting Engine (NSE) scripts
  - Common options
    - -A
    - -sV
    - -sT
    - -Pn
    - -O
    - -sU
    - -sS
    - -T 1-5
    - --script=vuln
    - -p
- Vulnerability testing tools that facilitate automation