# How to Start

## Tools

| Name | Purpose |
| :--- | :--- |
| Googler | Search links and, with them, domain names from your target's environment |
| HTTrack | Download a website for local reconnaissance |

## Search on Google

Open Googler and search for the target's name to find its websites. Note down all domain names you find and identify its main website (normally the one with the most occurrences).

**Command:** `googler -n 100 --np <target name> | grep 'http'`

![](/assets/recon-start-googler_target_search.png)

Now use the main website's domain and search for sites with different TLDs (TLD expansion). Exclude the main domain, as it is already known and would only clutter the results.

**Command:** `googler -n 100 --np "site:www.<domain>.* -site:<main domain>" | grep 'http'`

![](/assets/recon-start-googler-expandTLD.png)

As our last step with Googler, we will search for hosts in all domains we found so far.

**Command:** `googler -n 100 --np "site:*.<domain> -site:www.<domain>" | grep 'http'`

![](/assets/recon-start-googler-hostsearch.png)
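The three Googler commands above leave you with a pile of URL lines to sort by hand. The following script is an added example (not part of the original page and not a Googler feature) that does the "note down all domain names and identify the main website" step systematically: it pulls every URL out of the lines, reduces each to its hostname, groups hosts by registered domain, and ranks the domains by how often they occur. The input lines here are constructed sample output; in practice you would feed it the `grep 'http'` output, or the HTML files of a mirrored site, which contain URLs in the same form. The `registered_domain` helper is a deliberate simplification that treats the last two labels as the domain and does not know public-suffix rules such as `co.uk`.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Matches http(s) URLs embedded in arbitrary text (search output, HTML, notes).
URL_RE = re.compile(r'https?://[^\s"<>\)]+')

# Constructed sample input, shaped like `googler ... | grep 'http'` output.
SAMPLE = """\
https://www.example.com/about-us
https://www.example.com/products
http://careers.example.com/jobs
https://www.example.com/contact
https://example.net/press
https://www.example-partner.org/news/example-com-deal
https://WWW.Example.com:443/investors
"""


def extract_hosts(lines):
    """Return the hostname (lower-cased, port stripped) of every URL found in lines."""
    hosts = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname  # hostname already drops the port and lower-cases
            if host:
                hosts.append(host.lower())
    return hosts


def registered_domain(host):
    """Naive registered domain: the last two labels of the hostname.

    Assumption/simplification: no public-suffix handling, so 'shop.example.co.uk'
    would wrongly collapse to 'co.uk'. Good enough for a first sort of search results.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def summarise(lines):
    """Group hosts by registered domain, count occurrences and pick the most frequent one.

    Returns a dict with:
      main_domain   - the registered domain seen most often (None if no URLs found)
      domain_counts - occurrences per registered domain
      hosts         - sorted list of distinct hostnames per registered domain
    """
    hosts = extract_hosts(lines)
    counts = Counter(registered_domain(h) for h in hosts)
    per_domain = defaultdict(set)
    for h in hosts:
        per_domain[registered_domain(h)].add(h)
    main = counts.most_common(1)[0][0] if counts else None
    return {
        "main_domain": main,
        "domain_counts": dict(counts),
        "hosts": {d: sorted(s) for d, s in per_domain.items()},
    }


if __name__ == "__main__":
    # Standalone run over the constructed sample; replace with sys.stdin for real output.
    result = summarise(SAMPLE.splitlines())
    print("main website domain:", result["main_domain"])
    for domain, n in sorted(result["domain_counts"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {domain}")
        for host in result["hosts"][domain]:
            print(f"       {host}")
```

The distinct-hostname list per domain is the input for the later host search, and the domains other than the main one are the candidates to check during TLD expansion.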

## Offline Website Review

Next we should download at least the main website (and other interesting ones) and review it locally. This is more anonymous, as you only need to contact the target website once.

Change directory to the one that will hold the downloaded files:

`cd <path to directory>`

Download the website with HTTrack:

**Command:** `httrack <website url> --mirror`

![](/assets/recon-start-httrack.png)

Alternative commands to clone a website with wget (`-r` recurses through links, `-np` never ascends into the parent directory of the start URL, `-nH` omits the host-named top-level directory when saving):

**Command to clone a webpage:** `wget -r -np <url here>`

**Command to clone a website:** `wget -r -nH <url here>`

Now open the website in a browser and go through it. Note everything that could be of interest for later stages:

**Company Intelligence**

| Information | Can be used for... |
| :--- | :--- |
| Locations and Addresses | General understanding of a company's geographical layout. Targets for physical engagements. |
| Phone Number Ranges | War Dialing |
| Business Areas | General understanding of a company's business and identification of business processes. |
| Products / Portfolio | Targets for exfiltration (digital assets) or for Social Engineering |
| Organigram | Knowledge about a company's personnel structure; identify VIPs as targets for Social Engineering |
| Employees and contact information | Targets for Social Engineering |
| Technologies (Systems / Software) | Identifying vulnerabilities and weak points to attack during the _Gaining Access_ and _Maintaining Access_ phases. |
| (Security-) Policies | Understanding a company's security posture and finding weak spots to utilize during the _Gaining Access_ and _Maintaining Access_ phases. |
| Events | Physical engagements and Social Engineering |

**Personal Information**

| Information | Can be used for... |
| :--- | :--- |
| Names and Contact information | Social Engineering |
| Usernames and Passwords | _Gaining Access_ phase. |
| Family and Pets | Social Engineering |
| Interests and Hobbies | Social Engineering |

**Network Information**

| Information | Can be used for... |
| :--- | :--- |
| Domain- and Hostnames | Targets for the _Scanning and Enumeration_ phase. Attack surface during the _Gaining Access_ phase. |
| IP-Blocks and -Addresses | Targets for the _Scanning and Enumeration_ phase. Attack surface during the _Gaining Access_ phase. |
| Routing Information | Communication paths through the target network and identification of network devices for the _Scanning and Enumeration_ and _Gaining Access_ phases. |
| System Types (Routers, Firewalls, Servers, ...) | Target information for the _Gaining Access_ phase. |
| Remote Access Services | Targets for the _Scanning and Enumeration_ phase. Attack surface during the _Gaining Access_ phase. |

**System Information**

| Information | Can be used for... |
| :--- | :--- |
| Operating System and Patch Versions | Identification of the target environment. Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |
| Ports and Services | Targets for the _Scanning and Enumeration_ phase. Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |
| Applications and Software Versions | Targets for the _Scanning and Enumeration_ phase. Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |
| Authentication Mechanisms | Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |
| Access Control Lists (ACL) | Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |
| Encryption (Types and Algorithms) | Detection of vulnerabilities and exploits during the _Gaining Access_ and _Maintaining Access_ phases. |

## Get a List of IP Networks

Go to the RIPE Database and use the company name in the full text search: https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
