Passive Reconnaissance
Google Hacking
Google Hacking allows you to find juicy information, vulnerabilities, or misconfigured websites. Since it was introduced, a database of interesting searches, the Google Hacking Database, has been compiled to enable security professionals to quickly identify numerous misconfigurations within a given domain.
Google search to find website sub-domains:
site:example.com
Google search for a filetype, and certain text in the site title:
intitle:"exam objectives" filetype:pdf
Google search to find certain text in the URL:
inurl:"/wp-content/uploads"
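To see what these operators would surface on a site you run, the following added example (not part of the original page) applies simplified versions of site:, inurl:, intitle: and filetype: to a constructed inventory of URLs and page titles. The function names, the sample pages and the plain substring matching are assumptions; Google's own matching is more elaborate.

```python
import shlex
from urllib.parse import urlparse

# Constructed inventory of (URL, page title) pairs, e.g. exported from your own sitemap or crawl.
PAGES = [
    ("https://www.example.com/", "Example Home"),
    ("https://blog.example.com/wp-content/uploads/2020/01/notes.txt", "Index of /wp-content/uploads"),
    ("https://www.example.com/docs/syllabus.pdf", "Security+ Exam Objectives"),
    ("https://www.example.com/docs/brochure.pdf", "Product Brochure"),
    ("https://example.org/wp-content/uploads/logo.png", "Logo"),
]

OPERATORS = {"site", "inurl", "intitle", "filetype"}


def parse_query(query):
    """Split a query like 'intitle:"exam objectives" filetype:pdf' into (operator, value) pairs."""
    terms = []
    for token in shlex.split(query):  # shlex keeps a quoted phrase attached to its operator
        op, sep, value = token.partition(":")
        op = op.lower()
        if not sep or not value or op not in OPERATORS:
            raise ValueError(f"unsupported search term: {token!r}")
        terms.append((op, value.lower()))
    return terms


def matches(url, title, terms):
    """Return True when one page satisfies every term (terms are ANDed together)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    checks = {
        "site": lambda v: host == v or host.endswith("." + v),  # the domain and its sub-domains
        "inurl": lambda v: v in url.lower(),
        "intitle": lambda v: v in title.lower(),
        "filetype": lambda v: parsed.path.lower().endswith("." + v),
    }
    return all(checks[op](value) for op, value in terms)


def audit(query, pages=PAGES):
    """List the inventory URLs that the query would surface."""
    terms = parse_query(query)
    return [url for url, title in pages if matches(url, title, terms)]


if __name__ == "__main__":
    for q in ('site:example.com', 'intitle:"exam objectives" filetype:pdf', 'inurl:"/wp-content/uploads"'):
        print(q, "->", audit(q))
```

Replacing PAGES with an export of your own site's URLs and titles shows which pages each query on this page would expose.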
SSL Testing
SSL Labs
SSL Labs offers a free online service, the SSL Server Test, that performs a deep analysis of the configuration of any SSL web server on the public Internet. The test results provide detailed technical information and flag any misconfigurations or vulnerabilities.
Email Harvesting
theHarvester
theHarvester is a tool that comes installed in Kali and gathers email addresses from public sources.
theharvester -d example.com -l 500 -b google -f results_example
-d: Domain to search or company name.
-l: Limit the number of results to work with.
-b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,people123,jigsaw,all).
-f: Save the results into an HTML and XML file.
For more information on this tool and its capabilities, see theHarvester: https://tools.kali.org/information-gathering/theharvester
WHOIS
The WHOIS service allows you to search for basic information assigned to a domain name. Information available may include the contact information for the domain owner, the domain availability status and the company with which the domain is registered.
WHOIS also comes packaged within Kali. It can search on a domain name and do reverse lookups on an IP:
whois example.com
whois 93.184.216.34
Netcraft
Netcraft can be used to indirectly find out information about web servers on the Internet, including the underlying operating system, web server version, and uptime graphs.