🥷 Top sites for passive reconnaissance
Passive reconnaissance is a critical step for bug bounties or penetration testing engagements, get ready!
Passive reconnaissance is the process of collecting information in a covert manner about an intended target without the target knowing what is occurring.
Mainly is done searching information about the target on the Internet (Google, Linkedin, etc) and also searching for metadata (i.e. domain registers information, OSINT tools, etc).
https://hunter.io Email recon
https://www.netdb.io/ IOT search engine
https://securitytrails.com/dns-trails DNS subdomains recon
https://securityheaders.com/ HTTP headers recon
https://www.kitterman.com/spf/validate.html Validate SMTP SPF fields
https://www.fraudmarc.com/dmarc-check Validate SMTP SPF/DMARC policies
https://mxtoolbox.com/DMARC.aspx Validate SMTP SPF/DMARC policies
https://dmarcian.com/dmarc-inspector/ Validate SMTP DMARC policy
https://crt.sh Certificate Transparency Site
Another effective way to do passive recon is obviously through Google, actually there is a term for that: Google dorking or google dorks, you can read more about it below:
Did I miss some great tool? Please add it in the comments below :)