Disclaimer: Ethical Hacking should be always performed on services that provide permissions on doing so, otherwise it cause legal issues and cost you. Generally, ethical hacking is performed to find vulnerabilities of a service by its owner or an authorized party.
To perform ethical hacking on a service that welcomes it, the first step is to gather information about the service. In particular, passive reconnaissance is the process of information gathering about a target service such as a web application. This could include personal or social information such as
- textual data: name, email, phone number, and job information
- image data: computer and desk at the office/home (could leak applications/tools used by a target person)
or location information (mostly physical).
Following are some tools that can be used on Kali Linux for passive reconnaissance.
- theHarvester (built-in to Kali)
For a given domain, it searches information on sources such as google, twitter and yahoo
Command: theHarvster -d <domain> -b <source>
For a given domain (e.g., example.com) this tool finds subdomain (e.g., sub.example.com) information. It can be installed by command apt install sublist3r. Additionally, this is another online tool that can be used to perform similar information gathering.
Command: sublist3r -d <domain>
- Wappalyzer (Browser add-on)
This tool provides meta information about the implementation of a web application such as version numbers, frameworks used, programming language used, content management used, etc.
- Google Search
It is possible to perform effective search on Google by using specific keywords such as to find for particular type of files at a website you can use
site:<domain> filetype: <file type e.g., pdf, docx, etc>