Useful Pentesting Links
Last updated : 25/07/2023
A list of useful URLs, for all steps and aspects of a Penetration Test.
This list will be updated as I discover more resources.
If you spot incorrect or broken URLs, or have ideas for additional resources I can add below, feel free to email jackcollins1434@yahoo.com. Thank you.
- Search Engines
- Reverse Image Searching
- EXIF Data
- Location Information
- Email Address Discovery
- Password OSINT
- Usernames & Accounts
- Specific People Search
- Phone Numbers
Search Engines
Every good OSINT / Reconnaissance has to start somewhere. Let’s start with the basics; search engine searches.
Don’t just use one, they all give different results and crawl in different ways to different areas of the web.
Don’t forget The Wayback Machine too; a fantastic resource for OSINT. You can find old, archived versions of sites from years ago. Maybe you’ll find some revealing information on an old version of a target’s website.
Reverse Image Searching
Informational searches don’t just come in the form of text. We should search via images also.
Technologies have gotton more advanced in recent years, so not only can we search for other sites that have the same image on (useful), but we can use tools like Pimeyes to do facial recognition searches across the web (super useful).
EXIF Data
Not always useful, but if we come across images that may well have EXIF data attached (an original non-processed photo uploaded to a company website, for example), we could extract that data and see if there’s anything useful there.
Maybe some coordinates for where it was taken could be revealed, or the make and model of a mobile phone the target/company uses.
Location Information
If our pentest includes some physical entry aspects, social engineering or perhaps we need to determine where we can pick up signals from a safe distance (e.g.; WiFi from outside of a building), then we need to scope out the area first.
We should do this in-person, but there are also plenty of online resources for us to view satellite imagery, rented/sold building information (possibly including layouts) and even VR experiences.
There’s also an app called ‘Wander’, available on the Oculus Quest store, which is also essentially Google Maps in VR.
We may also want to determine where a photograph was taken, or brush up on our skills to identify locations based on architecture, landmarks, tree species, etc.
Email Address Discovery
We’ll want to determine email addresses that the target company uses, either specific or at least the ‘pattern’ that they use (e.g.; firstname.lastname@company.co.uk)
We can then use this information to find additional data, work out possible login usernames, for social engineering and to present as part of a pentest report.
- Hunter.io
- Phonebook.cz
- VoilaNorbert.com
- SignalHire (extension for Chrome)
- Clearbit Connect (Chrome extension)
We should also verify email addresses using the following resources;
Lastly, test a Google Login to see if the email address is accepted.
You can also try pressing Reset a Password on Google Login, and ‘Try Something Else’. This may reveal other email addresses the target uses.
Password OSINT
They’ll be many occasions during a pentest that you’ll want to test passwords, e.g. Brute Forcing.
Don’t waste time doing Brute Force before checking online resources for possible password data breaches.
- Breach-Parse
- DeHashed
Hashes.org(likely deprecated)- SnusBase
- Leak Check
- The Breached Database Search Engine
- Have I Been Pwned?
scylla.sh/search(likely deprecated)weleakinfo.to(likely deprecated)
Don’t forget an online search for data breaches, in particular sites like Reddit and GitHub.
As you can see above, these change often, as they sometimes get shut down. Search about for further resources on a regular basis.
If you need to crack or obtain password hashes, here are also some useful links for that;
- NPK (a hash-cracking platform for AWS)
- PyPhisher (Social Engineering for getting passwords via fake pages)
Usernames & Accounts
Part of OSINT against a target is often identifying staff members and their open, available online data.
We might be able to discover the technologies a company is using via LinkedIn profiles, the location of buildings and infrastructure for Physcial Pentesting via images posted to Facebook or Instagram, and compile wordlists for password cracking based on a person’s interests.
We may even be able to get an image of an ID badge from a profile, giving us valuable data on how to replicate the look of a genuine staff member ourselves.
Specific People Search
Sometimes we’ll want to gather information about a specific person, whether as a pre-agreed part of a pentest (a CEO for a company, for example, might want to see what is available publically about them), or perhaps we have some information for a particular user within a company (e.g.; usernames, emails) but we need to gather further information about them to compile a wordlist for password cracking, etc.
- White Pages
- True People Search
- 192.com
- Fast People Search
- Fast Background Check
- WebMii
- Peek You
- 411.com
- Spokeo
- That’s Them
- Locate Family
Please note: this list is mainly UK specific.
Phone Numbers
As well as email addresses and usernames, phone numbers can also be used to track down further profiles and details about people and companies online, so we should try to find some during our other endevours and then use these resources to look up further information.
Also consider phone numbers potentially given away by ‘forgot password’ pages; Yahoo login, for example, may show partly obfuscated phone numbers or other email addresses associated with an account, when you go to the ‘forgot password’ page and input an email address.