External Reconnaissance

We (HTB) have addressed the why and what of external reconnaissance; let's dive into the where and how.

Hunting For Files

filetype:pdf inurl:inlanefreight.com
intext:"@inlanefreight.com" inurl:inlanefreight.com

Username Harvesting

We can use a tool such as linkedin2username to scrape data from a company's LinkedIn page and create various mashups of usernames (flast, first.last, f.last, etc.) that can be added to our list of potential password spraying targets.

Credential Hunting

Dehashed is an excellent tool for hunting for cleartext credentials and password hashes in breach data. We can search either on the site or using a script that performs queries via the API.

sudo python3 dehashed.py -q inlanefreight.local -p
