Gathering information about an organization is imperative whether one is interested in joining the organization or simply evaluating one's own organization to see what information is out there. The use of public records to garner the required information about an organization is a simple and readily available method. There are a variety of ways to tackle the process. However, this article will focus on two areas: network targets and personnel data; the former will touch on IP addresses, systems and domains while the latter will delve into job titles, email addresses and personal data. The following are steps that can be followed when one wants to gather information about an organization from public records.
It may be difficult to track an organization down online, but once you have the name of the organization and at least one domain it uses for its daily activities, things get better. The name and domain will provide information on the company's background through the Full Contact marketing database. Once you are able to establish a domain, other domains and subdomains can be discovered through a reverse WHOIS API. The reverse WHOIS API runs the company name and other key data against its records and provides additional domains. Subdomains can also be discovered through tools such as Aquatone and Sublist3r. After gathering a list of domains and subdomains, one can narrow them down to IP addresses using Python sockets.
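The last step above, as an added example that is not part of the original article: merging the subdomain lists produced by several tools, resolving each name with the standard library socket module, and grouping hostnames by address so an organization can see which of its own names are still exposed and which are stale. The hostnames, the 192.0.2.x addresses and the stub resolver are constructed so the script runs offline.

```python
import socket
from collections import defaultdict

def normalize_hosts(raw_hosts):
    """Merge subdomain lists from several tools: lowercase, strip blanks,
    trailing dots and duplicates; return a sorted list."""
    seen = set()
    for host in raw_hosts:
        host = host.strip().lower().rstrip(".")
        if host:
            seen.add(host)
    return sorted(seen)

def socket_resolver(hostname):
    """Resolve with the standard library; [] when the name does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(hostname)[2]))
    except (socket.gaierror, socket.herror, UnicodeError):
        return []

def resolve_inventory(raw_hosts, resolver=socket_resolver):
    """Map each IPv4 address to the hostnames that resolve to it. Names that
    do not resolve land under 'unresolved' so stale DNS entries stay visible."""
    inventory = defaultdict(set)
    for host in normalize_hosts(raw_hosts):
        addrs = resolver(host)
        if not addrs:
            inventory["unresolved"].add(host)
        for addr in addrs:
            inventory[addr].add(host)
    return {key: sorted(hosts) for key, hosts in inventory.items()}

# Constructed sample: combined output of two subdomain tools (duplicates, mixed
# case, a trailing dot) and a stub resolver so the script runs offline.
SAMPLE_HOSTS = ["www.example.com", "WWW.example.com.", "mail.example.com",
                "old.example.com", "", "vpn.example.com"]
FAKE_DNS = {"www.example.com": ["192.0.2.10"],
            "mail.example.com": ["192.0.2.20", "192.0.2.21"],
            "vpn.example.com": ["192.0.2.10"]}

def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])

if __name__ == "__main__":
    # Swap fake_resolver for socket_resolver to resolve real names.
    for key, hosts in sorted(resolve_inventory(SAMPLE_HOSTS, fake_resolver).items()):
        print(key, ", ".join(hosts))
```

Names listed under "unresolved" are worth a second look: a subdomain that no longer resolves often points at a decommissioned service whose DNS record was never cleaned up.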
Discovering the contacts behind the domains and subdomains found during network mapping is an important part of gathering information about an organization from public records. Using search engines to look up contact information for those domains and subdomains is a good place to start. Email Hunter's API can help track down email addresses, and those email addresses can in turn yield more data on the company; further details can be found using a reverse WHOIS API. For a person who wants to gather information from public records, social media profiles are an excellent place to look. LinkedIn and Twitter handles can yield a lot of valuable information about an organization. However, one must be careful about the information provided on social media, as it can easily be fabricated.
Most data is stored in the cloud these days, and what better place to look? Going through files hosted under an organization's domain can unearth things such as office documents and PDFs from years back. Search queries like (site:company.com filetype:pdf) can retrieve files providing the desired information on the organization. The rise of cloud storage services such as Amazon S3 buckets and DigitalOcean's Spaces has made it easier to retrieve documents not meant for the public.
The whole process of gathering information about an organization from public records can be tedious and may require a lot of time and resources. Automating the process therefore makes it less demanding and more efficient. Tools like Recon-ng and Discovery Scripts help automate the process. Having intelligence on the kind of data that is out there in public records about an organization can help it arm itself against attackers and protect itself better.