Technical Information

Some tools and techniques are:

1) Google

A lot of interesting things can be found with a few well-chosen search queries. For example, the identity of DPR [1]. The bible of Google hacking is the book "Google Hacking for Penetration Testers". You can find a short summary in Spanish at [2].

2) Subdomain Enumeration

Often, a company's main website is hosted by a third party, and you'll find the company's actual IP range thanks to subdomains like mx.company.com or ns1.company.com. Also, sometimes there are things that shouldn't be exposed in "hidden" subdomains. Useful tools for discovering domains and subdomains are fierce [3], theHarvester [4], and recon-ng [5].

3) Whois lookups and reverse lookups

With a reverse lookup using the whois information from a domain or IP range of a company, you can find other domains and IP ranges. As far as I know, there's no free way to do reverse lookups aside from a Google "hack":

"via della moscova 13" site:www.findip-address.com
"via della moscova 13" site:domaintools.com

4) Port scanning and fingerprinting

Unlike the other techniques, this talks to the company's servers. I include it in this section because it's not an attack; it's just information gathering. The company's IDS might generate an alert, but you don't have to worry since the whole internet is being scanned constantly.

For scanning, nmap [6] is precise and can fingerprint the majority of services discovered. For companies with very large IP ranges, zmap [7] or masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint websites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/