HackerGPT provides powerful intelligence gathering tools for discovering hidden infrastructure, investigating domains, and mapping organizational assets. These tools help security professionals perform comprehensive reconnaissance before deeper security assessments.
Domain Intelligence
Gather detailed information about domains, their registration, and associated infrastructure.
WHOIS Lookup (whois)
Retrieves WHOIS or RDAP information for specified domains, including registration details, ownership information, and expiration dates.
- Registration Details: Domain registrar, creation and expiration dates
- Ownership Information: Registrant name, organization, and contact details
- Name Servers: DNS infrastructure information
- Contact Points: Administrative and technical contact information
Example Prompts:
Find domain registration details for hackergpt.app
Who owns example.com?
When does target-domain.com expire?
WHOIS lookup for suspicious-site.net
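The fields listed above, as they appear in an RDAP (RFC 9083) domain response. This is an added example, not HackerGPT's own code. The sample response, the 30-day warning threshold and the function names are constructed for illustration; the check flags domains you own that are close to expiry.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 layout); all values are illustrative.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "events": [
    {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z"}
  ],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "NS2.EXAMPLE.NET"}],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]}
  ]
}
""")

def _parse_date(value):
    # RDAP dates are RFC 3339; normalise a trailing "Z" for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _vcard_fn(entity):
    # jCard: ["vcard", [[name, params, type, value], ...]]; "fn" is the display name.
    for prop in (entity.get("vcardArray") or [None, []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None  # contact data is often redacted or absent

def summarize_rdap(doc, now=None, warn_days=30):
    now = now or datetime.now(timezone.utc)
    events = {e["eventAction"]: _parse_date(e["eventDate"]) for e in doc.get("events", [])}
    registrar = next((_vcard_fn(e) for e in doc.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    expires = events.get("expiration")
    days_left = (expires - now).days if expires else None
    return {
        "domain": doc.get("ldhName", "").lower(),
        "registrar": registrar,
        "created": events.get("registration"),
        "expires": expires,
        "name_servers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "days_left": days_left,
        "expiring_soon": days_left is not None and days_left <= warn_days,
    }
```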
Subdomain Discovery
Uncover hidden and forgotten infrastructure by enumerating subdomains associated with a target domain.
Subdomain Enumeration (subfinder)
Advanced subdomain discovery tool that identifies potential attack surfaces and hidden infrastructure.
- Passive Enumeration: Discovers subdomains without direct interaction
- Multiple Sources: Aggregates data from various sources for comprehensive results
- Hidden Infrastructure: Finds development, staging, and forgotten subdomains
- Attack Surface Mapping: Identifies additional entry points for testing
Example Prompts:
Find subdomains for wikipedia.org
Enumerate subdomains of target-company.com
What subdomains exist for example.com?
Discover all subdomains for hackergpt.app
IP & Geolocation Intelligence
Map domains to IP addresses and determine the physical location of infrastructure.
Domain to IP Resolution (get_domain_ip)
Retrieves the IP address mapped to a specific domain, useful for infrastructure mapping.
- Resolves domain names to their corresponding IP addresses
- Identifies shared hosting environments
- Supports further IP-based analysis
Example Prompts:
What is the IP address of hackergpt.app?
Get IP for example.com
Resolve the IP of target-domain.com
Geo IP Location (get_ip_geolocation)
Fetches geolocation information for a specified IP address, providing geopolitical context for targeted infrastructure.
- City & Region: Precise location information
- Country: Nation where the server is hosted
- Coordinates: Latitude and longitude for mapping
- ISP Information: Internet service provider details
Example Prompts:
Find geo location of hackergpt.app
Where is the server for example.com located?
Get geolocation for IP 8.8.8.8
What country hosts target-site.com?
Dark Web Intelligence
Monitor the dark web for mentions of target domains and analyze onion sites for threat intelligence.
Dark Web Search (run_darkdump)
Searches the dark web for mentions of keywords or domains and returns relevant results for threat intelligence gathering.
- Domain Monitoring: Find mentions of your organization on the dark web
- Data Breach Discovery: Identify potential exposure risks
- Threat Intelligence: Gather information about emerging threats
- Sentiment Analysis: Evaluate the context and tone of mentions
Results Include:
- URL and title of discovered pages
- Content description and metadata
- Sentiment analysis (polarity & subjectivity)
- Document links count and extracted emails
Example Prompts:
Search Dark Web for HackerGPT
Search Dark Web for Ferdinand Data Breach
Find dark web mentions of my-company.com
Check if target-organization is mentioned on the dark web
Onion Link Analysis (analyze_onion_links)
Scrapes and analyzes onion links through the Tor proxy, so you don't have to access them yourself.
- Content Extraction: Retrieves site content safely
- Metadata Analysis: Extracts relevant site metadata
- Safe Browsing: Analyzes .onion sites without direct access
- Insights: Provides analysis of the site's purpose and content
Example Prompts:
analyze http://exampleonion.onion
What content is on this onion link?
Scrape and analyze the following .onion site
Web Fingerprinting
Identify the technology stack running on web applications for better-targeted assessments.
Web Application Fingerprinting (web_fingerprint)
Fingerprints web applications to discover server type, version, and other information about software running on the host.
- Server Identification: Detects web server software (Apache, Nginx, IIS)
- Version Detection: Identifies software versions for vulnerability correlation
- Technology Stack: Discovers frameworks, CMS, and libraries in use
- Service Discovery: Run this first for comprehensive reconnaissance
Example Prompts:
Check juice-shop.hackergpt.app
Fingerprint the web application at example.com
What technology stack does target-site.com use?
Common Workflows
Combine intelligence gathering tools for comprehensive reconnaissance.
Complete Domain Investigation
Find domain registration details for target.com
Find subdomains for target.com
Find geo location of target.com
Infrastructure Mapping
What is the IP address of target.com?
Get geolocation for the resolved IP
Threat Intelligence Gathering
Search Dark Web for my-organization
Check if our domain appears in any dark web mentions
Full Reconnaissance Workflow
Fingerprint web application at target.com
Find all subdomains
Get WHOIS information
Perform service discovery scan
Best Practices
- Always get authorization: Only perform reconnaissance on systems you have permission to investigate.
- Start passive: Begin with non-intrusive tools like WHOIS and subdomain enumeration.
- Document findings: Keep records of discovered infrastructure for thorough assessments.
- Correlate data: Combine findings from multiple tools for a complete picture.
- Monitor regularly: Dark web mentions can indicate emerging threats or data breaches.
Quick Reference
| Tool | Purpose | Example |
|---|---|---|
| whois | Domain registration lookup | Find domain registration details for example.com |
| subfinder | Subdomain enumeration | Find subdomains for wikipedia.org |
| get_domain_ip | Domain to IP resolution | What is the IP address of example.com? |
| get_ip_geolocation | IP geolocation lookup | Find geo location of hackergpt.app |
| run_darkdump | Dark web search | Search Dark Web for my-company |
| analyze_onion_links | Onion site analysis | Analyze http://example.onion |
| web_fingerprint | Web app fingerprinting | Check juice-shop.hackergpt.app |