Obviously information gathering is vital in any internal/external pen-test and from the defense side. Looking for suggestions on what others on the defense or offensive side are doing to understand what kind of information is out there on the web for anyone to find.
Here are some of the activities I do (or am trying to get my place of business to start doing)
- Metadata analysis looking for usernames and other sensitive info from files on the web (tool - FOCA)
- Looking at developer comment areas in html, js, css ( some automated with scripts when looking for emails, phone numbers, user IDs, but this is also fairly manual at times)
- Looking at pastebin.com type websites for references to the business using advanced google operators
- Searching for the footer that goes out with company emails( "The views expressed in this email ......") - this actually returns a large number of results because people ask questions via email and in-turn get published on the net at some point usually for historical purposes
- Looking for company related information you would find in developer code like internal proxy servers, or company owned IPs, etc
- Seeing what Maltego has to say
Unfortunately I am kind of the new guy and I am not allocated time to do a lot of these things regularly, but I have suggested them and some gain traction if I can show that there are results worth paying attention to. Its easy from an attackers perspective to see how all of these can offer valuable information, but convincing management to allocate time on it is another story.
What other things are you all looking for?