# Footprinting

## Domain Information

* [crt.sh](https://crt.sh): Certificate checking for subdomains
  * Command to get unique list of domains
    * `curl -s "https://crt.sh/?q=inlanefreight.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u`
    * The URL must be quoted so the shell does not treat `&` as a background operator; the `awk` step splits the literal `\n` separators crt.sh places between SANs in `name_value`
  * Find the hosts that are internet accessible and resolve to the target's own addresses (not third-party hosts, which we may not have permission to test):
    * `for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done`
  * [Shodan](https://www.shodan.io/) all the IPs:
    * `for i in $(cat ip-addresses.txt);do shodan host $i;done`
* Check SSL certs
* DNS Records:
  * `dig any <domain>`
  * Records such as MX, TXT and CNAME can reveal third-party services in use (Gmail, Mailgun, LogMeIn, ...)
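A parser for the crt.sh JSON output used above, as an added example (not part of the original notes and not crt.sh's own code): it splits the newline-separated SANs in `name_value`, drops wildcard names, keeps only names under the target domain, and then keeps only hosts whose addresses fall inside the netblocks you are authorised to test. The sample JSON, the hostnames and the `10.129.0.0/16` scope are constructed.

```python
import ipaddress
import json
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample of crt.sh "output=json" entries; not a real query result.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.inlanefreight.com",
     "name_value": "inlanefreight.com\nwww.inlanefreight.com"},
    {"common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\nmail.inlanefreight.com"},
    {"common_name": "support.inlanefreight.com",
     "name_value": "support.inlanefreight.com"},
    # a third-party name that merely contains the domain string: must be excluded
    {"common_name": "inlanefreight.com.example-cdn.net",
     "name_value": "inlanefreight.com.example-cdn.net\nInlanefreight.COM"},
])


def extract_hostnames(crtsh_json: str, domain: str, include_wildcards: bool = False) -> List[str]:
    """Sorted, de-duplicated hostnames that are `domain` or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        # name_value holds one SAN per line; common_name is the CN of the cert
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if not name or (name.startswith("*.") and not include_wildcards):
                continue
            # suffix check on the full label, so "inlanefreight.com.example-cdn.net" is rejected
            if name != domain and not name.endswith("." + domain):
                continue
            found.add(name)
    return sorted(found)


def _default_resolve(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]


def filter_in_scope(hosts: Iterable[str], scope_cidrs: Iterable[str],
                    resolve: Callable[[str], List[str]] = _default_resolve) -> Dict[str, List[str]]:
    """Map each host to the addresses it resolves to that lie inside the authorised CIDRs."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    in_scope: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError:  # NXDOMAIN, timeout: treat as not resolvable
            continue
        hits = [a for a in addrs if any(ipaddress.ip_address(a) in n for n in nets)]
        if hits:
            in_scope[host] = hits
    return in_scope
```

Run against a live query by feeding `curl -s "https://crt.sh/?q=<domain>&output=json"` output into `extract_hostnames` and your engagement's CIDRs into `filter_in_scope`.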

## Cloud Resources

Good starting points are the public storage services: S3 buckets (AWS), blobs (Azure), Cloud Storage (GCP), R2 buckets (Cloudflare), ...

[Domain.glass](https://domain.glass/) can give useful information from the domain name alone, such as whether Cloudflare is in front of it.

<https://buckets.grayhatwarfare.com/> indexes publicly exposed buckets. Try looking for `id_rsa`.
