Footprinting
Domain Information
Command to get a unique list of domains from crt.sh:
curl -s "https://crt.sh/?q=inlanefreight.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
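The same extraction done with a JSON parser, as an added example that is not part of the original notes: it splits multi-name certificate entries, drops wildcard prefixes, and keeps only names under the in-scope domain. The sample records are constructed, and the function name unique_names is an assumption of this example.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (only the fields
# used here). These records are made up, not real query results.
SAMPLE = r'''[
 {"common_name": "www.inlanefreight.com",
  "name_value": "www.inlanefreight.com\ninlanefreight.com"},
 {"common_name": "*.inlanefreight.com",
  "name_value": "*.inlanefreight.com"},
 {"common_name": "Support.inlanefreight.com",
  "name_value": "Support.inlanefreight.com\nadmin@inlanefreight.com"},
 {"common_name": "shop.example-cdn.net",
  "name_value": "shop.example-cdn.net\nnotinlanefreight.com"}
]'''


def unique_names(crtsh_json, scope):
    """Return the sorted, unique hostnames under `scope` found in crt.sh JSON text."""
    scope = scope.lower().rstrip(".")
    names = set()
    for entry in json.loads(crtsh_json):
        # name_value carries one name per line. json.loads has already turned
        # the escaped \n into real newlines (the job of the awk gsub step).
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # keep the zone a wildcard certificate covers
            if not name or "@" in name or " " in name:
                continue  # skip entries that are not hostnames
            # Match on a label boundary so notinlanefreight.com is rejected,
            # which a plain substring grep would let through.
            if name == scope or name.endswith("." + scope):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    print("\n".join(unique_names(SAMPLE, "inlanefreight.com")))
```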
Find internet-accessible hosts (excluding third-party ones, since we may not have permission to test them):
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
for i in $(cat ip-addresses.txt);do shodan host $i;done
Check SSL certs
DNS Records:
dig any <domain>
The records can reveal which third-party services are in use, such as Gmail, Mailgun, LogMeIn, ...
Cloud Resources
A good place to start is cloud storage: S3 buckets (AWS), blobs (Azure), Cloud Storage (GCP), R2 buckets (Cloudflare), ...