Footprinting

Domain Information

  • crt.sh: certificate transparency lookups for subdomains

    • Command to get a unique list of subdomains from the certificate records

      • curl -s "https://crt.sh/?q=inlanefreight.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

    • Resolve the subdomains and keep only internet-accessible hosts under the target domain (third-party hosts are out of scope, as we may not have permission to test them):

      • for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

    • Shodan lookups for all the IPs:

      • for i in $(cat ip-addresses.txt);do shodan host $i;done

  • Check SSL certs

  • DNS Records:

    • dig any <domain>

    • May reveal services in use, e.g. Gmail, Mailgun, LogMeIn, ...
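The crt.sh pipeline above relies on `grep name` (which also matches `issuer_name`, hence the `grep -v "CN="`), on `cut` field positions, and on `awk` to split the `\n`-joined names inside `name_value`. The following is an added example, not from the original notes, that does the same extraction by parsing the JSON directly, lower-cases names so case variants collapse, drops wildcard entries, and keeps only names under the domain in scope so third-party SANs that share a certificate are not carried into later steps. The input is a constructed sample in the shape crt.sh returns for `output=json`; the function names are this example's own.

```python
import json
from typing import Iterable

# Constructed sample in the shape of crt.sh "?output=json" (not real certificate data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "inlanefreight.com",
     "name_value": "inlanefreight.com\nwww.inlanefreight.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\nmail.inlanefreight.com"},
    # A shared certificate: one SAN is ours, the other belongs to a third party.
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "shared.example-cdn.net",
     "name_value": "shared.example-cdn.net\nwww.inlanefreight.com"},
    # Mixed case, as CT logs sometimes record it.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Support.InlaneFreight.com",
     "name_value": "Support.InlaneFreight.com"},
])


def names_from_crtsh(json_text: str) -> set[str]:
    """Collect every name from common_name and name_value (newline-separated), lower-cased."""
    names: set[str] = set()
    for entry in json.loads(json_text):
        for field in ("common_name", "name_value"):
            for name in entry.get(field, "").split("\n"):
                name = name.strip().lower()
                if name:
                    names.add(name)
    return names


def in_scope(names: Iterable[str], domain: str, keep_wildcards: bool = False) -> list[str]:
    """Keep names equal to or under `domain`; drop third-party SANs and, by default, wildcards."""
    domain = domain.lower()
    kept = set()
    for name in names:
        if name.startswith("*.") and not keep_wildcards:
            continue
        if name == domain or name.endswith("." + domain):
            kept.add(name)
    return sorted(kept)


def subdomains_from_crtsh(json_text: str, domain: str) -> list[str]:
    """Equivalent of the shell pipeline: unique, in-scope hostnames from crt.sh JSON."""
    return in_scope(names_from_crtsh(json_text), domain)


if __name__ == "__main__":
    # Writes one host per line, the same shape the `subdomainlist` loop expects.
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "inlanefreight.com"):
        print(host)
```

With the sample input this yields four hosts: inlanefreight.com, mail.inlanefreight.com, support.inlanefreight.com and www.inlanefreight.com; shared.example-cdn.net is discarded because it is not under the domain, and the wildcard entry is dropped unless `keep_wildcards=True`. Filtering in the parser rather than with a later `grep inlanefreight.com` also avoids matching unrelated names that merely contain the string.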

Cloud Resources

Good start on S3 buckets (AWS), blobs (Azure), cloud storage (GCP), R2 Buckets (Cloudflare), ...

Domain.glass can give good info from the domain name, like whether Cloudflare is present

https://buckets.grayhatwarfare.com/ for bucket information. Try looking for id_rsa
