- Netcraft – Technical information on a domain (OS, webserver, IP)
- Netcraft: Search DNS (site report for a hostname)
- DNS Stuff – 3 categories: DNS Report, WHOIS Lookup, IP Information
- Wigle – Map of Wifi networks
- Shodan – search engine for Internet-connected devices
- Find real IP when website is using Cloudflare: http://www.crimeflare.org:82/cfs.html
- Codata – Index of internet public code (e.g. Github, Stackoverflow)
- Wayback Machine – Archived version of websites
- RocketReach – Email address format
- Security Trails – DNS records, list of subdomains
- OSINT-Discord-resources
- SwaggerHub – Search APIs
- WordPress Theme Detector
- OWASP Amass – subdomain enumeration and attack-surface mapping (passive and active modes)
## Whois

Whois – website whois search: registration information from the public registry databases. Gives the registrar, registration/expiry dates, the DNS servers (name servers) and, where not redacted, the registrant/admin contacts (names, physical addresses, phone numbers, email addresses). Since 2018 most registrars redact personal contact details behind a privacy proxy, so expect the name servers, registrar and dates to be the useful part.

```bash
whois $DOMAIN
```

### Reverse lookup

`whois` on an IP address queries the regional registry (ARIN, RIPE, APNIC, ...) and returns the netblock (CIDR range), the organisation it is allocated to and an abuse contact. This is a good way to find the rest of the target's address range; it is not a DNS reverse lookup (use `dig -x $IP` for the PTR record).

```bash
whois $IP
```
## Subdomains

Passive sources (no traffic to the target): crt.sh (hostnames from Certificate Transparency logs, including wildcard and expired certificates), sublist3r, and Google dorks from the GHDB (e.g. `site:*.$DOMAIN -www`).
For brute forcing, the dnspop lists rank subdomain names by how often they occur in the wild: https://github.com/bitquark/dnspop/tree/master/results
## Enumerate subdomains from the index page

This is active: it downloads the index page from the target, so expect it to appear in their logs.

```bash
DOMAIN=x
wget -O index.html "http://www.$DOMAIN"
# Hosts in absolute URLs that belong to the target domain. Keep the match tight:
# the naive 'href=.*http.*"' is greedy and spans the whole line when a tag
# contains several attributes.
grep -oE 'https?://[^/"]+' index.html | grep "$DOMAIN" | cut -d/ -f3 | sort -u
# Any host ending in the target domain (dots escaped so they are not wildcards)
grep -oE "[^/\"' ]*\.${DOMAIN//./\\.}" index.html | sort -u
```
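As an added example (not part of the original notes), the following script makes the index-page scrape above reusable and fixes the cases the one-liners miss: protocol-relative `//host/` URLs, explicit ports, mixed-case hostnames, and lookalike domains such as `notexample.com` or `example.com.evil.test`, which a plain `grep $DOMAIN` would accept. It also wraps the passive crt.sh lookup mentioned under Subdomains. The sample HTML and the `example.com` hosts are constructed; the `extract_hosts`, `crtsh_subdomains` and `demo` names are this example's own. The crt.sh function needs network access and `jq`; everything else runs offline.

```bash
#!/usr/bin/env bash
# Added example: in-scope hostname extraction from a page already fetched,
# plus a passive crt.sh query. Function and sample names are assumptions.

# extract_hosts DOMAIN < page.html
# Pulls hosts from absolute (http://, https://) and protocol-relative (//host/)
# URLs, strips ports, lowercases, and keeps only DOMAIN and its subdomains.
extract_hosts() {
    local domain="$1"
    # Escape regex metacharacters so "example.com" cannot match "exampleXcom".
    local esc
    esc=$(printf '%s' "$domain" | sed 's/[.[\*^$]/\\&/g')
    grep -oiE '(https?:)?//[^/"'\''<> ]+' \
        | sed -E 's#^(https?:)?//##; s#:[0-9]+$##' \
        | tr 'A-Z' 'a-z' \
        | grep -E "(^|\.)${esc}$" \
        | sort -u
}

# crtsh_subdomains DOMAIN  (passive: talks to crt.sh, never to the target)
# Uses crt.sh's JSON output; one certificate may list several names, so
# name_value can hold newline-separated entries. Wildcard prefixes are dropped.
crtsh_subdomains() {
    curl -s "https://crt.sh/?q=%25.$1&output=json" \
        | jq -r '.[].name_value' \
        | sed 's/\*\.//g' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# Constructed sample page (not a real site) covering the cases that break the
# naive grep: third-party CDN host, port, protocol-relative URL, mixed case,
# and two lookalike domains that contain the target name but are out of scope.
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="https://CDN.example.com/app.css">
<script src="//static.example.com/app.js"></script>
<script src="https://cdnjs.cloudflare.com/lib.js"></script>
</head><body>
<a href="http://api.example.com:8443/v1/">API</a>
<a href="https://www.example.com/about">About</a>
<a href="https://notexample.com/">lookalike</a>
<a href="https://example.com.evil.test/">suffix trick</a>
</body></html>'

# demo: run the extractor over the sample for example.com
demo() { printf '%s' "$SAMPLE_HTML" | extract_hosts example.com; }

demo
```

Run it as-is to see the four in-scope hosts (`api`, `cdn`, `static`, `www` under `example.com`) and nothing else; replace `demo` with `extract_hosts "$DOMAIN" < index.html` against a real download, or call `crtsh_subdomains "$DOMAIN"` for the passive list. The suffix check `(^|\.)domain$` is the important part: matching the bare domain string anywhere in a hostname is how scope creep into third-party or attacker-controlled hosts starts.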