Search Technical Information

• Netcraft  – Technical information on a domain (OS, webserver, IP)
• Netcraft: Search DNS |
• DNS Stuff – 3 categories: DNS Report, WHOIS Lookup, IP Information
• Wigle – Map of Wifi networks
• Shodan – search engine for Internet-connected devices
• Find real IP when website is using Cloudflare: http://www.crimeflare.org:82/cfs.html
• Codata – Index of internet public code (e.g. Github, Stackoverflow)
• Wayback Machine – Archived version of websites
• RocketReach – Email address format
• Security Trails – DNS records, list of subdomains
• OSINT-Discord-resources
• SwaggerHub – Search APIs
• WordPress Theme Detector
• OWASP Amass

Whois

Whois – Website Whois Search, Registered information in public databases, Get DNS servers (Name Servers), email of the admin, Get names, physical addresses, phone numbers, email addresses, ip addresses, dns server names

whois $DOMAIN

Reverse lookup

whois $IP

Subdomains

Use crt.sh (subdomains from certificates), sublist3r, GHDB.

dnspop list of subdomains: https://github.com/bitquark/dnspop/tree/master/results

Enumerate subdomains

NOTE: This interacts with the target when downloading the index page.

DOMAIN=x
wget -O index.html http://www.$DOMAIN
# This regex might need tweaking
grep -o 'href=.*http.*"' index.html | grep $DOMAIN | cut -d "/" -f 3 | sort -u

grep -o '[^/]*\.domain\.com' index.html | sort -u