Gathering Information

You can start with google.com to see what’s out there.

Search terms:

• tcm-sec.com
• "tcm-sec.com"
• site:tcm-sec.com
• site:tcm-sec.com heath
• site:tcm-sec.com heath -academy
• Check images if no sites/domains show up.

Gather as much information as you can about the target site.

• IP addresses
• Physical addresses
• Google tags/analytics
• Technology

Websites and online tools

Some of these sites can search using multiple types of data.

• builtwith.com
• centralops.net/co
• urlscan.io
• httpsdnslytics.com/reverse-ip
• spyonweb.com
  • URL, IP Address, pub-xxxxxxxxxx or UA-xxxxxxx
• virustotal.com
• reddit.com
  • reddit.com/domain/thecybermentor.com
• visualping.io
• backlinkwatch.com
  • You might find extra connections here.
• viewdns.info
• dnsdumpster.com
• hackertarget.com
• dnstools.ws
• isc.org/dns-tools
• iplocation.io/all-dns-records-of-domain
• mxtoolbox.com/ReverseLookup.aspx
• nmmapper.com/sys/tools/subdomainfinder
• dnslytics.com

Internet Services (IP, ISP, location)

• lg.he.net
• bgp.he.net
• play.google.com/store/apps/details?id=net.he.networktools

DNS Techniques:

• securitytrails.com/blog/dns-enumeration
• systemweakness.com/dns-analysis-ca637eab0180

Podcast on a penetration test, social engineering, incident response:
darknetdiaries.com/episode/22

Tools on github

• github.com/smicallef/spiderfoot
• github.com/topics/dns-lookup
• github.com/Manisso/Crips
• github.com/TermuxHackz/X-osint
• github.com/BullsEye0/ghost_eye
• github.com/h3x0crypt/HostSpider
• github.com/aaronjwood/PortAuthority
• github.com/akashblackhat/dark_web.py
• github.com/dievus/msdorkdump

Subdomains

Subdomain Hunting

When hunting down subdomains you are looking for developer or staging versions of a site, or admin login pages that are not public or easily found on the internet.

Website tools are not the best way to scan for subdomains, but you can try google and a couple others to see if anything interesting shows up.

Search google.com

• site:tesla.com
• site:tesla.com -www
• site:tesla.com -www -forums inurl:dev
• site:tesla.com -www -forums inurl:admin
• site:tesla.com -www -forums inurl:console

Other website tools

pentest-tools.com - scans are limited and you may have to create an account now.
pentest-tools.com/information-gathering/find-subdomains-of-domain

spyse.com - Shut down.

• netlas.io
• fullhunt.io
• binaryedge.io
• crt.sh - Domain Name, Organization Name, etc, a SHA-1 or SHA-256,  crt.sh ID
  % = wildcard - %.tesla.com
• censys.io
• archive.org

Shodan and Wayback

Shodan

shodan.io - Website tool to discover all kinds of stuff connected to the internet.

• Click on explore to see what is possible. It will show you the query being used.
• It may show screenshots of what the loaded IP address looks like.
• Search examples:
  • Click on one of the cameras.
  • Copy the IP address or you can try any IP address.
  • anydomain.com - but may work better with an Ip address.
  • city:atlanta - you should see quite a few results.
  • city:atlanta port:3389 - check for remote desktop.
  • city: atlanta port:3389 org:choopa - specific organization.
  • city: atlanta port:3389 org:choopa-business - narrow it down more.
  • Click Images tab to see just the images.
  • You can click to look at the details of a host.
  • You can find vulnerable systems.

web.archive.org

web.archive.org - non-profit library of millions of free books, movies, music, websites, etc.

• https://anydomain.com - the highlighted spots are where you can find screenshots.
• https://amazon.com - should show some versions of the site from a long time ago.

Google cached websites

• Go to google.com and search for a domain.
• Click on the 3 dot menu, then on the arrow to show more options, click on Cached.
• You might find some data in the cached version

Other Command line tools

• AMASS
• SubBrute
• Knock
• Sublist3r
• AltDNS
• Axiom
• Haktrails