Recon
Terminal:
whois google.com
dnsrecon -d google.com
nslookup google.com
traceroute google.com
dig google.com
wafw00f - WAF checking
Check the ASN (Autonomous System Number) of the company if the company is big
ASN (Autonomous System Number) = routable IP ranges belonging to a company
Websites:
securitytrails
crt.sh
dnsdumpster
osintframework
godaddy
shodan
https://search.censys.io/
If there is a WAF, the site will likely have two IPs: one for the WAF and another for the origin host. Using the host IP directly is one way to bypass the WAF.
Websites
https://bgp.he.net/ (IP DUMP)
https://whois.arin.net/ui/ (URL DUMP)
https://www.crunchbase.com/ (Check domain acquisitions) need account
https://aleph.occrp.org/ (Check invested/bought companies)
ASN
numbers can be useful for big companies because they specify the IP routes owned by the company
Acquisitions
are useful because they could lead to the main target
ChatGPT for background check
What can you tell me more about the targeted domain's acquisitions?
Ads (relationship) checking with the Built-with extension
Built-with extension: https://chrome.google.com/webstore/detail/builtwith-technology-prof/dapjbgnjinbpoindlpdmhochffioedbn
need login
Used to check websites that use the same ads
Shodan + API = karma
bash karma_v2 -d tesla.com --limit -1 -deep
Karma notes
favicon dana-na = VPN login
interesting findings
check possible IPv6
Shodan subdomain grabber
https://github.com/incogbyte/shosubgo
Whoxy
https://www.whoxy.com/ (Check history/previous websites)
AWS IP ranges
kaeferjaeger
https://kaeferjaeger.gay/?dir=ip-ranges/
cat *.txt | grep "\.tesla\.com"
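The plain grep above will also match hostnames such as "nottesla.com" or "tesla.com.example.net" and prints duplicates across files. The function below is an added example (not part of these notes or the kaeferjaeger dumps) that anchors the domain match and de-duplicates results; it assumes a constructed "IP hostname" line format rather than the exact layout of the downloaded files.

```shell
#!/bin/sh
# Added example: filter downloaded IP-range listings for hostnames under one domain.
# Assumed (constructed) input format: one "IP hostname" pair per line.

# find_org_hosts DOMAIN FILE...
# Prints unique "IP hostname" lines whose hostname is DOMAIN or a subdomain of it.
find_org_hosts() {
    domain="$1"; shift
    # escape dots so they match literally in the regex
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # (^|[^A-Za-z0-9-]) blocks "nottesla.com"; ([[:space:]]|$) blocks "tesla.com.evil.net"
    grep -hE "(^|[^A-Za-z0-9-])${esc}([[:space:]]|$)" "$@" | sort -u
}

# demo: builds two constructed range files in a temp dir and runs the filter on them
demo() {
    dir=$(mktemp -d)
    cat > "$dir/range1.txt" <<'EOF'
52.10.0.1 www.tesla.com
52.10.0.2 nottesla.com
52.10.0.3 api.tesla.com
52.10.0.4 tesla.com.evil-example.net
EOF
    cat > "$dir/range2.txt" <<'EOF'
52.10.0.3 api.tesla.com
52.10.0.5 tesla.com
EOF
    find_org_hosts tesla.com "$dir"/*.txt
    rm -rf "$dir"
}
```

Run `demo` to see the three matching lines; on real dumps call `find_org_hosts yourdomain.com *.txt` in the directory where the range files were saved.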