Recon

Terminal:

whois google.com 

dnsrecon -d google.com

nslookup google.com

traceroute google.com

dig google.com

wafw00f - WAF checking

Check the ASN (Autonomous System Number) of a company if the company is big

ASN (Autonomous System Number) = routable IPs belonging to a company

Websites:

securitytrails 

crt.sh 

dnsdumpster

osintframework

godaddy

shodan

https://search.censys.io/

If the site is behind a WAF, it will likely have 2 IPs: one for the WAF, another for the host. Using the host IP is one way to bypass the WAF.
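A defender's check for the WAF note above, as an added example that is not part of the original notes: it audits an export of your own DNS zone for records that publish an address outside the WAF's ranges. The zone data, the WAF prefixes (documentation ranges) and the function names are constructed assumptions.

```python
"""Audit a DNS zone export for records that disclose an address outside the WAF."""
import ipaddress
import re

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges, not real hosts).
WAF_RANGES = ["198.51.100.0/24", "2001:db8:aaaa::/48"]  # assumed WAF edge prefixes
ZONE = [  # (hostname, record type, value) as exported from your own zone
    ("www.example.com", "A", "198.51.100.10"),
    ("www.example.com", "AAAA", "2001:db8:aaaa::10"),
    ("origin.example.com", "A", "203.0.113.25"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("www.example.com", "AAAA", "2001:db8:bbbb::25"),  # stray IPv6 record
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.25 -all"),
    ("example.com", "MX", "10 mail.example.com."),
]
SPF_IP = re.compile(r"\bip[46]:([0-9A-Fa-f:.]+)")


def record_ips(rtype, value):
    """Return the IP literals a record discloses (A/AAAA values, SPF ip4:/ip6: terms)."""
    if rtype in ("A", "AAAA"):
        return [value]
    if rtype == "TXT" and value.startswith("v=spf1"):
        return SPF_IP.findall(value)
    return []


def behind_waf(ip, nets):
    """True if ip falls inside one of the WAF networks of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def audit(zone, waf_ranges):
    """Return (host, type, ip, mixed) for every disclosed address outside the WAF.
    mixed is True when the same hostname also has a WAF-fronted record."""
    nets = [ipaddress.ip_network(r) for r in waf_ranges]
    fronted, leaks = set(), []
    for host, rtype, value in zone:
        for ip in record_ips(rtype, value):
            if behind_waf(ip, nets):
                fronted.add(host)
            else:
                leaks.append((host, rtype, ip))
    return [(h, t, ip, h in fronted) for h, t, ip in leaks]


if __name__ == "__main__":
    for host, rtype, ip, mixed in audit(ZONE, WAF_RANGES):
        note = "same name is WAF-fronted" if mixed else "non-WAF address published"
        print(f"{host:20} {rtype:5} {ip:20} {note}")
```

Every row it reports is a candidate for cleanup, and the origin itself should accept web traffic only from the WAF's ranges so a disclosed address is not enough to reach it.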

Websites

The ASN can be useful for big companies because it specifies the IP routes owned by the company

Acquisitions are useful because they could lead to the main target

ChatGPT for background check

Ads (relationship) checking with the BuiltWith extension

  • To check websites that use the same ads

Shodan + API = Karma

Karma notes

favicon dana-na = VPN login

interesting findings

Check for possible IPv6

Shodan subdomain grabber

Whoxy

AWS IP ranges
