Web infrastructure



shodan : net:"SUBNET/MASK"
zoomeye : IP/MASK
Get the DNS servers, their records, and map the domain:
  • IP enumeration and response headers from the domain name:
  • Find subdomains:
  • Find the technologies used by a web app and their versions:
Website caching platforms:
Google Analytics:
  • A last, genuinely useful check is whether the same Google Analytics / AdSense ID is embedded in several websites: a shared tracking ID ties those sites to the same operator. This technique was discovered in 2015 and is well described by Bellingcat.
  • Certificates?
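An added example (not part of the original notes) of the pivot described above: extract Google Analytics, Tag Manager and AdSense IDs from saved page sources and group the hosts that embed the same ID. The page sources below are constructed samples, not real sites.

```python
import re
from collections import defaultdict

# Tracking-ID formats: Universal Analytics (UA-), GA4 (G-), Google Tag Manager (GTM-)
# and AdSense publisher IDs (pub-, usually written with a "ca-" prefix in page markup).
ID_PATTERNS = {
    "ga_ua": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,9}\b"),
    "adsense": re.compile(r"\b(?:ca-)?pub-\d{16}\b"),
}


def extract_ids(html: str) -> set[str]:
    """Return every Google tracking/publisher ID found in one page source."""
    found = set()
    for pattern in ID_PATTERNS.values():
        for match in pattern.findall(html):
            # Normalise "ca-pub-..." and "pub-..." to one form so they compare equal.
            found.add(match[3:] if match.startswith("ca-") else match)
    return found


def shared_ids(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each tracking ID to the sorted hosts embedding it, keeping only IDs
    that appear on more than one host (the actual pivot)."""
    owners = defaultdict(set)
    for host, html in pages.items():
        for tracking_id in extract_ids(html):
            owners[tracking_id].add(host)
    return {tid: sorted(hosts) for tid, hosts in owners.items() if len(hosts) > 1}


# Constructed sample page sources: two of the three hosts share one UA ID.
SAMPLE_PAGES = {
    "shop.example": '<script>ga("create", "UA-1234567-2", "auto");</script>',
    "blog.example": '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-2"></script>'
                    '<script>gtag("config", "G-ABCD12EF34");</script>',
    "other.example": '<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>',
}

if __name__ == "__main__":
    for tid, hosts in shared_ids(SAMPLE_PAGES).items():
        print(f"{tid} is shared by: {', '.join(hosts)}")
```

The same grouping works on page sources pulled from a web archive, which lets the pivot cover IDs a site used in the past.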
Using Google Dorks to find subdomains
# find subdomains of a domain, excluding the www and subd1 hosts already known
site:"" -www -subd1