Web infrastructure

Theory

Practice

shodan : net:"SUBNET/MASK"

org:"company name"

zoomeye : IP/MASK

fofa.so

Get the DNS servers, their records, and map the domain:
-https://dnsdumpster.com/
IP enumeration + response header from domain name:
-https://zoomeye.org
Find subdomains:
-https://findsubdomains.com
Find technologies used and versions of a webapp:
-https://github.com/urbanadventurer/WhatWeb

Website caching platforms:
-https://archive.org/
-https://archive.is/

Google Analytics:

The last piece of information that is really interesting is to check if the same Google Analytics / Adsense ID is used in several websites. This technique was discovered in 2015 and is well described here by Bellingcat.
Certificates?

Using Google Dorks to find subdomains

# find subdomains
site:"something.com"

# without www and subd1
site:"something.com" -www -subd1

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Web infrastructure

Theory

Practice

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Web infrastructure ​

Theory ​

Practice ​

Web infrastructure

Theory

Practice