Web infrastructure
shodan : net:"SUBNET/MASK"
zoomeye : IP/MASK
fofa.so
Get the DNS servers, their records, and map the domain:
-https://dnsdumpster.com/
IP énumération + response header from domain name:
-https://zoomeye.org
Find subdomains:
-https://findsubdomains.com
Find technologies used and versions of a webapp:
-https://github.com/urbanadventurer/WhatWeb
Google Analytics:
- The last piece of information that is really interesting is to check if the same Google Analytics / Adsense ID is used in several websites. This technique was discovered in 2015 and is well described here by Bellingcat.
- Certificats?
Using Google Dorks to find subdomains
# find subdomains
site:"something.com"
# without www and subd1
site:"something.com" -www -subd1
Last modified 1yr ago