Infrastructure

Check List

• Use search engines for basic information gathering.

• Explore specialized websites for additional insights.

• Perform Whois lookups for domain information.

• Investigate DNS records for domain details.

• Check IP addresses for location and hosting information.

• Network mapping and relationship analysis.

• Utilize Recon-NG for automated data gathering.

• Extract metadata from files and images.

Cheat Sheet

Search Engine

Google

Sub Domains

site:$WEBSITE

HTTP Title

intitle:"login" |
intitle:"admin" |
intitle:"administrator"
site:$WEBSITE

URI

inurl:conf |
inurl:env |
inurl:cgi |
inurl:bin |
inurl:etc |
inurl:root |
inurl:sql |
inurl:backup |
inurl:admin |
inurl:php
site:$WEBSITE

File Types

filetype:pdf |
filetype:csv |
filetype:xls |
filetype:xlsx
site:$WEBSITE

Extensions

ext:log | 
ext:txt | 
ext:conf | 
ext:cnf | 
ext:ini | 
ext:env | 
ext:sh | 
ext:bak | 
ext:backup | 
ext:swp | 
ext:old | 
ext:~ | 
ext:git | 
ext:svn | 
ext:htpasswd | 
ext:htaccess | 
ext:json | 
ext:daf 
site:$WEBSITE

Exact Phrase

"choose file" site:$WEBSITE 

Cache

cache:"$WEBSITE"

Shodan

Port

port:22

Country

country:"IR"

City

city:"Tehran"

Organization

org:"United States Department"

Product

product:"Apache"

Date

product:"apache" after:"22/02/2009" before:"14/3/2010"

Censys

Service

services.service_name: "HTTP"

Country

location.country: "Iran"

TLS Cipher

services.tls.certificate.parsed.subject.common_name: "$WEBSITE"

ASN

autonomous_system.asn: 15169

Banner

services.banner: "Apache"

Zoomeye

Port

port:80

Application

app:"Apache"

Country

country:"Iran"

IP

ip:"$TARGET"

City

city:"Tehran"

OS

os:"Windows"

Useful Website

Bug Bounty Programs

Find BB Target

for platform in hackerone bugcrowd intigriti; do echo -e "\n\033[1;36m==============================\n[$platform Programs]\n==============================\033[0m"; curl -s "https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/${platform}_data.json" | jq -r '.[].url'; done

BGPView

Find CIDRs

curl -s https://api.bgpview.io/search?query_term=$COMPANY | jq

OSINT Frameworkosintframework.com

crt.sh | Certificate Searchcrt.sh

Wayback Machineweb.archive.org

ICANN Lookuplookup.icann.org

BuiltWithBuiltWith

Detect which CMS a site is using - What CMS?www.whatcms.org

Whois

Whois

Whois Lookup, Domain Availability & IP Search - DomainToolswhois.domaintools.com

ICANN Lookuplookup.icann.org

WHOIS Search, Domain Name, Website, and IP Tools - Who.iswho.is

WHOIS API | WHOIS Lookup API | Domain WHOIS APIwww.whoxy.com

WHOIS Domain Lookup - Find out who owns a website - GoDaddy CAGoDaddy

Revers Whois

https://viewdns.info/reversewhois/viewdns.info

Reverse WHOIS API | Reverse Whois Lookup | Free Reverse Whoiswww.whoxy.com

Reverse Whois Lookup - Domain search based on email or namewww.reversewhois.io

Reverse Whoissecgron

DNS

DNSDumpster - Find & lookup dns records for recon & researchDNSDumpster.com

http://searchdns.netcraft.com/searchdns.netcraft.com

https://viewdns.info/viewdns.info

IP Address

SecurityTrails | SecurityTrails: Data Security, Threat Hunting, and Attack Surface Management Solutions for Security Teamssecuritytrails

Maltego

Domain Scan

Run Machine > URL To Network And Domain Information > Fill in Input your Target > Right Click Domain > All Transforms

Create New Graph

Application Menu > New

Entity Palette > Infrastructure > Drag & Drop Domain > Enter Domain Name

Get IP Address

Right-click Domain > Run Transforms > All Transforms > [Securitytrails] DNS History Field A

DNS Records

Right-click Domain > Run Transforms > All Transforms > [WhoisXML] DNS lookup

Name Servers

Right-click Domain > Run Transforms > All Transforms > [Securitytrails] DNS History Field NS

Right-click Domain > Run Transforms > All Transforms > To DNS Name - NS

Mail Servers

Right-click Domain > Run Transforms > All Transforms > To DNS Name - MX

Whois Information

Right-click Domain > Run Transforms > Domain owner detail

Right-click Domain > Run Transforms > Domain owner detail > To Entities from WHOIS [IBM Watson]

Right-click Domain > Run Transforms > Domain owner detail > To Entities from WHOIS > To WHOIS Records [Whois XML]

Emails Related to Domain

Right-click Domain > Run Transforms > Find in Entity Properties > To E-Mail addresses [within Properties]

Right-click Domain > Run Transforms > hunter > Find Email Address [Hunter]

Subdomains

Right-click Domain > Run Transforms > All Transforms > [Securitytrails] List Subdomains

Right-click Domain > Run Transforms > All Transforms > To Subdomains (+Historical)[Shodan]

Right-click Domain > Run Transforms > All Transforms > To Subdomains(Passive DNS)[OTX]

Right-click Domain > Run Transforms > All Transforms > To Subdomains[Shodan]

Right-click Domain > Run Transforms > All Transforms > To Subdomains[VirusTotal Public API]

Phone Numbers

Right-click Domain > Run Transforms > To Phone numbers [From whois info]

Right-click Domain > Run Transforms > To Phone Numbers [using Search Engine]

Right-click Domain > Run Transforms > To Phone Numbers [within Properties]

Recon-NG

Run Recon-ng

recon-ng

List Commands

[recon-ng][default] > help

View All Modules

[recon-ng][default] > marketplace search

Install a Module

[recon-ng][default] > marketplace install recon/domains-contacts/hunter_io

Load a Module

[recon-ng][default] > modules load hunter_io

List Module Options

[recon-ng][default][hunter_io] > options list

Set Module Options

[recon-ng][default][hunter_io] > options set SOURCE $WEBSITE

Run Module

[recon-ng][default][hunter_io] > run

List API Keys

[recon-ng][default] > keys list

Add API Key

[recon-ng][default] > keys add hunter_io 9918b4ea[...]b46a73f071 

Remove API Key

[recon-ng][default] > keys remove hunter_io 

Metadata Extraction

Metagoofil

metagoofil -d $WEBSITE -t pdf,xls,xlsx,csv -l 100 -n 7 -f ~/result.html

ExifTool

exiftool $FILE

FOCA

Application Menu > Project > New Project > Fill the Inputs > Create > Select Path for Result > Select Extensions and Search Engine > Search All