Web infrastructure

Theory

Practice

shodan : net:"SUBNET/MASK"

zoomeye : IP/MASK

fofa.so

Get the DNS servers, their records, and map the domain: - IP énumération + response header from domain name: - Find subdomains: - Find technologies used and versions of a webapp: -

Website caching platforms: - -

Google Analytics:

The last piece of information that is really interesting is to check if the same Google Analytics / Adsense ID is used in several websites. This technique was discovered in 2015 and is well described here by .
Certificats?

Using Google Dorks to find subdomains

# find subdomains
site:"something.com"

# without www and subd1
site:"something.com" -www -subd1

PreviousEmails NextOSINT

Last updated 3 years ago

Was this helpful?