Web infrastructure
Theory
Practice
shodan : net:"SUBNET/MASK"
zoomeye : IP/MASK
fofa.so
Get the DNS servers, their records, and map the domain:
- https://dnsdumpster.com/
IP enumeration + response header from domain name:
- https://zoomeye.org
Find subdomains:
- https://findsubdomains.com
Find technologies used and versions of a webapp:
- https://github.com/urbanadventurer/WhatWeb
Website caching platforms:
- https://archive.org/
- https://archive.fo/
Google Analytics:
A final useful check is whether the same Google Analytics / AdSense ID is used on several websites. This technique was discovered in 2015 and is well described by Bellingcat.
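An added example (not from the original page) of the shared-ID check: it pulls Universal Analytics, GA4 and AdSense identifiers out of already-fetched HTML and reports every ID seen on more than one host. The regex length bounds, function names and sample pages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Tracking-ID shapes: Universal Analytics (UA-<account>-<property>),
# GA4 measurement IDs (G-...), AdSense publisher IDs (ca-pub-<digits>).
# Length bounds are assumptions chosen to limit false positives.
PATTERNS = {
    "ua": re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-([A-Z0-9]{8,12})\b"),
    "adsense": re.compile(r"\bca-pub-(\d{10,20})\b"),
}

def extract_ids(html):
    """Return the set of normalized tracking IDs found in one page's HTML."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(html):
            # For UA only the account part is kept, so UA-1234567-1 and
            # UA-1234567-3 (two properties of one account) compare equal.
            found.add(f"{kind}:{m.group(1)}")
    return found

def shared_ids(pages):
    """Map each tracking ID to the sorted hosts using it (2+ hosts only)."""
    by_id = defaultdict(set)
    for host, html in pages.items():
        for tid in extract_ids(html):
            by_id[tid].add(host)
    return {tid: sorted(h) for tid, h in by_id.items() if len(h) > 1}

# Constructed sample pages (hypothetical hosts and IDs, not real sites).
SAMPLE_PAGES = {
    "shop.example": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "blog.example": "<script>gtag('config', 'UA-1234567-3');</script>"
                    "<ins data-ad-client=\"ca-pub-1111222233334444\"></ins>",
    "news.example.org": "<script src='/gtag/js?id=G-ABCDE12345'></script>"
                        "<ins data-ad-client='ca-pub-1111222233334444'></ins>",
    "other.example.net": "<script>gtag('config', 'G-ZZZZZ99999');</script>",
}

if __name__ == "__main__":
    for tid, hosts in sorted(shared_ids(SAMPLE_PAGES).items()):
        print(tid, "->", ", ".join(hosts))
```

The same function can be run over pages from your own organisation's sites to see which properties are linkable to each other through a reused ID.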
Certificates?
Using Google Dorks to find subdomains