- IP space discovery
- TLDs, Acquisitions, & Relations
- Subdomain Enum
- Fingerprinting
- Dorking
- Content Discovery
- Parameter Discovery
ASN Discovery of Target:
ASN using whois:
whois -h whois.cymru.com $(dig +short example.com)
NOTE: Be careful: sometimes the ASN you get back belongs to a hosting/VPS provider (DigitalOcean etc.) rather than to the target. Don't work on those.
Using Nmap's targets-asn script to discover IPs belonging to the target ASN:
nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>
Gathering Company intel using AMASS
amass intel -org <Organisation name(not domain)>
ARIN for ASN lookup
IPinfo site for ASN lookup
Subdomains from ASNs using amass intel:
amass intel -asn <ASN_number>
- Looking for acquisitions or related orgs of the target:
- Wikipedia
- Crunchbase
- Owler
- AcquiredBy
- LinkedIn
- Reverse WHOIS using the amass intel module:
amass intel -d domain.com -whois
- BuiltWith
- Google dork:
intext:"copyright © org_name"
- Shodan Dork using HTTP favicon hashes
http.favicon.hash:<hash>
The favicon hash can be computed with favfreak.