Website OSINT

Part 1:

  1. Google
    1. tcm-sec.com
    2. “tcm-sec.com”
    3. site:tcm-sec.com
    4. site:tcm-sec.com heath -academy
    5. site:tesla.com -www -shop -service
      1. good for finding subdomains
  2. BuiltWith - https://builtwith.com/
    1. Tells you what’s used to build the website
  3. Centralops.net
    1. whois records
    2. DNS records
    3. Service scan
      1. sometimes sees more subdomains or server data (LiteSpeed on TCM sec was leaking)
      2. PHP
  4. DNSlytics - https://dnslytics.com/reverse-ip
    1. finds what other websites are hosted on the same IP (View DNS looks cleaner)
      1. find the IP from CentralOps
  5. SpyOnWeb - https://spyonweb.com/
    1. Same owner
  6. Virus Total - https://www.virustotal.com/
    1. after a scan, under details, you can see a lot of info.
      1. Google Tag Manager: you can see the UA (Universal Analytics) tracking code
        1. This lets you search for that code in SpyOnWeb and see if the same tracker is used on another website
        2. AKA tying websites together by a shared tracking ID
  7. Reddit Domains: reddit.com/domain/bargainify.co/
    1. (This one actually works): thecybermentor.com on reddit.com
    2. hit or miss but you can see if this website has been posted. Potentially who posted it/owner and link things together
  8. Visual Ping - https://visualping.io/
    1. looking for website changes for free
  9. Back Link Watch - http://backlinkwatch.com/index.php
    1. find which other websites link to the target website (backlinks)
    2. good for finding profiles, events sponsored, the original designer/coder, etc.
  10. View DNS - https://viewdns.info/
    1. So many options, pretty clean

Part 2:

  1. urlscan.io - https://urlscan.io/
    1. Gain info
  2. DNSdumpster - https://dnsdumpster.com/
    1. domain mapping
  3. Web Check - https://web-check.as93.net/
    1. subdomains
    2. txt files
    3. security best practices
  4. crt.sh - https://crt.sh/ (his favorite?)
    1. finding subdomains through certificate search (Certificate Transparency logs)
    2. finding subdomains on tesla:
      1. %.tesla.com (% is the wildcard)
        1. dev-related subdomains stand out here, as they are the ones most worth checking if you are assessing them
        2. adm for admin
        3. stg for staging
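As an added worked example (not from the course or these notes), this is how a crt.sh result for a %.domain query can be parsed offline into a deduplicated subdomain list: wildcards are stripped, look-alike domains that merely contain the name are dropped, and hosts are grouped by the dev/stg/adm hints above. The JSON sample is constructed to match the shape crt.sh returns with output=json, and the ENV_HINTS grouping is a hypothetical classification, not a crt.sh feature.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (%25 is the URL-encoded % wildcard). Only "name_value" is used below;
# crt.sh packs every SAN of a certificate into it, one name per line.
SAMPLE_CRTSH_JSON = r"""[
  {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
  {"common_name": "*.example.com", "name_value": "*.example.com"},
  {"common_name": "dev-api.example.com", "name_value": "dev-api.example.com"},
  {"common_name": "stg.example.com", "name_value": "stg.example.com\nadm.example.com"},
  {"common_name": "lookalike", "name_value": "example.com.evil-lookalike.net"},
  {"common_name": "WWW.Example.com", "name_value": "WWW.Example.com"}
]"""

# Hypothetical grouping based on the label hints noted above (dev, stg, adm).
ENV_HINTS = {"dev": "development", "stg": "staging", "adm": "admin"}


def extract_subdomains(crtsh_json: str, domain: str) -> set[str]:
    """Return the unique hostnames under `domain` found in crt.sh JSON output."""
    names = set()
    for entry in json.loads(crtsh_json):
        for raw in entry["name_value"].split("\n"):
            # normalise case and drop a leading "*." wildcard
            host = raw.strip().lower().lstrip("*.")
            # keep only hosts that really end with the target domain,
            # so "example.com.evil-lookalike.net" is not counted
            if host == domain or host.endswith("." + domain):
                names.add(host)
    return names


def classify(hosts: set[str]) -> dict[str, list[str]]:
    """Group hosts by the environment hint found in their leftmost label."""
    groups = defaultdict(list)
    for host in sorted(hosts):
        label = host.split(".")[0]
        env = next((v for k, v in ENV_HINTS.items() if k in label), "other")
        groups[env].append(host)
    return dict(groups)


if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    for env, hosts in classify(found).items():
        print(f"{env}: {', '.join(hosts)}")
```

For a live query, fetch the crt.sh URL in the comment and pass the response body to extract_subdomains; the same grouping then works as a quick attack-surface inventory of an organisation's own certificates.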

Part 3:

  1. Shodan (I got premium!): https://shodan.io
    1. Explore (shodan.io/explore)
    2. Most used feature: Webcam
    3. Search for an IP to see its exposed services and known vulnerabilities
    4. how he searches for clients:
      1. city:atlanta
        1. what if we want misconfiguration? RDP open to the internet? port 3389:
          1. city:atlanta port:3389
          2. narrow it to an organization:
          3. city:atlanta port:3389 org:choopa
          4. city:atlanta port:3389 org:"Equifax Inc."
          5. narrow it down to maybe ISP business lines
            1. his example was AT&T Business after finding out many are AT&T
  2. Wayback Machine - https://web.archive.org/
    1. view page history
  3. Cache
    1. can bypass paywalls, recover websites that don't work anymore, or reveal data since removed
    2. Google:
      1. cache:tesla.com
      2. cache:websiteYouWantHere.com