Infrastructure Enum
Domain Information
- Work on the main website to find the tech stack and services in use
- If we discover a service that we do not know how it works:
  - we must try to understand its function and the opportunities it offers
  - it also gives us an overview of the company's structure
- Think of being a dev and you'll have more technical insights
First thing to check might be the SSL certificate information: https://crt.sh/
- Get JSON output:
  curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .
- Filter unique subdomains:
  curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
- Checking hosts (resolve each subdomain and keep the ones that answer with an address):
  for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
- Once we know which IPs we want to investigate further, we use Shodan on that list
- Shodan finds devices and systems connected to the internet
  for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
  for i in $(cat ip-addresses.txt);do shodan host $i;done
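The crt.sh pipeline above works, but it leans on two quirks: `grep name` only matches because the field is called `name_value`, and the `awk gsub` step exists because one `name_value` can hold several names separated by a literal `\n`. The following Python is an added example (not part of the original notes and not a crt.sh or HTB tool) that does the same "filter unique subdomains" and "checking hosts" steps by parsing the JSON properly: it splits multi-name entries, lower-cases and de-duplicates, drops names that belong to another domain or are wildcards (a `*.example.com` entry cannot be resolved), and then resolves the survivors. The JSON sample is constructed in the shape crt.sh returns; the resolver is injectable so the logic runs offline, and `socket.gethostbyname` is used for a live run.

```python
import json
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample in the shape of crt.sh's ?q=<domain>&output=json answer.
# Note the "\n"-separated names inside name_value, the mixed case, the wildcard
# entry and the certificate for a different TLD. All values are made up.
SAMPLE_CRTSH_JSON = r'''
[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.inlanefreight.com",
   "name_value": "www.inlanefreight.com\ninlanefreight.com"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.inlanefreight.com",
   "name_value": "*.inlanefreight.com\nmail.inlanefreight.com"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "vpn.inlanefreight.com",
   "name_value": "vpn.inlanefreight.com\nVPN.inlanefreight.com"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "inlanefreight.co.uk",
   "name_value": "inlanefreight.co.uk"}
]
'''


def extract_subdomains(crtsh_json: str, domain: str, keep_wildcards: bool = False) -> List[str]:
    """Return the sorted, unique hostnames under `domain` found in crt.sh JSON.

    Both `common_name` and `name_value` are inspected, `name_value` is split on
    newlines, names are lower-cased, and names outside `domain` (e.g. a cert for
    another TLD that shares the org name) are dropped. Wildcard names are not
    resolvable hosts, so they are dropped unless the caller asks to keep them.
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(crtsh_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower()
            if not name:
                continue
            if name != domain and not name.endswith(suffix):
                continue  # belongs to some other domain
            if name.startswith("*.") and not keep_wildcards:
                continue  # wildcard: cannot be resolved or scanned directly
            found.add(name)
    return sorted(found)


def resolve_hosts(hosts: Iterable[str],
                  resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each host to the address the resolver returns, skipping names that
    do not resolve. Names on a certificate need not be live, so NXDOMAIN is the
    normal case, not an error. The resolver is a parameter so this can be
    exercised offline with a fake lookup table."""
    resolved: Dict[str, str] = {}
    for host in hosts:
        try:
            resolved[host] = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            continue
    return resolved


if __name__ == "__main__":
    # Offline demo on the constructed sample; for a live run, feed the real
    # crt.sh response into extract_subdomains and keep the default resolver.
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "inlanefreight.com")
    print("unique subdomains:", subs)
    for host, ip in resolve_hosts(subs).items():
        print(host, ip)  # equivalent of `host $i | grep "has address"`
```

The resolved dictionary is what the `ip-addresses.txt` file held in the one-liner above; writing its values out, one per line, gives the same input for the Shodan loop.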
Find available DNS records:
dig any inlanefreight.com 
Cloud Resources:
- some components might be listed in the DNS lookup (S3, Blob, Cloud Storage)
- Google dork: intext:<target> inurl:<s3/blob/cloudstorage>
- Check links in the source code
- Other sources: domain.glass, GrayHatWarfare, LinkedIn or Xing, GitHub