Intelligence

Based on IP

whois -h whois.cymru.com <ip>

Based on domain

curl -s "https://api.hackertarget.com/hostsearch/?q=<domain>" > hostsearch
curl -s "https://api.hackertarget.com/dnslookup/?q=<domain>" > dnslookup
theharvester -d <domain> -h -l 300 -b all -f output
metagoofil -d <domain> -t <doc,pdf> -l 200 -n 50 -o <out> -f results.html
python sublist3r.py -d <domain>
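subdomain() {
  # crt.sh: strip HTML tags, keep names under the queried domain, drop wildcard entries
  curl -s "https://crt.sh/?q=%25.$1" | sed 's/<\/\?[^>]\+>//g' | sort -u | grep -v "LIKE" | grep -v "crt.sh" | grep -F -- "$1" | sed 's/    //' | grep -vF '*'
  # Cert Spotter: DNS names from issued certificates, wildcard prefix removed
  curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq -r '.[].dns_names[]' | sed 's/\*\.//g' | sort -u | grep -F -- "$1"
  # HackerTarget host search: the first CSV column is the hostname
  curl -s "https://api.hackertarget.com/hostsearch/?q=$1" | cut -d',' -f1 | sort -u
  # Common Crawl index: URLs recorded under the domain
  curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq -r .url | sort -u
}
subdomain <domain> | sort -u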
enum_commoncrawl(){ curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq -r .url | sort -u ;}

Certificate Transparency Reports

https://www.entrust.com/ct-search/
https://cryptoreport.websecurity.symantec.com/checker/
https://ssltools.digicert.com/checker/
https://github.com/UnaPibaGeek/ctfr
https://google.com/transparencyreport/https/ct/

Based on files

exiftool <file>

Based on nickname

python3 sherlock.py <nickname>

Online tools

https://crt.sh/?q=%25.<domain>.<tld>

Domain to ASN

http://bgp.he.net/

ASN to netblocks

nmap <domain> --script targets-asn --script-args targets-asn.asn=<ASN> > netblocks.txt

Google Dorks

https://nfsec.pl/media/ghdb.pdf
inurl:<company> AND intext:<key word>
ext:pdf <company>

Resources