# Infrastructure Enumeration

## Domain Information

{% tabs %}
{% tab title="Certificate transparency" %}

```bash
curl -s https://crt.sh/\?q\=qu35t.pw\&output\=json | jq .
```

Filter the output down to the unique subdomains.

```bash
curl -s https://crt.sh/\?q\=qu35t.pw\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
```
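
An added example (not from the original page): the same filtering as the pipeline above, done in Python over a constructed sample shaped like crt.sh's JSON output. It goes a little further than the one-liner by lowercasing names, separating wildcard entries, and dropping e-mail identities and names outside the domain; `ct_hostnames` and the sample records are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's output=json response (not real data).
SAMPLE = json.dumps([
    {"common_name": "qu35t.pw", "name_value": "qu35t.pw\nwww.qu35t.pw"},
    {"common_name": "*.qu35t.pw", "name_value": "*.qu35t.pw\nqu35t.pw"},
    {"common_name": "Mail.qu35t.pw", "name_value": "Mail.QU35T.pw"},
    {"common_name": "admin", "name_value": "admin@qu35t.pw"},
    {"common_name": "shop.example", "name_value": "shop.example\nnotqu35t.pw"},
])


def ct_hostnames(raw_json, domain):
    """Return (hostnames, wildcards) in scope for `domain`, both sorted.

    Hypothetical helper written for this example.
    """
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # Read both fields, as the grep on "name" in the pipeline does.
        values = [entry.get("common_name") or "", entry.get("name_value") or ""]
        # name_value packs several names into one string, separated by newlines.
        for name in "\n".join(values).splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name or " " in name:
                continue  # skip blanks, e-mail identities, free-text names
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Match on a label boundary so that notqu35t.pw is rejected.
            if base != domain and not base.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = ct_hostnames(SAMPLE, "qu35t.pw")
    print("\n".join(hosts))
    print("wildcards:", ", ".join(wildcards))
```

A wildcard entry only shows that some name under that label is covered by a certificate, so it is reported separately instead of being treated as a hostname.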

```bash
# Read the Subject Alternative Names from the certificate the server presents.
openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "qu35t.pw:443" | openssl x509 -noout -text -in - | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
```

{% endtab %}

{% tab title="Shodan" %}

```bash
shodan host 10.10.10.10
```

{% endtab %}

{% tab title="DNS records" %}

```bash
# Servers may answer ANY with a minimal response (RFC 8482), so the output can be incomplete.
dig any qu35t.pw
```

{% endtab %}

{% tab title="TheHarvester" %}
Sources to query, saved one per line in `sources.txt`.

```
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
```

Run theHarvester once per source, writing each result to its own file.

```bash
# Read sources.txt line by line; quote "$source" so each name is passed as a single argument.
while read -r source; do theHarvester -d "qu35t.pw" -b "$source" -f "${source}_qu35t.pw"; done < sources.txt
```

Extract all the subdomains found.

```bash
cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "theHarvester.txt"
```

{% endtab %}
{% endtabs %}

## Cloud Resources

{% tabs %}
{% tab title="Google search for AWS" %}

```text
intext:COMPANY inurl:amazonaws.com
```

{% endtab %}

{% tab title="Google search for Azure" %}

```text
intext:COMPANY inurl:blob.core.windows.net
```

{% endtab %}
{% endtabs %}

## References

* [domain.glass](https://domain.glass)
* [GrayhatWarfare](https://buckets.grayhatwarfare.com)
* [Baidu](http://www.baidu.com/)
* [crt.sh](https://crt.sh/)
* [HackerTarget](https://hackertarget.com/)
* [RapidDNS](https://rapiddns.io/)
* [Sublist3r](https://github.com/aboul3la/Sublist3r)
* [ThreatCrowd](http://www.threatcrowd.org/)
* [ThreatMiner](https://www.threatminer.org/)
* [urlscan.io](https://urlscan.io/)
* [ZoomEye](https://www.zoomeye.org/)
* [theHarvester](https://github.com/laramies/theHarvester)
* [Wayback Machine](http://web.archive.org/)
