# Domain Information

- gathered passively w/o direct and active scans
- accessed as a potential customer or visitor

## SSL Cert

- view SSL certificate
- access website and open cert info
- review domain on https://crt.sh
- `curl` crt.sh entry and pipe to `jq` for easy viewing of JSON output

```bash
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .
# manipulate output into an easily readable, de-duplicated hostname list
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
```

## Shodan

- when a client provides a subdomain list, run a processed list through `shodan` to find devices and systems that are directly accessible from the internet and their associated info (as opposed to those hosted by third-party providers)

```bash
# resolve each subdomain and keep only the IPv4 addresses for the target domain
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
# query Shodan for each collected address
for i in $(cat ip-addresses.txt);do shodan host $i;done
```

## DNS Records

- leverage `dig` and `nslookup`

```bash
dig any inlanefreight.com
```

| Record Type | Description                                                                   |
| ----------- | ----------------------------------------------------------------------------- |
| A           | IPv4 addresses pointed to a specific (sub)domain                              |
| AAAA        | IPv6 addresses pointed to a specific (sub)domain                              |
| CNAME       | canonical name; alias                                                         |
| NS          | nameserver used to resolve FQDN to IP                                         |
| MX          | mail server records                                                           |
| TXT         | SPF, DMARC, DKIM                                                              |
| SOA         | start of authority with admin info about the zone (related to zone transfers) |

# Cloud Resources

- AWS, Azure, GCP need to be set up properly or they become potential attack vectors
- S3 buckets (AWS), blobs (Azure), and cloud storage (GCP) can be accessed without authentication if configured incorrectly
- often cloud storage is added to the DNS list for ease of administration
- identifying cloud storage
  - use Google dorks `inurl: storage-related-domain` and `intext: company name`
    - for AWS - `inurl: amazonaws.com`
    - for Azure - `inurl: blob.core.windows.net`
  - look at webpage source code with [ctrl+u]
  - search for company name on domain.glass
  - try different searches for company name on grayhatwarfare.com such as filtering by buckets or searching by files such as `id_rsa`

## Staff -> usernames

- search for company employees on LinkedIn
- also look at the company's job postings on LinkedIn or Indeed to determine what programming skills, languages, etc. they are looking for, as these may be currently in use
- look at employees' personal GitHubs for clues, as their projects may be associated with frameworks, etc. currently used by the company
- also look for disclosure of info such as email addresses, API keys, JWT tokens, etc.
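The crt.sh `grep`/`cut`/`awk` pipeline in the SSL Cert section above, redone as a small parser so the same JSON can be checked against an asset inventory (the defender's use of certificate transparency: spotting certificates issued for names you do not know about). This is an added example, not part of the original notes; the JSON sample is constructed in the shape crt.sh returns and its values are made up.

```python
import json
from typing import Iterable

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json.
# Only the fields used below are populated; the values are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {
        "issuer_name": "C=US, O=Example CA, CN=Example R1",
        "common_name": "inlanefreight.com",
        "name_value": "inlanefreight.com\nwww.inlanefreight.com",
    },
    {
        "issuer_name": "C=US, O=Example CA, CN=Example R1",
        "common_name": "*.inlanefreight.com",
        "name_value": "*.inlanefreight.com\nstaging.inlanefreight.com\nvpn.inlanefreight.com",
    },
])


def hostnames_from_crtsh(raw_json: str) -> list[str]:
    """Return sorted, de-duplicated hostnames from a crt.sh JSON response.

    Same result as the page's grep/cut/awk/sort -u pipeline: take common_name
    plus every newline-separated SAN in name_value. issuer_name is skipped
    entirely (the pipeline drops it via grep -v "CN=").
    """
    names: set[str] = set()
    for entry in json.loads(raw_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        names.update(n.strip().lower() for n in candidates if n.strip())
    return sorted(names)


def unexpected_hostnames(hostnames: Iterable[str], inventory: Iterable[str]) -> list[str]:
    """Hostnames seen in CT logs that the owner's asset inventory does not list.

    Each hit is a certificate issued for a name the inventory does not know:
    a forgotten subdomain, a third-party service, or an unauthorized issuance.
    """
    known = {h.lower() for h in inventory}
    return sorted(h for h in hostnames if h.lower() not in known)


if __name__ == "__main__":
    found = hostnames_from_crtsh(SAMPLE_CRTSH_JSON)
    inventory = ["inlanefreight.com", "www.inlanefreight.com", "*.inlanefreight.com"]
    print("CT hostnames:", found)
    print("not in inventory:", unexpected_hostnames(found, inventory))
```

To run it against live data, replace `SAMPLE_CRTSH_JSON` with the body returned by the `curl` command above.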