Hooper Labs

Open Source Intelligence (OSINT)

Whois Registration Lookup

	whois domain.com

ARIN Whois

	https://whois.arin.net/ui/advanced.jsp

	Find other netblocks belonging to the same organisation by using wildcards in the search.

Wigle

	Geolocate MAC Addresses of Wifi Hotspots - https://wigle.net/

Mylnikov (Wigle for Europe)

	http://find-wifi.mylnikov.org/

Photos of Commercial Buildings

	http://loopnet.com

MAC OUI Lookup

	curl http://api.macvendors.com/fc-a1-3e-2a-1c-33

Shodan

	https://www.shodan.io/

Google Dorks

List of Subdomains without main page

	site:"microsoft.com" -site:"www.microsoft.com"

Web Cams

	inurl:"/control/userimage.html"

Useful Operators

	filetype, inurl, intitle

The Harvester (deprecated?)

	theharvester -d cisco.com -b all

DNS

Check if DNS resolves (multi-region)

	https://dnschecker.org

Subdomain Enumeration

SubBrute + MassDNS

	python /opt/massdns/scripts/subbrute.py /usr/share/wordlists/dns.top20000.txt domain.com | massdns -r /usr/share/wordlists/dns.resolvers.txt --verify-ip -w massdns.out.txt -o S

MassDNS

	massdns -s 15000 -t CNAME -o J -r /usr/share/wordlists/resolvers.txt --flush

The Harvester

	theharvester -d domain.com -b all -c

Sublist3r

	sublist3r -d domain.com -b -o outfile.txt

Amass

	amass enum -passive -include-unresolvable -timeout 10 -d domain.com | tee amass.txt

DNScan

	dnscan -d domain.com -w /usr/share/wordlists/commonspeak2-subdomains.txt -t 16 -6 -r -o dnscan.txt

KnockPy

	python knockpy.py domain.com -w /usr/share/wordlists/commonspeak2-subdomains.txt | grep domain.com | cut -d '"' -f2  | tee knockpy.out

DNSRecon (not great)

	dnsrecon -d domain.com -D /usr/share/wordlists/commonspeak2-subdomains.txt -g -b -k -w -z --threads 16

AltDNS

	altdns -i subdomains.txt -o altdns.txt -w words.txt -r -s results_outputs.txt

ThreatCrowd

Subdomain Takeover (one-liner)

	chaos -d domain.com -silent | nuclei -t nuclei-templates/dns/dead-host-with-cname.yaml

Git Disclosures

GitLeaks

	https://github.com/zricethezav/gitleaks

	docker pull zricethezav/gitleaks

GitLeaks Example

	docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://gitlab.com/StraightOuttaCrompton/aws-cdk-static-site

Gitrob

	https://github.com/michenriksen/gitrob

Truffle Hog

	https://github.com/dxa4481/truffleHog

SHHGit

	https://github.com/eth0izzle/shhgit

Social Media

LinkedIn (email lookup)

	https://linkedin.com/sales/gmail/profile/viewByEmail/