- OSINT through World Wide Web
- Find Domain and Sub-domains of the target
- nmap –script dns-brute sample-domain.com
- https://www.netcraft.com
- Information gathering using theharvester and Sublist3r
- Find the Similar or Parallel Domain Names
- urlcrazy
- Refine Your Web Searches using Advanced Operators
- Web/Image/Groups/Directory/News/Product Search
- site:microsoft.com -site:www.microsoft.com
- Google Hacking Database (GHDB)
- Footprint the Target using Shodan
- Find the Geographic Location of a Company
- nmap -sn –script ip-geolocation-* http://www.microsoft.com
- List Employees and their Email Addresses
- Identify the Key Email Addresses through Email Harvesting
- theharvester (apt install theharvester)
- https://www.phishingfrenzy.com
- List Key Personnel of the Company
- Use People Search Online Services to Collect the Information
- Browse Social Network Websites to Find Information about the Company and Employees
- Use the Web Investigation Tools to Extract Sensitive Data about the Company
- Identify the Type of Network Devices used in Organization
- Job Search Engines
- Look for the Sensitive Information in Email Headers
- Look for Valuable Information in the NNTP USENET Newsgroups
- Find Domain and Sub-domains of the target
- OSINT through Website Analysis
- https://builtwith.com
- https://archive.org
- Website-Watcher (https://www.aignes.com)
- https://www.ultratools.com/whois
- https://www.yougetsignal.com/
- nslookup
- dnsrecon
- dnsenum
- dig
- Network Diagram
- traceroute
- nmap –traceroute –script traceroute-geolocation sample-domain.com
- OSINT through DNS Interrogation
- whois (apt install whois)
- nmap -sn –script whois-* sample-domain.com
- Automating your OSINT Effort using Tools/Frameworks/Scripts