Recon

https://docs.reconness.com/

look for different asns    http://bgp.he.net         prefixes v4        presents different IP ranges inside the CIDR notationwhois -h whois.cymru.com $(dig +short tesla.com) #finds CIDR notation for tesla.com - finds ip address for websitecareful not to pick up shared hosting amassfind subdomains for each of of these ASNsamass intel -asn 123456#find more details about ip ranges/countries etcwhois.arin.netripe.netshodan.io    https://beta.shodan.io/search/filters #useful filters    org:"Tesla"    #maybe some false positives

Find different attack surfaces which other people might not have discovered, ie from acquisitionsWikipedia    search for subsiduriesCrunchbase.com    search for org        look for acquisitionsOwler.com    search for org        look for acquisitionsAcquiredby.co    search for org        acquisitionsLinkedIn    affiliated pages or similiar pagesReversewhois    amass intel -d tesla.com -whoisBuiltwith    Relationship Profile        look for anaylitical codes under ID # google tracking codes that are linked to different sitesGoogleDorks    intext:"copyright tesla motors"ShodanDorks    http.favicon.hash:81586312 # Jenkins favicon hash        can narrow it down after that        

https://github.com/tomnomnom/assetfinder/    assetfinder -subs-only offsecnewbie.comamass enum -d tesla.com -ip    setup config.ini file get access to a lot more data than baseline toolsubfinder # not used much but has a few extra sources    subfinder -d tesla.com -t 25 -timeout 5 -silentDNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802all.txt + goaltdns + commonspeak --> massdns / gobuster3    https://github.com/subfinder/goaltdns  massdns #download all.txt     sed -e 's/$/.tesla.com/' -i all.txt #adds tesla.com to start of each line - overrides file     massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results     #massdns much faster than gobuster but can get you blacklisted from dns resolovers - a lot of false positives and negatives rapid 7 fdns#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/    pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.org\"," | jq -r '.name'certstream    certstream | grep -E "\.tesla\.com$"    #Real-time certificate transparency log update stream

builtwith.comwhatweb #follows redirection http-->httpsmassscan & nmap    masscan -p1-65535 $(dig +short tesla.com) --rate 1000

shodan dork    org:"Tesla"    ssl:"Tesla" #accurate and can prove ownership to organisation     ssl:"Tesla" http.component:"Drupal"    ssl:"Tesla" http.title:"Login"censys.io    443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motorsgithub dork    "tesla.com" password    "tesla.com" key    "tesla.com" apihttps://github.com/condingo/dorky #automate the dorking process - tool to be released​

Burpcrawler    crawl siteLinkfinder https://github.com/GerbenJavado/LinkFinderjsparser - similar to abovegobuster & recursebuster # recurse only does directory otxurls    echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvaultwaybackurls    echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing​

https://github.com/maK-/parameth

https://github.com/codingo/InterlaceInterlace #multithreads other tools    interlace -tL domains.txt -c "amass enum-d _target_" -o siubdomains.txt -threads 20LazyRecon #outofdate but still good baseline

https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

https://namechk.com/https://whatsmyname.app/