#!/bin/bash
# a basic script to pull certificate-transparency entries from crt.sh and present the hostnames
# example: ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]]; then
    echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt-get install jq'"
    exit 1
fi
if ! command -v jq >/dev/null 2>&1; then
    echo "jq not found - install it with 'apt-get install jq'"
    exit 1
fi
# query every certificate issued for %.domain, keep the subject names (jq prints
# multi-name entries one per line), strip wildcard prefixes, dedupe, and save
# the result to a file named after the domain
curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$1"
If you can't get jq installed - try this script
Compare the subdomains found with theHarvester against the output of the crt.sh script, as some will be missing from each: not all subdomains have an SSL certificate.
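The same normalisation the jq/sed/sort pipeline does, plus the comparison against a theHarvester list, as an added Python example (not the page's script and not theHarvester's code); the crt.sh JSON and the host list are constructed samples, and the newline-separated name_value entries are the case a hand-rolled parser has to split explicitly.

```python
import json

# Constructed sample of a crt.sh "output=json" response for %.example.com (not real
# data). A single name_value may hold several names separated by "\n".
CRT_SH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nAPI.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.example.com"},  # repeated entry, as crt.sh often returns
])

# Constructed list in the shape theHarvester prints: some overlap with crt.sh,
# plus one host that has no certificate and so never appears in CT logs.
HARVESTER_SAMPLE = ["www.example.com", "mail.example.com", "intranet.example.com"]


def crtsh_names(raw_json, domain):
    """Split each name_value on newlines, drop the '*.' wildcard prefix,
    lowercase, and keep only names under the queried domain (deduplicated)."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def compare_sources(crt_names, harvester_names):
    """Report what only crt.sh found and what only theHarvester found, so the
    gaps of either source do not silently drop hosts from the inventory."""
    crt = set(crt_names)
    harv = {n.strip().lower() for n in harvester_names}
    return {"only_crtsh": sorted(crt - harv), "only_harvester": sorted(harv - crt)}


if __name__ == "__main__":
    found = crtsh_names(CRT_SH_SAMPLE, "example.com")
    print("\n".join(found))
    print(compare_sources(found, HARVESTER_SAMPLE))
```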
IP addresses from subdomains
Use Virustotal to find subdomains
You can also play about with a nice entity diagram.
FireFox addon - passive recon
Google hacking
Also check out document metadata; it gives information such as where the document was stored (network share IP address), who created it, what it was created with, etc.
Social Media Search
Search for people on social media
Recon
A giant inventory of recon tools is available via the Skip Tracing Framework
Examples:
site:offsecnewbie.com doctype:docx
inurl:/etc/passwd%00 intext:root
Also check out document metadata, i.e. the document creator, where it was stored, that it was created with Office 2010, that it was saved on a particular network share (e.g. its IP address).