Leet Sheet
Scour the Web

Google Fu

Subdomain Enumeration

<Keyword> <site name>

site:*.wikimedia.org

File Extensions

Find PHP (or any other file type), TXT and LOG files:

site:*.example.org ext:php | ext:txt | ext:log

Old Files

Old files (which haven't been deleted but are no longer in use) may be in Google's archives. Refer to OWASP testing guide v4's "Google Hacking" for more info.

Code Repositories

Look up the target on GitHub, GitLab, Bitbucket, etc.

Gitrob can be used to query GitHub from the command line and search for sensitive files across a specific organisation's repositories.

TruffleHog is a tool that searches for secrets; you can run it on the repositories you find.
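A minimal TruffleHog-style secret scan, added here as an illustration and not code from the Leet Sheet, TruffleHog or Gitrob: it combines fixed-format detectors (AWS access key IDs, private key headers) with a Shannon-entropy check over long base64-like tokens, and runs against a constructed in-memory "repository". The AWS key is the public AWS documentation example, and the entropy threshold is an assumed cutoff.

```python
import math
import re

# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS docs example key
        "DB_HOST = 'localhost'\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "README.md": "This project scrapes public data.\nBuild id: 00000000000000000000\n",
    "scripts/token.txt": "export API_TOKEN=q9Zt3vXp1Lm8Kd2Rw7Yb4Hn6Jc0Fs5Ga\n",
}

# Known-format detectors: secrets whose shape is fixed and cheap to match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Candidates for the entropy check: runs of 20+ base64-alphabet characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff, tune per code base


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, reason, token) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((path, line_no, name, m.group(0)))
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if any(pat.search(tok) for pat in PATTERNS.values()):
                continue  # already reported by a fixed-format detector
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy", tok))
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a {path: contents} mapping and collect all findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

The zero-filled build id shows why the entropy gate exists: it is long enough to be a candidate but too uniform to be a credential, so it is not reported.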

Cloud Storage

If you can find a company's cloud storage container (like an Amazon S3 bucket), then you might see interesting things there. They can be easy to misconfigure.

Info Gathering Services

Shodan

Ichidan

data.com

Hiring Platforms, Company page

Take a look at LinkedIn, and the company website's "Careers" page. You'll probably find:

  • technologies used by the company

  • employee names

Whois

Run a whois search to get a website owner's information:

  • Name

  • Email address

Search for these in password dumps and correlate them with admin accounts.

Ripe.net - whois

Internet.ee - whois for Estonian sites

Virustotal

Surprisingly, you can get a bunch of information from virustotal:

  • Subdomains

  • Scanned files

Go to "Search" on virustotal and search for the domain you care about.

Last updated 3 years ago