# Scour the Web

## Google Fu

### Subdomain Enumeration

\<Keyword> \<site name>

```
site:*.wikimedia.org 
```

### File Extensions

Find PHP (or any other file type), txt and log files:

```
site:*.example.org ext:php | ext:txt | ext:log
```

## Old Files

Old files (which haven't been deleted but are no longer in use) may be in Google's archives. Refer to the "Google Hacking" section of the OWASP Testing Guide v4 for more info.

## Code Repositories

Look up the target on GitHub, GitLab, Bitbucket, etc.

Gitrob can be used from the command line to query GitHub and search a specific organisation's repositories for sensitive files.

Trufflehog is a tool that searches for secrets; you can run it on the repos.

## Cloud Storage

If you can find a company's cloud storage container (like an Amazon S3 bucket), then you might see interesting things there. They can be easy to misconfigure.

## Info Gathering Services

Shodan

Ichidan

data.com

## Hiring Platforms, Company page

Take a look at LinkedIn, and the company website's "Careers" page. You'll probably find:

* technologies used by the company
* employee names

## Whois

Run a whois search to get a website owner's information:

* Name
* Email address

Search these in password dumps, correlate with admin accounts.

Ripe.net - whois\
Internet.ee - whois for Estonian sites

## Virustotal

Surprisingly, you can get a bunch of information from VirusTotal:

* Subdomains
* Scanned files

Go to "Search" on [VirusTotal](https://www.virustotal.com) and search for the domain you care about.
