Google Dorking
- site:cat.com → will filter results only to show results for cat.com
- -www will exclude the subdomain
- ext:php → will show results based on extension of file
- inurl:login → will show results where login will be in the url
- intitle: will show us results of data in the title
- intext: Will show results based on whats in the page
- useful bits for bounty hunting
- start wide and start excluding some to narrow down
- look for files or URLs with parameters like ? and &
Certificate Transparency
-
-
The area in the yellow will show us the certificate data for the domain. in a chrome browser it looks like not sure about other browsers
-
Subfinder
- config file is super important it lets us use keys for tools we use
-
Shodan
- Gives a lot of good data so much so its hard to specify exactly. Might need to make a whole section in recon just to Shodan
- org: will search based on org ownership
- http.tittle: → will show us the title
- it has a CLI
- I will look at external learning on this tool
-
httpx
- cli tool
- you can use this to go over domains you have collected to collect more detailed information like status code, redirect information, etc. This will allow us to see which domains are more viable.
-
Port Scanning / NMAP
- finding open ports
-
Subfinder
- CLI tool will grab all subdomains
-
Massdns
- Cli tool that will take a domain list output like HTTPX
-
Tomorrow I am just going to finish of the recon section at hacking hub with the ffuf videos. I feel like most of this section is out of context or snippets from a larger video.