PRIMARY CATEGORY → OSINT
Subdomain Enumeration
Crt.sh
For a given domain, obtain every Common Name (CN) and Subject Alternative Name (SAN) appearing in certificates logged to Certificate Transparency. Caveats: crt.sh also returns expired certificates; to match subdomains rather than the exact name, query `q=%25.<DOMAIN>` (URL-encoded `%.`); `name_value` can contain several SANs, including names outside the target domain when a certificate is shared, and wildcard entries such as `*.<DOMAIN>`, which are not resolvable hostnames, so filter the list before feeding it to host or dig.
curl --silent --request GET --location "https://crt.sh?q=<DOMAIN>&output=json" | jq --raw-output '.[] | .common_name, .name_value' | sort -u
IP Addresses Extraction from Subdomains
Once the subdomains are gathered, use host or dig to get the IP addresses to which they resolve.
Crt.sh + Host
while IFS= read -r _domain ; do host "$_domain" ; done < <( curl --silent --request GET --location "https://crt.sh?q=<DOMAIN>&output=json" | jq --raw-output '.[] | .common_name, .name_value' | sort -u ) | awk '/<DOMAIN>.*has address/ {print $1,$4}'
Crt.sh + Dig
while IFS= read -r _domain ; do printf "%s %s\n" "$_domain" "$(dig "$_domain" A +short | paste -sd ' ' -)"; done < <( curl --silent --request GET --location "https://crt.sh?q=<DOMAIN>&output=json" | jq --raw-output '.[] | .common_name, .name_value' | sort -u )
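The one-liners above hand the raw jq output straight to host/dig, so out-of-scope SANs and wildcard entries go through unfiltered. The following is an added example (not from the original page) that does the scoping step explicitly before resolution: it takes crt.sh JSON, splits `name_value` on newlines, keeps only names under the target domain, drops wildcards, resolves A records and flattens the result into the unique IP list that the Shodan step consumes. The JSON input is a constructed sample in the shape crt.sh returns; the resolver is pluggable so the parsing logic can be tested offline.

```python
"""Scope crt.sh output to a target domain and resolve the in-scope hosts.

Added example, not code from the original page. Assumes the crt.sh JSON shape
used on the page (objects with "common_name" and "name_value" keys).
"""
import json
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample of what https://crt.sh/?q=%25.example.com&output=json returns.
# name_value may hold several SANs separated by "\n", including names outside the
# target domain (shared certificates) and wildcard entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",   "name_value": "*.example.com\nexample.com"},
    {"common_name": "WWW.Example.com", "name_value": "www.example.com"},
    {"common_name": "shared-cdn.net",  "name_value": "shared-cdn.net\nmail.example.com"},
    {"common_name": "notexample.com",  "name_value": "notexample.com"},
])


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it (match on a label boundary,
    so 'notexample.com' does not match 'example.com')."""
    return name == domain or name.endswith("." + domain)


def extract_hosts(crtsh_json: str, domain: str) -> List[str]:
    """Sorted, de-duplicated, lower-cased, in-scope, non-wildcard names from crt.sh JSON."""
    hosts: Set[str] = set()
    for entry in json.loads(crtsh_json):
        candidates = [entry.get("common_name", "")] + entry.get("name_value", "").split("\n")
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue  # wildcards are certificate identities, not resolvable hostnames
            if in_scope(name, domain):
                hosts.add(name)
    return sorted(hosts)


def resolve_a(name: str) -> List[str]:
    """Default resolver: IPv4 addresses via the system resolver (what `dig A +short` prints)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_hosts(hosts: Iterable[str],
                  resolver: Callable[[str], List[str]] = resolve_a) -> Dict[str, List[str]]:
    """Map each host to its A records; hosts that do not resolve keep an empty list so
    stale certificate names (NXDOMAIN) stay visible instead of silently disappearing."""
    return {h: resolver(h) for h in hosts}


def unique_ips(resolved: Dict[str, List[str]]) -> List[str]:
    """Flatten to the de-duplicated IP list that is then fed to `shodan host`."""
    return sorted({ip for ips in resolved.values() for ip in ips})


if __name__ == "__main__":
    # Live usage would replace SAMPLE_CRTSH_JSON with the body of the curl request.
    hosts = extract_hosts(SAMPLE_CRTSH_JSON, "example.com")
    resolved = resolve_hosts(hosts)
    for host, ips in resolved.items():
        print(host, " ".join(ips) or "-")
    print("\n".join(unique_ips(resolved)))
```

Write `unique_ips()` to a file and that file is the `<FILE>` expected by the Shodan loop in the next section; hosts that resolve to an empty list are worth a second look, since a name that appears in CT but no longer resolves is a common dangling-DNS/takeover lead.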
Information Extraction from IP Address
Shodan
IP Addresses from a File
Requires the Shodan CLI (`pip install shodan`) initialised with an API key via `shodan init <API_KEY>`; the file holds one IP address per line.
while IFS= read -r _ip ; do shodan host "$_ip" ; done < <FILE>