- robots.txt
- security.txt
- check for directory listing on every discovered path
- fuzz common directories
- vhost enumeration via Host headers: first request the target with a random Host to capture the default/catch-all response, then diff candidate names against it, e.g.
curl -H "Host: {{random}}" http://{{targetIP}}/
- request the default HTTP and TLS vhosts, e.g. browse to the server's IP address directly over both http and https; the catch-all site is often a different (older or internal) app
- inspect the TLS certificate's Subject Alternative Names (SANs) for additional hostnames
- inspect response headers (Server, X-Powered-By, Via, Set-Cookie and anything that names a backend)
- continuously hit load balancers to see other hosts behind them; watch Server, Set-Cookie and any backend-id headers change between responses, e.g.
while true; do curl {{loadBalancerURI}}; done
- check TXT records (SPF, DMARC and verification tokens often name third-party providers) via
dig -t txt {{domain}}
- zone transfer, tried against every authoritative nameserver since the policy is per server, via
dig axfr @{{nameserver}} {{domain}}
- check for internal zones as well via zone transfer, e.g. int.{{domain}}
- check BIND version using
dig @{{nameserver}} version.bind txt chaos
- search for public repos of the org AND of its users (personal repos of staff often leak internal code and config)
- show the author names and emails used within a repo (run inside the clone; --all covers every branch):
git shortlog --summary --numbered --email --all
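Added example, not part of the original notes: a bash helper that scripts the Host-header vhost enumeration, the TLS SAN check and the per-nameserver zone transfer and version.bind checks listed above. It assumes curl, dig and OpenSSL 1.1.1 or newer (for `x509 -ext`) are installed; the URL, domain and wordlist are supplied as arguments, and the helper names (`san_names`, `axfr_ok`, `vhost_differs`, `probe_host`) are my own, not a standard tool's.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes curl, dig and
# OpenSSL >= 1.1.1 (for `x509 -ext`). Helper names are my own.
set -u

# ---- pure helpers (no network; these are what a test can exercise) ----

# Reduce an openssl subjectAltName line such as
#   DNS:www.example.com, DNS:api.example.com, IP Address:203.0.113.5
# to one DNS name per line (IP entries are dropped).
san_names() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# dig prints ";; XFR size: N records ..." only when the server served the
# zone; a refusal shows "; Transfer failed." instead.
axfr_ok() {
  printf '%s\n' "$1" | grep -q '^;; XFR size:'
}

# "status size" pairs: a different status or body size for a candidate Host
# than for a random Host means the header selected another virtual host.
vhost_differs() {   # $1 = baseline "status size", $2 = candidate "status size"
  [ "$1" != "$2" ]
}

# ---- network steps ----

# Status code and body size for one Host header value (TLS name mismatch is
# ignored with -k because we deliberately connect to the IP, not the cert's name).
probe_host() {      # $1 = URL, $2 = Host header value
  curl -sk -o /dev/null -w '%{http_code} %{size_download}' -H "Host: $2" "$1"
}

# Baseline with a random Host, then report every wordlist entry that differs.
vhost_enum() {      # $1 = URL (e.g. https://203.0.113.5/), $2 = domain, $3 = wordlist
  local rnd base word r
  rnd=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  base=$(probe_host "$1" "$rnd.$2")
  echo "baseline (Host: $rnd.$2): $base"
  while read -r word; do
    [ -n "$word" ] || continue
    r=$(probe_host "$1" "$word.$2")
    vhost_differs "$base" "$r" && echo "HIT $word.$2 -> $r"
  done < "$3"
}

# SANs from the certificate a host presents when asked for it via SNI.
tls_sans() {        # $1 = host, $2 = port
  san_names "$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | sed -n '2p')"
}

# TXT records, then AXFR and version.bind against each authoritative NS
# (transfer policy is per server, so one server refusing proves nothing).
dns_checks() {      # $1 = domain
  local ns out
  dig +short -t txt "$1"
  for ns in $(dig +short -t ns "$1"); do
    out=$(dig axfr "$1" @"$ns")
    if axfr_ok "$out"; then printf 'AXFR allowed on %s\n%s\n' "$ns" "$out"
    else echo "AXFR refused on $ns"; fi
    printf 'version.bind on %s: ' "$ns"; dig +short @"$ns" version.bind txt chaos
  done
}

# Usage: ./recon.sh vhosts https://203.0.113.5/ example.com words.txt
#        ./recon.sh sans www.example.com 443
#        ./recon.sh dns example.com
case "${1:-}" in
  vhosts) vhost_enum "$2" "$3" "$4" ;;
  sans)   tls_sans "$2" "${3:-443}" ;;
  dns)    dns_checks "$2" ;;
esac
```

Feed the SANs, TXT-record hostnames and any AXFR results back into the vhost wordlist; they are the best candidates. Comparing status and body size against the random-Host baseline gives false positives on pages with dynamic content (nonces, timestamps), so re-request a hit a couple of times before trusting it.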