Skip to Content
Red Teaming01-Recon basic Infra Enum

🌐 Infrastructure Enumeration

[!TIP] Domain/infrastructure information extends beyond subdomains - it’s about mapping the entire Internet presence including certificates, DNS, cloud resources, and third-party services.


Certificate Transparency (crt.sh)

Certificate Transparency  logs enable verification of issued digital certificates. This is a goldmine for subdomain discovery.

TaskCommand
Basic Query (JSON)curl -s "https://crt.sh/?q=target.com&output=json" | jq
Unique SubdomainsSee below

Extract Unique Subdomains

curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Resolve Subdomains to IPs

# Generate subdomain list first, then: for i in $(cat subdomainlist); do host $i | grep "has address" | cut -d" " -f1,4 done

Feed IPs to Shodan

# Save IPs to file for i in $(cat subdomainlist); do host $i | grep "has address" | cut -d" " -f4 >> ip-addresses.txt done # Query Shodan for each IP for i in $(cat ip-addresses.txt); do shodan host $i done

📋 DNS Records

DNS records reveal critical infrastructure details about the target.

dig ANY target.com
Record TypePurposeWhat to Look For
AMaps domain to IPv4Target server IPs
AAAAMaps domain to IPv6IPv6 infrastructure
MXMail serverEmail provider (Google, O365, self-hosted)
NSName serversHosting provider identification
TXTVerification/securitySPF, DKIM, DMARC, third-party verifications
CNAMEAliasesSubdomain takeover candidates
SOAAuthority infoAdmin email, update frequency

TXT Record Security Components

ComponentRFCPurpose
SPF RFC 7208Authorized mail senders
DMARC RFC 7489Email authentication policy
DKIM RFC 6376Email signature verification

☁️ Cloud Resources

[!WARNING] Cloud provider infrastructure security ≠ secure company configurations. Misconfigurations are common!

Common Cloud Storage

ProviderServiceVulnerable Pattern
AWSS3 Buckets*.s3.amazonaws.com
AzureBlob Storage*.blob.core.windows.net
GCPCloud Storage*.storage.googleapis.com

Google Dorks for Cloud Discovery

# AWS S3 Buckets intext:companyname inurl:amazonaws.com intext:companyname inurl:s3.amazonaws.com site:s3.amazonaws.com "companyname" # Azure Blobs intext:companyname inurl:blob.core.windows.net site:blob.core.windows.net "companyname" # GCP Storage intext:companyname inurl:storage.googleapis.com

Specialized Tools

ToolPurpose
GrayHatWarfare Search exposed cloud storage
domain.glass Domain intelligence
Bucket Finder S3 bucket enumeration
cloud_enum Multi-cloud enumeration

🔍 Additional Reconnaissance

Target Website Source Code

  • View source for hardcoded endpoints, API keys, S3 URLs
  • Check JavaScript files for API endpoints
  • Look for development/staging URLs in comments
# Extract URLs from page source curl -s https://target.com | grep -oP 'https?://[^"]+' | sort -u # Find JS files and check for secrets curl -s https://target.com | grep -oE 'src="[^"]*.js"' | cut -d'"' -f2

Useful OSINT Resources

ResourceURLPurpose
crt.shhttps://crt.sh Certificate transparency
Shodanhttps://shodan.io Device/service search
Censyshttps://censys.io Internet-wide scanning
SecurityTrailshttps://securitytrails.com Historical DNS data
BuiltWithhttps://builtwith.com Technology profiling
Wayback Machinehttps://web.archive.org Historical snapshots

#cpts #recon #osint #infrastructure #cloud #dns

Last updated on