OSINT
Passive Recon
Collect public-facing data without touching the target: emails, subdomains, exposed services, and leaked credentials all show up here.
```bash
theHarvester -d <domain> -b all
shodan search hostname:<domain>
shodan host <IP>
```
Google Dorks
Narrow search results to find exposed files, admin panels, and credentials indexed by Google; adding a before: date filter surfaces older cached pages.
```
site:<domain> filetype:pdf
site:<domain> inurl:admin
site:<domain> "index of"
site:github.com <company> password
site:github.com <company> api_key
```
Certificate Transparency
CT logs record every publicly trusted certificate issued for a domain, so querying them is a reliable way to enumerate subdomains without ever contacting the target.
```bash
# -r prints the raw hostnames instead of JSON-quoted strings
curl -s "https://crt.sh/?q=<domain>&output=json" | jq -r '.[].name_value' | sort -u
```
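The jq one-liner above treats each name_value field as one string, but crt.sh packs all of a certificate's SANs into that field separated by newlines, so multi-name certificates are miscounted. The parser below is an added example (not part of the cheat sheet) that handles that case, normalises wildcards and case, and, from the defender's side, flags names that are not in a known inventory; the crt.sh records and KNOWN_HOSTS are constructed sample data for a hypothetical domain.

```python
import json

# Constructed sample in the shape of crt.sh's output=json records (three
# fields kept). A single record's name_value may carry several SANs separated
# by newlines, which the cheat sheet's `.[].name_value` treats as one string.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com",
     "not_before": "2024-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA",
     "name_value": "vpn-old.example.com\nWWW.EXAMPLE.COM",
     "not_before": "2023-06-15T00:00:00"},
])

# Hypothetical asset inventory: hosts the owner expects certificates for.
KNOWN_HOSTS = {"example.com", "www.example.com"}


def extract_names(crtsh_json):
    """Unique hostnames across all records, sorted.

    Splits multi-SAN name_value fields on newlines, lowercases, and strips
    the wildcard prefix so '*.dev.example.com' is recorded as 'dev.example.com'.
    """
    names = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host:
                names.add(host)
    return sorted(names)


def unexpected_names(crtsh_json, known_hosts):
    """Hosts with issued certificates that are absent from the inventory.

    Running this against your own domain is CT monitoring: an unknown name
    means forgotten infrastructure, shadow IT, or a mis-issued certificate.
    """
    return [n for n in extract_names(crtsh_json) if n not in known_hosts]


if __name__ == "__main__":
    print("\n".join(unexpected_names(SAMPLE_CRTSH_JSON, KNOWN_HOSTS)))
```

Feeding it the real crt.sh response instead of the sample only requires replacing SAMPLE_CRTSH_JSON with the body returned by the curl command above.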