Account Finding

When you have a username of someone and want to find more information about that username, you can try to search for that username on different social media platforms. There are also a few tools that do this for you on a lot of websites quickly.

A popular CLI tool is sherlock, where you can simply provide a username and see all the accounts that were found:

$ sherlock USERNAME [USERNAMES ...]

Another tool I have found to be very useful is the following site:

The above web tool also shows some Google search results, as a bonus. These can be useful in finding more details about a username, and what it is associated with.

Certificate Transparency

Certificate Transparency (CT) can be a useful tool as it provides a publicly accessible log of all issued SSL certificates for websites, including information about the domain names associated with the certificate. Some databases collect these logs and make them able to be queried, like crt.sh or Censys:

Subdomains

Very often when setting up a new subdomain the owner will have to register a new certificate for it. This action is logged by the CT and can be looked up on websites such as crt.sh. Simply put in a query with a % like in SQL as follows to get all the subdomains of a certain root domain:

%.gitbook.com

Wildcards

The Censys search tool linked above is really powerful. You only need to create a free account and then you can use Elasticsearch syntax to query all kinds of information about the certificates. Most often you're querying the domain name, and want to use the parsed.names keyword. After the colon, you can specify a string, maybe including wildcards, or even a regular expression:

parsed.names:/.*verysecret.*/

With these Regular Expressions (RegEx), you can query pretty much anything you want. You can also try to search for multiple strings with anything in between, and make sure "very" is the start of a word:

parsed.names:/.*\Wvery.*secret.*/