🚩
Practical CTF
BlogContact
  • 🚩Home - Practical CTF
  • 🌐Web
    • Enumeration
      • Finding Hosts & Domains
      • Masscan
      • Nmap
      • OSINT
    • Client-Side
      • Cross-Site Scripting (XSS)
        • HTML Injection
        • Content-Security-Policy (CSP)
      • CSS Injection
      • Cross-Site Request Forgery (CSRF)
      • XS-Leaks
      • Window Popup Tricks
      • Header / CRLF Injection
      • WebSockets
      • Caching
    • Server-Side
      • SQL Injection
      • NoSQL Injection
      • GraphQL
      • XML External Entities (XXE)
      • HTTP Request Smuggling
      • Local File Disclosure
      • Arbitrary File Write
      • Reverse Proxies
    • Frameworks
      • Flask
      • Ruby on Rails
      • NodeJS
      • Bun
      • WordPress
      • Angular
    • Chrome Remote DevTools
    • ImageMagick
  • 🔣Cryptography
    • Encodings
    • Ciphers
    • Custom Ciphers
      • Z3 Solver
    • XOR
    • Asymmetric Encryption
      • RSA
      • Diffie-Hellman
      • PGP / GPG
    • AES
    • Hashing
      • Cracking Hashes
      • Cracking Signatures
    • Pseudo-Random Number Generators (PRNG)
    • Timing Attacks
    • Blockchain
      • Smart Contracts
      • Bitcoin addresses
  • 🔎Forensics
    • Wireshark
    • File Formats
    • Archives
    • Memory Dumps (Volatility)
    • VBA Macros
    • Grep
    • Git
    • File Recovery
  • ⚙️Reverse Engineering
    • Ghidra
    • Angr Solver
    • Reversing C# - .NET / Unity
    • PowerShell
  • 📟Binary Exploitation
    • ir0nstone's Binary Exploitation Notes
    • Reverse Engineering for Pwn
    • PwnTools
    • ret2win
    • ret2libc
    • Shellcode
    • Stack Canaries
    • Return-Oriented Programming (ROP)
      • SigReturn-Oriented Programming (SROP)
      • ret2dlresolve
    • Sandboxes (chroot, seccomp & namespaces)
    • Race Conditions
  • 📲Mobile
    • Setup
    • Reversing APKs
    • Patching APKs
    • HTTP(S) Proxy for Android
    • Android Backup
    • Compiling C for Android
    • iOS
  • 🌎Languages
    • PHP
    • Python
    • JavaScript
      • Prototype Pollution
      • postMessage Exploitation
    • Java
    • C#
    • Assembly
    • Markdown
    • LaTeX
    • JSON
    • YAML
    • CodeQL
    • NASL (Nessus Plugins)
    • Regular Expressions (RegEx)
  • 🤖Networking
    • Modbus - TCP/502
    • Redis/Valkey - TCP/6379
  • 🐧Linux
    • Shells
    • Bash
    • Linux Privilege Escalation
      • Enumeration
      • Networking
      • Command Triggers
      • Command Exploitation
      • Outdated Versions
      • Network File Sharing (NFS)
      • Docker
      • Filesystem Permissions
    • Analyzing Processes
  • 🪟Windows
    • The Hacker Recipes - AD
    • Scanning/Spraying
    • Exploitation
    • Local Enumeration
    • Local Privilege Escalation
    • Windows Authentication
      • Kerberos
      • NTLM
    • Lateral Movement
    • Active Directory Privilege Escalation
    • Persistence
    • Antivirus Evasion
    • Metasploit
    • Alternate Data Streams (ADS)
  • ☁️Cloud
    • Kubernetes
    • Microsoft Azure
  • ❔Other
    • Business Logic Errors
    • Password Managers
    • ANSI Escape Codes
    • WSL Tips
Powered by GitBook
On this page
  • Account Finding
  • Certificate Transparency
  • Subdomains
  • Wildcards
  1. Web
  2. Enumeration

OSINT

Open Source INTelligence: Abusing public information

PreviousNmapNextClient-Side

Last updated 10 months ago

Account Finding

When you have a username of someone and want to find more information about that username, you can try to search for that username on different social media platforms. There are also a few tools that do this for you on a lot of websites quickly.

A popular CLI tool is , where you can simply provide a username and see all the accounts that were found:

$ sherlock USERNAME [USERNAMES ...]

Another tool I have found to be very useful is the following site:

The above web tool also shows some Google search results, as a bonus. These can be useful in finding more details about a username, and what it is associated with.

Certificate Transparency

Subdomains

gitbook.com subdomains
%.gitbook.com

Note that these queries can take some time, as there is a lot of data to query through. Just be a little patient with these services.

Wildcards

The Censys search tool linked above is really powerful. You only need to create a free account and then you can use Elasticsearch syntax to query all kinds of information about the certificates. Most often you're querying the domain name, and want to use the parsed.names keyword. After the colon, you can specify a string, maybe including wildcards, or even a regular expression:

Includes "verysecret"
parsed.names:/.*verysecret.*/

With these Regular Expressions (RegEx), you can query pretty much anything you want. You can also try to search for multiple strings with anything in between, and make sure "very" is the start of a word:

parsed.names:/.*\Wvery.*secret.*/

Certificate Transparency (CT) can be a useful tool as it provides a publicly accessible log of all issued SSL certificates for websites, including information about the domain names associated with the certificate. Some databases collect these logs and make them able to be queried, like or Censys:

Very often when setting up a new subdomain the owner will have to register a new certificate for it. This action is logged by the CT and can be looked up on websites such as . Simply put in a query with a % like in SQL as follows to get all the subdomains of a certain root domain:

🌐
crt.sh
crt.sh
sherlock
WhatsMyName Web
Username lookup site that requests over 500 sites in a few seconds
CensysCensys
The Certificate Transparency search page from Censys that allows complex queries
Logo