Identify Technologies

Being able to identify what you are targeting is critical if you want to succeed. This can range from what CMS a website is using, to where a site is hosted, to what potential targets are ‘hidden’ behind an ADFS server.

Netblocks

| Blocks | URL |
|---|---|
| Azure Public | https://www.microsoft.com/en-us/download/details.aspx?id=56519 |
| Azure US Gov | http://www.microsoft.com/en-us/download/details.aspx?id=57063 |
| Azure Germany | http://www.microsoft.com/en-us/download/details.aspx?id=57064 |
| Azure China | http://www.microsoft.com/en-us/download/details.aspx?id=57062 |
| AWS | https://ip-ranges.amazonaws.com/ip-ranges.json |
| GCP | http://www.gstatic.com/ipranges/cloud.json |

Can be automated with https://github.com/oldrho/ip2provider.
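As an added example (not from the original page and not ip2provider's code), the following Python attributes an address to a provider using the schemas of the published range files, which is also useful for inventorying your own external footprint. The sample data is constructed from documentation address ranges, and the function names `load_prefixes` and `identify` are assumptions.

```python
import ipaddress
import json

# Constructed samples in the schema of each provider's published file.
# The CIDRs are documentation ranges, not real provider netblocks.
AWS_SAMPLE = json.loads("""{"prefixes": [
  {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"}],
  "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:a::/48", "region": "eu-west-1", "service": "S3"}]}""")
GCP_SAMPLE = json.loads("""{"prefixes": [
  {"ipv4Prefix": "198.51.100.0/24", "service": "Google Cloud", "scope": "us-central1"},
  {"ipv6Prefix": "2001:db8:b::/48", "service": "Google Cloud", "scope": "europe-west1"}]}""")
AZURE_SAMPLE = json.loads("""{"cloud": "Public", "values": [
  {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
   "addressPrefixes": ["203.0.113.0/24", "2001:db8:c::/48"]}}]}""")


def load_prefixes(aws, gcp, azure):
    """Flatten the three schemas into (network, provider, label) tuples."""
    rows = []
    for p in aws.get("prefixes", []) + aws.get("ipv6_prefixes", []):
        cidr = p.get("ip_prefix") or p.get("ipv6_prefix")
        rows.append((cidr, "AWS", f'{p["service"]}/{p["region"]}'))
    for p in gcp.get("prefixes", []):
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        rows.append((cidr, "GCP", p.get("scope", "")))
    for tag in azure.get("values", []):  # Azure service tags file
        for cidr in tag["properties"]["addressPrefixes"]:
            rows.append((cidr, "Azure", tag["name"]))
    return [(ipaddress.ip_network(c), prov, label) for c, prov, label in rows]


def identify(ip, table):
    """Return (provider, label, cidr) for the most specific match, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [row for row in table
            if row[0].version == addr.version and addr in row[0]]
    if not hits:
        return None
    # The AWS file lists overlapping ranges (a broad AMAZON entry plus
    # per-service entries), so prefer the longest matching prefix.
    net, provider, label = max(hits, key=lambda row: row[0].prefixlen)
    return provider, label, str(net)


if __name__ == "__main__":
    table = load_prefixes(AWS_SAMPLE, GCP_SAMPLE, AZURE_SAMPLE)
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8:c::5", "10.0.0.1"):
        print(ip, identify(ip, table))
```

To run it against live data, replace the samples with the parsed contents of the files linked in the table above.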

Microsoft Products

| Notes | URL |
|---|---|
| Find out what ADFS is used to authenticate to | https://adfs.domain.tld/adfs/ls/idpinitiatedsignon.aspx |
| Show information about O365/hybrid configs | https://login.microsoftonline.com/getuserrealm.srf?login=user@targetdomain.com&xml=1 |
| Show information disclosed from autodiscover | https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/user@targetdomain.com?Protocol=autodiscoverv1 |

G-Suite Usage

You can identify whether a valid e-mail address uses G-Suite by trying to authenticate to it.

invalid

valid

AWS Usage

Look for content being pulled from S3 buckets.

https://[bucketname].s3.amazonaws.com
https://s3-[region].s3.amazonaws.com/[OrgName]

Box.com

Look for any login portal at https://companyname.account.box.com

If so, try dorking them for cached content.

Website

External services

| Service | Info |
|---|---|
| builtwith | Find out what websites are Built With |

Browser plugins

| Service | Info |
|---|---|
| Wappalyzer | Uncovers technologies used on websites |