In this article, I will share a manual recon process that turns up juicy endpoints and can sometimes reveal a target's origin IP (the address sitting behind its CDN or WAF), both of which are useful when chaining findings into a more critical vulnerability.
Three services are used in this process:
1) VirusTotal.com
This service is widely used by recon tools such as Subfinder. Here we call its API directly with our own key to fetch a report for the domain.
URL:
https://www.virustotal.com/vtapi/v2/domain/report?domain=<domain>&apikey=<API_KEY>
Simply replace <domain> with your target and <API_KEY> with your own API key, and you're good to go. The report lists known URLs for the domain as well as its historical DNS resolutions, which is where origin-IP candidates come from. One caveat: this legacy v2 endpoint takes the key as a query parameter, so it ends up in your shell history and in any proxy or server logs along the way; the v3 equivalent, https://www.virustotal.com/api/v3/domains/<domain>, takes the key in an x-apikey header instead.
2) AlienVault.com (OTX)
This service is also well known in recon, but fewer people know it can be queried by hand. Here's how:
API endpoint:
https://otx.alienvault.com/api/v1/indicators/hostname/<DOMAIN>/url_list?limit=500&page=1
Just replace <DOMAIN> with your target hostname, and you're all set. limit=500 caps a page at 500 entries; increment page until the response stops returning new URLs.
Note: No API key is needed for this one!
3) URLScan.io
urlscan.io lets you search previous scans that involved the domain. Some features require a subscription, but the free plan still returns a lot of data.
API endpoint:
https://urlscan.io/api/v1/search/?q=domain:<DOMAIN>&size=10000
Again, replace <DOMAIN> with your target domain. Two things to keep in mind: domain:<DOMAIN> matches any scan in which that domain appeared, including scans of third-party pages that merely loaded a resource from it, so check each result's page.domain before treating its page.ip as the target's address; and when has_more is true in the response, fetch the next page by passing the last result's sort value as search_after.
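To show how the three responses fit together, here is an added example (my code for this article, not a tool from any of the three services) that builds the three request URLs, extracts URLs and IPs from each response, keeps only URLs under the target domain, buckets them by file type, and reports historical IPs that differ from what the name resolves to today. The VirusTotal key is read from a VT_API_KEY environment variable (an assumption, chosen so the key is not typed on the command line). The sample responses are constructed, not real scan data; they mirror the field names the three APIs use (VirusTotal v2 `resolutions`/`detected_urls`/`undetected_urls`, OTX `url_list[].result.urlworker.ip`, urlscan `results[].page.ip`), but verify them against a live response before relying on them.

```python
"""Merge VirusTotal, AlienVault OTX and urlscan.io responses into interesting
URLs and candidate origin IPs. Example code added to this article; the sample
responses are constructed and the VT_API_KEY variable is an assumption."""
import json
import os
import urllib.parse
import urllib.request
from collections import defaultdict

# File types worth a manual look once the URL list is assembled.
INTERESTING_SUFFIXES = (".js", ".json", ".txt", ".pdf", ".xml", ".env", ".bak", ".zip")


def recon_requests(domain):
    """The three endpoints from the article, with the target URL-encoded."""
    d = urllib.parse.quote(domain, safe="")
    key = urllib.parse.quote(os.environ.get("VT_API_KEY", ""), safe="")
    return {
        "virustotal": "https://www.virustotal.com/vtapi/v2/domain/report?domain=%s&apikey=%s" % (d, key),
        "alienvault": "https://otx.alienvault.com/api/v1/indicators/hostname/%s/url_list?limit=500&page=1" % d,
        "urlscan": "https://urlscan.io/api/v1/search/?q=domain:%s&size=10000" % d,
    }


def fetch_json(url):
    """Plain GET used only in a live run; the offline demo below never calls it."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def urls_from_virustotal(report):
    """v2 report: detected_urls are dicts, undetected_urls are positional lists."""
    urls = {e["url"] for e in report.get("detected_urls", []) if e.get("url")}
    urls.update(e[0] for e in report.get("undetected_urls", []) if e)
    return urls


def ips_from_virustotal(report):
    """Historical A-record resolutions VirusTotal has recorded for the domain."""
    return {r["ip_address"] for r in report.get("resolutions", []) if r.get("ip_address")}


def urls_from_otx(page):
    return {e["url"] for e in page.get("url_list", []) if e.get("url")}


def ips_from_otx(page):
    """OTX records the IP its URL worker contacted; result may be null."""
    ips = set()
    for e in page.get("url_list", []):
        ip = ((e.get("result") or {}).get("urlworker") or {}).get("ip")
        if ip:
            ips.add(ip)
    return ips


def urls_from_urlscan(resp):
    urls = set()
    for r in resp.get("results", []):
        for section in ("task", "page"):
            u = (r.get(section) or {}).get("url")
            if u:
                urls.add(u)
    return urls


def ips_from_urlscan(resp, domain):
    """page.ip is whatever served the page at scan time (often a CDN edge).
    The search also returns third-party scans, so require page.domain to match."""
    ips = set()
    for r in resp.get("results", []):
        page = r.get("page") or {}
        if page.get("ip") and page.get("domain") in (domain, None):
            ips.add(page["ip"])
    return ips


def triage_urls(urls, domain):
    """Keep URLs under the target domain and bucket them by file extension."""
    buckets = defaultdict(set)
    for u in urls:
        parsed = urllib.parse.urlsplit(u)
        host = parsed.hostname or ""
        if host != domain and not host.endswith("." + domain):
            continue  # third-party host that merely references the target
        for suffix in INTERESTING_SUFFIXES:
            if parsed.path.lower().endswith(suffix):
                buckets[suffix].add(u)
    return {k: sorted(v) for k, v in buckets.items()}


def candidate_origin_ips(historical_ips, current_ips):
    """Historical IPs that differ from today's resolution. Each still needs
    confirming (request the IP with the Host header set to the target), since
    old hosting, parking pages and former CDN edges show up here too."""
    return set(historical_ips) - set(current_ips)


# Constructed sample responses (not real data), trimmed to the fields used above.
VT_SAMPLE = {
    "resolutions": [{"ip_address": "203.0.113.7"}, {"ip_address": "198.51.100.20"}],
    "detected_urls": [{"url": "https://example.com/old/login.php"}],
    "undetected_urls": [["https://example.com/static/app.js", "<sha256>", 0, 70, "2023-01-01"]],
}
OTX_SAMPLE = {"url_list": [
    {"url": "https://example.com/docs/internal.pdf", "result": {"urlworker": {"ip": "198.51.100.20"}}},
    {"url": "https://cdn.example.com/assets/config.json", "result": None},
]}
URLSCAN_SAMPLE = {"results": [
    {"task": {"url": "https://example.com/robots.txt"},
     "page": {"url": "https://example.com/robots.txt", "domain": "example.com", "ip": "198.51.100.20"}},
    {"task": {"url": "https://evil.example.net/?ref=example.com"},
     "page": {"url": "https://evil.example.net/", "domain": "evil.example.net", "ip": "192.0.2.9"}},
]}


def run_offline_demo(domain="example.com", current_ips=("198.51.100.20",)):
    """current_ips would come from a live DNS lookup; here it is passed in."""
    urls = urls_from_virustotal(VT_SAMPLE) | urls_from_otx(OTX_SAMPLE) | urls_from_urlscan(URLSCAN_SAMPLE)
    ips = ips_from_virustotal(VT_SAMPLE) | ips_from_otx(OTX_SAMPLE) | ips_from_urlscan(URLSCAN_SAMPLE, domain)
    return triage_urls(urls, domain), candidate_origin_ips(ips, current_ips)


if __name__ == "__main__":
    buckets, origins = run_offline_demo()
    print(json.dumps(buckets, indent=2))
    print("origin candidates:", sorted(origins))
```

In a live run you would replace the three *_SAMPLE dicts with `fetch_json(recon_requests(target)[name])` for each service and pass the target's current A records as current_ips; the third-party urlscan result in the sample shows why filtering on page.domain matters before an IP is promoted to an origin candidate.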
Conclusion:
With the help of these three sources you can find JavaScript files, sensitive text files, PDFs with exposed information, and, from historical DNS resolutions, candidate origin IP addresses. Confirm a candidate before building on it: request the IP directly with the Host header set to the target and compare the response with the CDN-fronted site, since stale hosting and former CDN edges turn up in the same data.
If you have any doubts, feel free to DM me on LinkedIn or leave a comment below!