Infrastructure Intelligence

Reconnaissance

Infrastructure intelligence reveals the target's technical footprint: IP ranges, hosting providers, exposed services, technology stacks, and potential entry points. Everything in this section is gathered through passive reconnaissance, using third-party data sources rather than traffic sent to the target itself.

Search Engine APIs

Shodan, Censys, and similar services continuously index the whole internet. Querying their APIs returns data about exposed services without sending a single packet to the target, which makes them ideal for passive reconnaissance.

Tool Installation

Shodan CLI (Search)

Command-line interface for the Shodan search engine.

Installation

```bash
pip install shodan && shodan init YOUR_API_KEY
```

Censys CLI (Search)

CLI for Censys internet-wide scanning data.

Installation

```bash
pip install censys && censys config
```

Httpx (Probing)

Fast HTTP probing tool for identifying live hosts.

Installation

```bash
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
```

WhatWeb (Tech)

Next generation web scanner for identifying technologies.

Installation

```bash
gem install whatweb
```

Wappalyzer (Tech)

Technology profiler that identifies software on websites.

Installation

```bash
npm i -g wappalyzer
```

waybackurls (History)

Fetch URLs from the Wayback Machine for a domain.

Installation

```bash
go install github.com/tomnomnom/waybackurls@latest
```

Shodan Search Engine

shodan-search.sh

```bash
# Initialize Shodan CLI with API key
shodan init YOUR_API_KEY

# Search by hostname/domain
shodan search "hostname:target.com"
shodan search "ssl:target.com"
shodan search "ssl.cert.subject.cn:target.com"

# Search by organization
shodan search "org:Target Company"
shodan search 'org:"Target Company Inc"'

# Search by IP
shodan host 192.168.1.1
shodan search "net:192.168.1.0/24"

# Filter by product/service
shodan search "hostname:target.com product:nginx"
shodan search "hostname:target.com port:443"
shodan search "hostname:target.com http.title:login"

# Find vulnerable services
shodan search "hostname:target.com vuln:CVE-2021-44228"  # Log4j
shodan search "hostname:target.com has_vuln:true"

# Export results
shodan search "hostname:target.com" --fields ip_str,port,org --separator ,
shodan download results "hostname:target.com"   # writes results.json.gz
shodan parse --fields ip_str,port results.json.gz

# Useful Shodan Dorks
# RDP: "port:3389 !open"
# VNC: "port:5900 authentication disabled"
# MongoDB: "product:MongoDB"
# Elasticsearch: "port:9200 indices"
# Jenkins: "X-Jenkins" OR "jenkins"
# Kubernetes: "product:kubernetes"
```

Censys Search

censys-search.sh

```bash
# Configure Censys CLI (prompts for API ID and secret)
censys config

# Search by domain/hostname
censys search "services.tls.certificates.leaf_data.names: target.com"
censys search "dns.names: target.com"

# Search by organization
censys search "autonomous_system.name: Target Company"

# Search by IP
censys search "ip: 192.168.1.1"
censys view 192.168.1.1 --at-time 2024-01-01

# Find specific services
censys search "services.service_name: HTTP AND dns.names: target.com"
censys search "services.port: 22 AND dns.names: target.com"

# Certificate search (certificates index instead of the default hosts index)
censys search "parsed.subject_dn: target.com" --index-type certs

# Export results as JSON
censys search "dns.names: target.com" --output results.json

# Python API example
python3 << 'EOF'
from censys.search import CensysHosts

h = CensysHosts()  # credentials from CENSYS_API_ID/CENSYS_API_SECRET or `censys config`
# search() yields one page (a list of host documents) per iteration,
# so iterate the page before reading individual hosts
for page in h.search("services.http.response.headers.server: nginx", per_page=100, pages=1):
    for host in page:
        print(host["ip"])
EOF
```
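The two sections above produce exports in different shapes: the Shodan CLI emits one `ip_str,port,org` row per match, while the Censys Python client returns host documents with a nested `services` list. The following added example (not part of the original cheat sheet, and not Shodan's or Censys' own tooling) normalises both into a single exposure list and triages it against an approved-exposure baseline, which is how a defender turns these search engines into an external attack-surface monitor. The sample rows and records are constructed and use RFC 5737 documentation addresses; `HIGH_RISK_PORTS` is an assumption derived from the dork list above.

```python
"""Triage Shodan/Censys search results against an approved-exposure baseline.

Added example, not from the original page. Input shapes assumed:
  - Shodan: rows from `shodan search ... --fields ip_str,port,org --separator ,`
  - Censys: host documents as yielded by CensysHosts().search()
"""
import csv
import io
from dataclasses import dataclass

# Services from the page's dork list that should normally never face the internet
# (assumption: adjust to your own policy).
HIGH_RISK_PORTS = {3389: "RDP", 5900: "VNC", 27017: "MongoDB", 9200: "Elasticsearch"}

# Constructed sample data (documentation ranges, not real hosts).
SHODAN_CSV = """198.51.100.10,443,Example Corp
198.51.100.10,3389,Example Corp
198.51.100.22,9200,Example Corp
"""
CENSYS_RECORDS = [
    {"ip": "198.51.100.10", "services": [{"port": 443, "service_name": "HTTP"},
                                          {"port": 22, "service_name": "SSH"}]},
    {"ip": "198.51.100.30", "services": [{"port": 27017, "service_name": "MONGODB"}]},
]
# What the asset owner has signed off as intentionally exposed.
APPROVED = {("198.51.100.10", 443), ("198.51.100.10", 22)}


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    service: str
    source: str


def parse_shodan_csv(text: str) -> list[Exposure]:
    """Parse Shodan CLI CSV rows (no header row); skip anything without a numeric port."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue
        port = int(row[1])
        out.append(Exposure(row[0].strip(), port, HIGH_RISK_PORTS.get(port, "unknown"), "shodan"))
    return out


def parse_censys_hosts(records: list[dict]) -> list[Exposure]:
    """Flatten Censys host documents (ip + services[].port/service_name) into exposures."""
    out = []
    for rec in records:
        for svc in rec.get("services", []):
            out.append(Exposure(rec["ip"], int(svc["port"]),
                                svc.get("service_name", "unknown"), "censys"))
    return out


def triage(exposures: list[Exposure], allowlist: set) -> dict[str, list[Exposure]]:
    """Deduplicate by (ip, port) across sources, then bucket as approved / high_risk / unreviewed."""
    seen: dict = {}
    for e in exposures:
        seen.setdefault((e.ip, e.port), e)  # first source wins
    result = {"approved": [], "high_risk": [], "unreviewed": []}
    for (ip, port), e in sorted(seen.items()):
        if (ip, port) in allowlist:
            result["approved"].append(e)
        elif port in HIGH_RISK_PORTS:
            result["high_risk"].append(e)
        else:
            result["unreviewed"].append(e)
    return result


def run_triage() -> dict[str, list[Exposure]]:
    """Run the pipeline over the constructed samples."""
    return triage(parse_shodan_csv(SHODAN_CSV) + parse_censys_hosts(CENSYS_RECORDS), APPROVED)


if __name__ == "__main__":
    for bucket, items in run_triage().items():
        for e in items:
            print(f"{bucket:10} {e.ip}:{e.port} {e.service} (via {e.source})")
```

Anything that lands in `high_risk` or `unreviewed` is a ticket: either the exposure is legitimate and the allowlist is updated, or the service is removed from the edge. Re-running the same query on a schedule and diffing the result is the cheapest form of continuous external monitoring these APIs offer.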

ASN & IP Intelligence

asn-intelligence.sh

```bash
# Find organization's ASN
# Method 1: BGPView API
curl -s "https://api.bgpview.io/search?query_term=Target+Company" | jq

# Method 2: Hurricane Electric BGP Toolkit
# https://bgp.he.net - search by company name

# Get IP prefixes for ASN
curl -s "https://api.bgpview.io/asn/12345/prefixes" | jq '.data.ipv4_prefixes[].prefix'

# WHOIS on IP address
whois 192.168.1.1
whois -h whois.arin.net 192.168.1.1  # ARIN
whois -h whois.ripe.net 192.168.1.1  # RIPE

# Get CIDR range
whois 192.168.1.1 | grep -E "NetRange|CIDR|inetnum"

# ASN lookup tools
# Team Cymru: whois.cymru.com
echo "192.168.1.1" | nc whois.cymru.com 43

# IPinfo.io API
curl "https://ipinfo.io/192.168.1.1?token=YOUR_TOKEN"

# AbuseIPDB - check IP reputation
curl "https://api.abuseipdb.com/api/v2/check?ipAddress=192.168.1.1" \
  -H "Key: YOUR_KEY" -H "Accept: application/json"

# Scan entire ASN
# List all IPs then probe (-sL only lists targets, it sends no probes)
curl -s "https://api.bgpview.io/asn/12345/prefixes" | \
  jq -r '.data.ipv4_prefixes[].prefix' | \
  while read -r prefix; do
    nmap -sL "$prefix" | grep "Nmap scan report"
  done
```

Technology Stack Detection

tech-detection.sh

```bash
# WhatWeb - comprehensive web scanner
whatweb https://target.com
whatweb -v https://target.com  # Verbose
whatweb -a 3 https://target.com  # Aggressive mode
whatweb --log-json=output.json https://target.com

# Wappalyzer CLI
wappalyzer https://target.com

# BuiltWith API
curl "https://api.builtwith.com/v20/api.json?KEY=xxx&LOOKUP=target.com"

# Httpx - HTTP toolkit with tech detection
httpx -u https://target.com -tech-detect
httpx -l subdomains.txt -tech-detect -json -o tech.json

# Nuclei with tech detection
nuclei -u https://target.com -t technologies/

# Manual header analysis
curl -sI https://target.com | grep -E "Server|X-Powered-By|X-Generator|X-AspNet"

# Check common files for stack detection
curl -s https://target.com/robots.txt
curl -s https://target.com/sitemap.xml
curl -s https://target.com/wp-admin/  # WordPress
curl -s https://target.com/administrator/  # Joomla
curl -s https://target.com/.well-known/security.txt
```
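The manual header check above is worth automating on the defensive side: the same `Server`, `X-Powered-By` and `X-AspNet-Version` headers that fingerprint a target are the ones an operator should be stripping or genericising on their own edge. The following added example (not from the page or from any of the tools it lists) parses a raw response head as `curl -sI` prints it and reports which fingerprint headers are present and which of them disclose a version number. The two sample responses are constructed; the list of headers to inspect is the one used in the grep above plus `X-AspNetMvc-Version`, which is an assumption.

```python
"""Flag version-disclosing response headers in a raw HTTP response head.

Added example, not part of the original page. Input is the status line plus
headers as printed by `curl -sI`; sample responses below are constructed.
"""
import re

# Headers that identify the stack; matched case-insensitively (RFC 9110 header names).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-generator",
                       "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample: a chatty origin vs. one that only exposes generic values.
CHATTY_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/8.1.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)
QUIET_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_head(raw: str) -> dict[str, str]:
    """Return headers keyed by lower-cased name; the status line is skipped."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_findings(headers: dict[str, str]) -> list[dict]:
    """One finding per fingerprint header present, noting any version string it leaks."""
    findings = []
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            versions = VERSION_RE.findall(headers[name])
            findings.append({"header": name, "value": headers[name],
                             "versions": versions, "leaks_version": bool(versions)})
    return findings


def leaked_versions(raw: str) -> list[str]:
    """Convenience wrapper: the version strings a response head gives away."""
    return [v for f in fingerprint_findings(parse_head(raw)) for v in f["versions"]]


if __name__ == "__main__":
    for label, head in (("chatty", CHATTY_HEAD), ("quiet", QUIET_HEAD)):
        print(label, fingerprint_findings(parse_head(head)))
```

Run it against your own hosts' responses (saved `curl -sI` output works as-is) and treat every `leaks_version: True` as a hardening item: `server_tokens off` in nginx, `ServerTokens Prod` in Apache, or removing `X-Powered-By` at the application layer.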

Historical Data & Wayback Machine

wayback-osint.sh

```bash
# waybackurls - fetch historical URLs
waybackurls target.com > historical_urls.txt
waybackurls target.com | sort -u > unique_urls.txt

# Filter interesting patterns
waybackurls target.com | grep -E "\?.*=" > params.txt
waybackurls target.com | grep -E "\.js$" > js_files.txt
waybackurls target.com | grep -E "api|admin|config" > interesting.txt

# Wayback Machine CDX API
curl "http://web.archive.org/cdx/search/cdx?url=target.com/*&output=text&fl=original&collapse=urlkey"

# Get specific snapshot
curl "http://web.archive.org/web/20230101000000/https://target.com/"

# Check changes over time
# Use diff between snapshots to find removed content

# gau (GetAllUrls) - multiple sources
gau target.com
gau --providers wayback,commoncrawl,otx target.com

# Common Crawl search
curl "http://index.commoncrawl.org/CC-MAIN-2024-10-index?url=target.com/*&output=json"

# Check for exposed files in history
waybackurls target.com | grep -E "\.(sql|bak|backup|config|env|log)$"
waybackurls target.com | grep -E "password|secret|api_key|token"
```

Cloud Infrastructure Enumeration

cloud-enum.sh

```bash
# Identify cloud provider from IP
# AWS IP ranges: https://ip-ranges.amazonaws.com/ip-ranges.json
# Azure IP ranges: Published in Service Tags
# GCP IP ranges: Published in cloud.json

# Check if hosting is cloud
curl -s "https://ipinfo.io/192.168.1.1" | jq '.org'

# S3 bucket enumeration
# Common patterns: target.com, target-backup, target-dev, target-prod
aws s3 ls s3://target --no-sign-request 2>/dev/null

# Azure blob enumeration
curl -s "https://target.blob.core.windows.net/container?restype=container&comp=list"

# GCP bucket enumeration
curl -s "https://storage.googleapis.com/target/"

# Cloud metadata endpoints (if SSRF found)
# AWS: http://169.254.169.254/latest/meta-data/
# Azure: http://169.254.169.254/metadata/instance?api-version=2021-02-01
# GCP: http://metadata.google.internal/computeMetadata/v1/

# Cloud enumeration tools
# cloud_enum: https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k target

# S3Scanner
s3scanner scan --bucket target-bucket

# AWSBucketDump
python AWSBucketDump.py -l buckets.txt
```
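Both the ASN section and the "identify cloud provider from IP" step above come down to the same operation: testing an address against lists of prefixes. The following added example (not from the page and not from BGPView or AWS) does that attribution offline with the standard `ipaddress` module, using the two response shapes the page queries: BGPView's `/asn/<asn>/prefixes` (`data.ipv4_prefixes[].prefix`) and the AWS `ip-ranges.json` feed (`prefixes[].ip_prefix` with `service` and `region`). The feeds below are constructed stand-ins built from documentation ranges; replace them with the real API responses. For a defender the useful output is `unattributed()`: addresses that appear in scan results but belong to none of your known ranges.

```python
"""Attribute IPs to an organisation's ASN prefixes or to AWS service ranges.

Added example, not part of the original page. Feed shapes mirror
api.bgpview.io/asn/<asn>/prefixes and ip-ranges.amazonaws.com/ip-ranges.json;
the sample feeds are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
from typing import Optional

# Constructed stand-in for a BGPView prefix response.
BGPVIEW_SAMPLE = {"data": {"ipv4_prefixes": [
    {"prefix": "198.51.100.0/24", "name": "EXAMPLE-NET"},
    {"prefix": "203.0.113.0/25", "name": "EXAMPLE-DC"},
]}}

# Constructed stand-in for ip-ranges.json. As in the real feed, the AMAZON entry
# is a superset of the more specific per-service entries.
AWS_SAMPLE = {"prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/26", "region": "us-east-1", "service": "EC2"},
]}


def load_org_prefixes(bgpview_json: dict) -> list:
    """Networks announced by the organisation's ASN."""
    return [ipaddress.ip_network(p["prefix"]) for p in bgpview_json["data"]["ipv4_prefixes"]]


def load_aws_prefixes(aws_json: dict) -> list:
    """(network, service, region) triples from the AWS feed."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
            for p in aws_json["prefixes"]]


def classify(ip: str, org_nets: list, aws_nets: list) -> dict:
    """Attribute one address; the most specific AWS prefix wins over the AMAZON superset."""
    addr = ipaddress.ip_address(ip)
    org: Optional[str] = next((str(n) for n in org_nets if addr in n), None)
    matches = sorted((m for m in aws_nets if addr in m[0]),
                     key=lambda m: m[0].prefixlen, reverse=True)
    cloud = None
    if matches:
        net, service, region = matches[0]
        cloud = {"provider": "aws", "service": service, "region": region, "prefix": str(net)}
    return {"ip": ip, "org_prefix": org, "cloud": cloud,
            "attributed": org is not None or cloud is not None}


def unattributed(ips: list, org_nets: list, aws_nets: list) -> list:
    """Addresses that match neither the ASN inventory nor a known cloud range."""
    return [ip for ip in ips if not classify(ip, org_nets, aws_nets)["attributed"]]


def demo() -> dict:
    """Classify a constructed batch of observed addresses against the sample feeds."""
    org = load_org_prefixes(BGPVIEW_SAMPLE)
    aws = load_aws_prefixes(AWS_SAMPLE)
    observed = ["198.51.100.77", "192.0.2.5", "192.0.2.200", "203.0.113.200"]
    return {ip: classify(ip, org, aws) for ip in observed}


if __name__ == "__main__":
    for ip, info in demo().items():
        print(ip, info["org_prefix"], info["cloud"], "attributed" if info["attributed"] else "UNKNOWN")
```

To use the real feeds, load them with `json.load()` from the URLs the page gives; the AWS feed is public, and the Azure Service Tags and GCP `cloud.json` files can be mapped into the same `(network, service, region)` shape.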

SSL/TLS Certificate Analysis

ssl-analysis.sh

```bash
# OpenSSL certificate inspection (-noout suppresses re-printing the PEM block)
openssl s_client -connect target.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -text

# Extract specific fields
openssl s_client -connect target.com:443 < /dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates

# Get certificate chain
openssl s_client -showcerts -connect target.com:443 < /dev/null

# SSL Labs API
curl "https://api.ssllabs.com/api/v3/analyze?host=target.com"

# Testssl.sh - comprehensive SSL testing
testssl.sh https://target.com

# Check for alternate names (SANs)
echo | openssl s_client -connect target.com:443 2>/dev/null | \
  openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

# Certificate transparency for discovery (see Domain OSINT)
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
```
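The `openssl x509 -noout -text` output and the crt.sh JSON above are easy to read by eye but awkward to act on at scale. The following added example (not from the page, OpenSSL or crt.sh) parses a certificate's text dump into subject, issuer, validity window and SAN list, computes how long it has left, and flattens crt.sh `name_value` entries (which can carry several newline-separated names per record) into the same deduplicated list that `jq ... | sort -u` produces. The certificate text and crt.sh records below are constructed samples in the real output formats; the 30-day warning threshold is an assumption.

```python
"""Parse `openssl x509 -noout -text` output and crt.sh JSON into actionable data.

Added example, not part of the original page. Sample inputs are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed fragment in the layout OpenSSL prints (only the fields parsed here).
CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example CA, CN = Example CA R1
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 23:59:59 2024 GMT
        Subject: CN = target.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:target.com, DNS:www.target.com, DNS:api.target.com
"""

# Constructed records in the shape crt.sh returns with output=json.
CRT_SH_RECORDS = [
    {"name_value": "target.com\nwww.target.com"},
    {"name_value": "api.target.com"},
    {"name_value": "*.target.com"},
]

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jan  1 00:00:00 2024 GMT"


def parse_cert_text(text: str) -> dict:
    """Extract issuer, subject, validity and DNS SANs from OpenSSL's text dump."""
    def field(label: str) -> str:
        m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+)$", text, re.M)
        if not m:
            raise ValueError(f"missing field: {label}")
        return m.group(1).strip()

    sans = []
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if m:
        sans = [e.strip()[4:] for e in m.group(1).split(",") if e.strip().startswith("DNS:")]
    return {
        "subject": field("Subject"),
        "issuer": field("Issuer"),
        "not_before": datetime.strptime(field("Not Before"), OPENSSL_DATE).replace(tzinfo=timezone.utc),
        "not_after": datetime.strptime(field("Not After"), OPENSSL_DATE).replace(tzinfo=timezone.utc),
        "sans": sans,
    }


def cert_status(info: dict, now: datetime, warn_days: int = 30) -> tuple:
    """('expired' | 'expiring' | 'ok', whole days remaining) relative to `now`."""
    days_left = (info["not_after"] - now).days
    if now > info["not_after"]:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def crt_sh_names(records: list) -> list:
    """Flatten crt.sh name_value fields (newline-separated) into a sorted, unique list."""
    names = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            if name.strip():
                names.add(name.strip().lower())
    return sorted(names)


def unexpected_sans(info: dict, known_hosts: set) -> list:
    """SANs on the certificate that are not in the inventory of hosts you expect to serve."""
    return sorted(set(info["sans"]) - known_hosts)


if __name__ == "__main__":
    info = parse_cert_text(CERT_TEXT)
    print(info["subject"], info["sans"], cert_status(info, datetime.now(timezone.utc)))
    print(crt_sh_names(CRT_SH_RECORDS))
```

Feed it the output of the `openssl` pipeline above for each host in your inventory; `unexpected_sans()` catches certificates that quietly name hosts nobody registered, and `cert_status()` gives the expiry warning that an outage-driven renewal would otherwise provide.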

External Resources