look for different asns
    http://bgp.he.net 
        prefixes v4
        presents different IP ranges inside the CIDR notation
whois -h whois.cymru.com $(dig +short tesla.com) #finds CIDR notation for tesla.com - finds ip address for website
careful not to pick up shared hosting 
amass
find subdomains for each of of these ASNs
amass intel -asn 123456
#find more details about ip ranges/countries etc
whois.arin.net
ripe.net
shodan.io
    org:"Tesla"
    #maybe some false positives

Find different attack surfaces which other people might not have discovered, ie from acquisitions
Wikipedia
    search for subsiduries
Crunchbase.com
    search for org
        look for acquisitions
Owler.com
    search for org
        look for acquisitions
Acquiredby.co
    search for org
        acquisitions
LinkedIn
    affiliated pages or similiar pages
Reversewhois
    amass intel -d tesla.com -whois
Builtwith
    Relationship Profile
        look for anaylitical codes under ID # google tracking codes that are linked to different sites
GoogleDorks
    intext:"copyright tesla motors"
ShodanDorks
    http.favicon.hash:81586312 # Jenkins favicon hash
        can narrow it down after that
        

https://github.com/tomnomnom/assetfinder/
    assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
    setup config.ini file get access to a lot more data than baseline tool
subfinder # not used much but has a few extra sources
    subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
    https://github.com/subfinder/goaltdns 
 massdns
 #download all.txt
     sed -e 's/$/.tesla.com/' -i all.txt #adds tesla.com to start of each line - overrides file
     massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
     #massdns much faster than gobuster but can get you blacklisted from dns resolovers - a lot of false positives and negatives 
rapid 7 fdns
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
    pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.org\"," | jq -r '.name'
certstream
    certstream | grep -E "\.tesla\.com$"
    #Real-time certificate transparency log update stream

builtwith.com
whatweb #follows redirection http-->https
massscan & nmap
    masscan -p1-65535 $(dig +short tesla.com) --rate 1000

shodan dork
    org:"Tesla"
    ssl:"Tesla" #accurate and can prove ownership to organisation 
    ssl:"Tesla" http.component:"Drupal"
    ssl:"Tesla" http.title:"Login"
censys.io
    443.https.tls.certificate.parsed.subject.organizational_unit: Tesla Motors
github dork
    "tesla.com" password
    "tesla.com" key
    "tesla.com" api
https://github.com/condingo/dorky #automate the dorking process - tool to be released
​

Burpcrawler
    crawl site
Linkfinder https://github.com/GerbenJavado/LinkFinder
jsparser - similar to above
gobuster & recursebuster # recurse only does directory 
otxurls
    echo "www.tesla.com" | otxurls | head -n 300 #attempts to find urls within alienvault
waybackurls
    echo "www.tesla.com" | waybackurls | head -n 300 #similar to above, you can get parameters back which can be useful when fuzzing
​

https://github.com/maK-/parameth

https://github.com/codingo/Interlace
Interlace #multithreads other tools
    interlace -tL domains.txt -c "amass enum-d _target_" -o siubdomains.txt -threads 20
LazyRecon #outofdate but still good baseline

https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/