• Discovering subdomains related to the target organisation

  • Gathering publicly available information about a host and IP addresses

  • Finding email addresses related to the target

  • Discovering login credentials and leaked passwords

  • Locating leaked documents and spreadsheets


In a red team operation, we might start with no more than a company name, from which we need to start gathering information about the target. The more we know about our target’s infrastructure and people, the better we can orchestrate our attacks.


Use from these, but choose wisely: be quiet, keep the noise down.