Discovering subdomains related to the target organisation
Gathering publicly available information about a host and IP addresses
Finding email addresses related to the target
Discovering login credentials and leaked passwords
Locating leaked documents and spreadsheets
In a red team operation, we might start with no more than a company name, from which we need to start gathering information about the target. The more we know about our target’s infrastructure and people, the better we can orchestrate our attacks.
Use from these, but choose wisely: be quiet, keep the noise down.
Falconry (in “In”)
Lay of the land (in “In”)