BugBounty tip: look for port 9200 (Elasticsearch), then use this extension to easily find the juicy stuff: https://chrome.google.com/webstore/detail/elasticsearch-head/ffmkiejjmecolpfloofpjologoblkegm?hl=en-US … Remember: http://Shodan.io is your friend and you can sort by organization using org:"Org Name" query.
Just found two amazing websites. 1) (link: https://inteltechniques.com/menu.html) inteltechniques.com/menu.html 2) (link: https://intelx.io) intelx.io These two will boost your recon. (link: https://intelx.io/) intelx.io keep records of all pastebin pastes which are indexed on google and those which are removed.
Sharing one of my secrets #BugBountyTip When discovering subdomains/domains/assets owned by a company, use the Google Analytics ID to expand your attack surface. The ID is in the HTML code. Reverse search then: http://site-overview.com/website-report-search/analytics-account-id/ID… RT once this helps!#bugbountytips #infosec
Find subdomains not using HTTPS site:http://example.com -inurl:https://