2. use the base domain to determine SSL/TLS organizational (O) strings and organizational unit (OU) strings -- you can use certificate transparency logs (https://www.certificate-transparency.org/), http://crt.sh, @censysio, https://transparencyreport.google.com/https/certificates …
3. determine DNS information derived from the base domain - items of note (A, AAAA, MX, NS, SPF, TXT, DKIM, SOA, CNAME, PTR) - more information here: https://www.farsightsecurity.com/txt-record/2017/12/01/stsauver-dnsrecords/ …
4. using the base domain, find all associated ASNs like this: `inurl:bgpview intext:@domain.com`
5. use the derived SSL O strings in @shodanhq to determine the top items (most used) for a given organization. for example, find the most common favicons: `shodan stats ssl:"o=blah" --facets http.favicon.hash`
use the returned hashes and pair them with items in this table (if they are documented): https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv …
there are some other useful facets as well: product, title, http.component, org, asn, vuln, etc.
6. once you've figured out the ASNs (earlier step), use them as a combined search to find odd or non-standard things: `shodan stats asn:1,2,3,4,5,6 --facets port` -- searches like this will highlight non-standard or low-count port utilization for a given organization
7. find goodies using the SSL/TLS strings you found before - example: `"o=blah" AND ldap OR "o=blah" AND emailaddress OR "o=blah" AND parsed.extensions.basic_constraints.is_ca: true` || h/t @censysio - do all these searches using the derived base domains too
8. reverse whois is a given (use the registrant email address), but also look for related domains using subsidiaries identified in filings (https://www.sec.gov/edgar/searchedgar/companysearch.html …), SOA pivots (other domains with the same SOA), SPF (same idea), AdSense IDs, etc.
keep in mind SSL/TLS certificates have these little gems called alt-DNS names (subjectAltName DNS entries), and the base O string will often be used to cut all certs for a given organization (including subsidiaries) -- so even if they use whoisprotect, etc., they still need to register that certificate
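As an added example (not part of the original thread), here is a small Python script that does the defender-side version of steps 2 and the closing note: take certificate transparency records for your own base domain, pull out the subject O/OU strings and every CN/SAN name on those certs, and flag names outside the base domain that share a certificate with it, which is exactly how a subsidiary or a whois-protected domain gets tied back to the organization. It assumes records shaped like crt.sh's JSON output (`issuer_name`, `common_name`, `name_value`) plus an assumed `subject_name` field you would fill in from the certificate itself, since the crt.sh list endpoint does not return the subject DN; the records in `SAMPLE_RECORDS` are constructed, not real lookups.

```python
"""Inventory the subject O/OU strings and DNS names that certificate
transparency records expose for a base domain.

Added example, not from the original thread. Records are assumed to be
shaped like crt.sh JSON output (issuer_name, common_name, name_value)
with an extra, assumed `subject_name` field holding the subject DN.
Every record below is a constructed sample."""
import re
from collections import Counter

# Constructed sample records for the fictitious base domain example.com.
SAMPLE_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "subject_name": "CN=www.example.com",            # DV cert: no O string
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "subject_name": "C=US, ST=California, L=San Jose, O=Example Corp, "
                     "OU=IT Operations, CN=vpn.example.com",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nmail.example.com\n*.corp.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "subject_name": "C=US, O=Example Corp, OU=Subsidiary Ltd, "
                     "CN=portal.subsidiary-example.net",
     "common_name": "portal.subsidiary-example.net",
     "name_value": "portal.subsidiary-example.net\nlegacy.example.com"},
]


def parse_dn(dn):
    """Parse an RFC 4514 style DN string into {attribute: value}.

    A comma escaped as "\\," is part of the value, not an RDN separator.
    Repeated attributes (several OUs) keep the first value; the multi-valued
    form "OU=a+OU=b" is not handled."""
    fields = {}
    for rdn in re.split(r"(?<!\\),\s*", dn):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        fields.setdefault(key.strip().upper(), value.replace("\\,", ",").strip())
    return fields


def under_domain(name, base_domain):
    """True if a (possibly wildcard) DNS name sits at or below base_domain."""
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]
    base = base_domain.lower()
    return host == base or host.endswith("." + base)


def inventory(records, base_domain):
    """Summarise what the CT records reveal about base_domain.

    Returns a tuple:
      org_counts    - Counter of subject O strings ("(no O)" for DV certs)
      names_by_org  - {O string: set of every CN/SAN name on those certs}
      foreign_names - names outside base_domain that share a certificate
                      with a base_domain name, i.e. related domains or
                      subsidiaries the certificate links to the organisation
    """
    org_counts = Counter()
    names_by_org = {}
    foreign_names = set()
    for rec in records:
        subject = parse_dn(rec.get("subject_name", ""))
        org = subject.get("O", "(no O)")
        names = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        names.add(rec["common_name"].strip().lower())
        org_counts[org] += 1
        names_by_org.setdefault(org, set()).update(names)
        ours = {n for n in names if under_domain(n, base_domain)}
        if ours and ours != names:
            foreign_names.update(names - ours)
    return org_counts, names_by_org, foreign_names


def top_facet(values, n=5):
    """Shodan-style facet: the n most common values with their counts."""
    return Counter(values).most_common(n)


if __name__ == "__main__":
    orgs, by_org, foreign = inventory(SAMPLE_RECORDS, "example.com")
    print("O strings seen:", orgs.most_common())
    for org, names in by_org.items():
        print(f"  {org}: {sorted(names)}")
    print("names outside example.com linked by a shared cert:", sorted(foreign))
    issuers = (parse_dn(r["issuer_name"]).get("O", "?") for r in SAMPLE_RECORDS)
    print("top issuers:", top_facet(issuers))
```

Run it against your own domain's crt.sh export and the `foreign_names` set is the list of names an outsider can already tie to your O string; anything there you did not expect (a subsidiary, an acquisition, a staging domain) is worth knowing about before someone else finds it.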