Collect basic information about the domain
IP address lookup, WHOIS records, DNS records, ping, traceroute, nslookup.
Find out what technology was used to create the site: frameworks, JavaScript, libraries, analytics and tracking tools, widgets, payment systems, content delivery networks, etc.
Get a list of sites belonging to the same owner (having the same Yandex.Metrika and Google Analytics counter numbers, as well as other common identifiers)
Find sites with the same Facebook App ID
Map subdomains
Look for email addresses associated with the domain or subdomains
https://github.com/sharsil/mailcat
Download Meta
Download documents (PDF, docx, xlsx, pptx) from the site and analyze their metadata. This way you can find the names of the organization’s employees, user names in the system and emails.
https://github.com/laramies/metagoofil
https://github.com/ferreiraklet/Aline
Dorks
Use Google Dorks to look for database dumps, office documents, log files, and potentially vulnerable pages.
Look for old versions of the site in archives and search engine caches (sometimes this turns up owner addresses and contact information that have since been hidden from the site).
https://cipher387.github.io/quickcacheandarchivesearch/
Find out the approximate geographical location of the site
Source for more info:
https://threadreaderapp.com/user/cyb_detective