IP Discovery
ASN Mapping:
- `amass intel -asn 12345` (Find all IP ranges owned by the organization).
IP Ownership Verification:
- `while read -r ip; do whois "$ip" > "whois_$ip.txt"; done < ips.txt` (Verify IPs belong to the client, not a hosting provider/CDN).
Record Analysis:
- SPF/DMARC: Check for misconfigurations allowing email spoofing.
- Zone Transfers: Test via `dig axfr @ns1.example.com example.com`.
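Added example, not part of these notes: a small checker for the SPF/DMARC weaknesses mentioned above. It takes the raw TXT record strings (e.g. the output of `dig +short txt example.com` and `dig +short txt _dmarc.example.com`) and reports the settings that let spoofed mail through; the sample records at the bottom are constructed.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = re.compile(r"^(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def assess_spf(record):
    """Return a list of findings for one SPF TXT record ('' or None = no record)."""
    if not record:
        return ["SPF missing: receivers cannot verify which hosts may send"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["Not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted hosts default to neutral")
    elif all_term in ("all", "+all"):
        findings.append("'+all': any host on the internet may send as this domain")
    elif all_term == "?all":
        findings.append("'?all': neutral result, no enforcement")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERMS.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: permerror")
    return findings


def assess_dmarc(record):
    """Return a list of findings for one DMARC TXT record ('' or None = no record)."""
    if not record:
        return ["DMARC missing: SPF/DKIM failures are never acted on"]
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["Not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy p={policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are unenforced")
    return findings


if __name__ == "__main__":  # constructed sample records
    for rec in ["v=spf1 include:_spf.example.com +all", "v=spf1 mx a -all", ""]:
        print("SPF ", repr(rec), assess_spf(rec))
    for rec in ["v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"]:
        print("DMARC", repr(rec), assess_dmarc(rec))
```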
Domain Discovery
Basics
```bash
dig www.company.com +short
whois 10.0.0.0
while read -r ip; do whois "$ip" > "whois_$ip.txt"; done < ips.txt
nslookup
```
DNSRecon https://github.com/darkoperator/dnsrecon
```bash
# DNS reverse lookup of all of the addresses in a range
dnsrecon -r [IP] -n [nameserver]
# Using Facebook's DNS
dnsrecon -d facebook.com -r 157.240.221.35/24
# Using Cloudflare's DNS
dnsrecon -r 157.240.221.35/24 -n 1.1.1.1
# Using Google's DNS
dnsrecon -r 157.240.221.35/24 -n 8.8.8.8
```
Subfinder
```bash
# Find all subdomains
subfinder -d example.com -o subdomains.txt
```
AssetFinder
```bash
# Find all subdomains
assetfinder --subs-only example.com >> subdomains.txt
```
Amass
`amass enum -active -d example.com` (Leverages DNS zone transfers if misconfigured)
DNSScan (old) https://github.com/rbsec/dnscan
```bash
./dnscan.py -d www.company.com -w subdomains-100.txt
dnscan.py -d dev-%%.example.org
```
- SubDomainizer & subscraper: They scrape the web looking for JS files and extract subdomains from them.
```bash
# Get only subdomains from SubDomainizer
python3 SubDomainizer.py -u https://tesla.com | grep tesla.com
# Get only subdomains from subscraper; this already performs recursion over the found results
python subscraper.py -u tesla.com | grep tesla.com | cut -d " " -f

# Get domains from the free crt.sh API
crt(){
  curl -s "https://crt.sh/?q=%25.$1" \
    | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
    | sort -u
}
crt tesla.com
```
- gau: fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
- theHarvester:
```bash
theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"
```
Links
MxToolbox https://mxtoolbox.com/DNSLookup.aspx
Shodan https://www.shodan.io
PTR record archives https://ptrarchive.com/
Crunchbase https://www.crunchbase.com/