Tactics, Techniques, and Procedures
Network Information

MITRE ATT&CK, Reconnaissance, Technique T1590


Last updated 1 year ago

DNS Information

Subdomain enumeration is the process of finding valid, resolvable subdomains for a company's domain(s). The more you can find, the more attack surface you have to work with.

Google Dork

site:*.$domain -www

Dome

# Passive subdomain enumeration
dome.py -m passive -d $domain

# Active enumeration
dome.py -m active -d $domain

Sublist3r

# Passively enumerate subdomains
sublist3r.py -d $domain

# Enumerate subdomains and utilize the 'brute force' module
sublist3r.py -b -d $domain

DNSRecon

# Enumerate subdomains
dnsrecon -d $domain

# Enumerate subdomains and perform a zone transfer
dnsrecon -a -d $domain

Amass

# Enumerate subdomains of the target domain (ASN and netblock discovery is handled by the separate 'amass intel' subcommand)
amass enum -d $domain

Gobuster

# Actively enumerate subdomains
gobuster dns --domain $domain --wordlist $wordlist
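
As an added example (not code from the original page or from any of the tools above), here is the core of what an active enumerator such as gobuster dns does, together with the wildcard-DNS check a practitioner needs: without it, a zone with a `*` record makes every wordlist entry look like a valid host. The resolver is injectable so the constructed zone below runs offline; the default resolver uses the OS stub resolver, and `example.test` with its addresses is made up.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Real lookups through the OS stub resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


# Constructed zone data for the offline demo; not real hosts or addresses.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "*.wild.example.test": ["198.51.100.1"],  # wildcard catch-all record
    "real.wild.example.test": ["198.51.100.7"],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Answers from CONSTRUCTED_ZONE, honouring a '*.parent' wildcard entry."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    parent = name.partition(".")[2]  # '' if there is no dot, which matches nothing
    return CONSTRUCTED_ZONE.get(f"*.{parent}")


def wildcard_records(domain: str, resolve: Resolver) -> Optional[List[str]]:
    """Probe a random label that cannot legitimately exist. If it resolves, the
    zone has a wildcard and every brute-forced candidate would look 'valid'."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")


def enumerate_subdomains(domain: str, words: List[str],
                         resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {fqdn: A records} for candidates that resolve to something other
    than the wildcard answer. Words are normalised and de-duplicated first."""
    wildcard = wildcard_records(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in dict.fromkeys(w.strip().lower() for w in words if w.strip()):
        records = resolve(f"{word}.{domain}")
        if records is None or records == wildcard:
            continue  # NXDOMAIN, or only the wildcard catch-all answering
        found[f"{word}.{domain}"] = records
    return found
```

Feeding the merged output of the passive tools above through `enumerate_subdomains` with the real resolver is a quick way to keep only names that actually resolve.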

IP Addresses

Hurricane Electric Internet Services

Hurricane Electric Internet Services is a fast way to identify what company owns what IP.

SecurityTrails

SecurityTrails is another good site for verifying IP addresses and netblocks belonging to an organization.

NetBlockTool

NetblockTool can be used to gather IP ranges, points of contact, and even netblocks belonging to your target's subsidiaries.

Basic usage

python3 NetblockTool.py -v [COMPANY]

Extract ranges owned by the target company's subsidiaries

python3 NetblockTool.py -v Company -s

References

DNS Information

  • Dome (GitHub, v4d1/Dome): Subdomain enumeration tool. Fast and reliable Python script that performs active and/or passive scans to obtain subdomains and search for open ports.
  • Sublist3r (GitHub, aboul3la/Sublist3r): Fast subdomain enumeration tool for penetration testers.
  • dnsrecon (GitHub, darkoperator/dnsrecon): DNS enumeration script.
  • Amass (GitHub, OWASP/Amass): In-depth attack surface mapping and asset discovery.
  • Gobuster (GitHub, OJ/gobuster): Directory/file, DNS and VHost busting tool written in Go.
  • crt.sh: Certificate Search.
  • DNSdumpster.com: DNS recon and research, find and lookup DNS records.

IP Addresses

  • Hurricane Electric Internet Services
  • NetblockTool: The Easy Way to Find IP Addresses Owned by a Company (NetSPI).
  • SecurityTrails: https://securitytrails.com
  • SecurityTrails blog, identifying the IP ranges a company owns: https://securitytrails.com/blog/identify-ip-ranges-company-owns