Network Information
MITRE ATT&CK, Reconnaissance, Technique T1590
DNS Information
Subdomain enumeration is the process of finding valid, resolvable subdomains of a company's domain(s). The more you can find, the more you can hack.
Google Dork
site:*.$domain -www
Dome
# Passive subdomain enumeration
dome.py -m passive -d $domain
# Active enumeration
dome.py -m active -d $domain
Sublist3r
# Passively enumerate subdomains
sublist3r.py -d $domain
# Enumerate subdomains and utilize the 'brute force' module
sublist3r.py -b -d $domain
DNSRecon
# Enumerate subdomains
dnsrecon -d $domain
# Enumerate subdomains and perform a zone transfer
dnsrecon -a -d $domain
Amass
# Enumerate subdomains (amass enum; ASN and netblock lookups are done with amass intel)
amass enum -d $domain
Gobuster
# Actively enumerate subdomains
gobuster dns --domain $domain --wordlist $wordlist
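All of the tools above emit their findings in slightly different formats, and the definition at the top of this section is what matters in the end: names that are in scope and actually resolve. The following is an added example, not code from any of the tools listed: it merges constructed sample output from them, normalises and de-duplicates the names, drops wildcards and out-of-scope lookalikes, and keeps only the names a resolver answers for (the resolver is injectable so the check can be run against a stub offline).

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample output mimicking the mixed formats the tools above print:
# gobuster prefixes hits with "Found: ", sublist3r/amass print bare names,
# some sources emit trailing dots, upper case, wildcards or lookalike domains.
SAMPLE_TOOL_OUTPUT = """\
Found: dev.example.com
mail.example.com
MAIL.example.com.
*.staging.example.com
Found: api.example.com
evil.example.com.attacker.test
www.example.com
"""

# One or more DNS labels followed by a TLD; rejects stray tool text.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def normalize_candidates(raw: str, domain: str) -> List[str]:
    """Merge raw tool output into a sorted, de-duplicated, in-scope name list."""
    seen = set()
    for line in raw.splitlines():
        name = line.strip().removeprefix("Found: ").rstrip(".").lower()
        if name.startswith("*."):  # a wildcard record is not a concrete host
            name = name[2:]
        if not HOSTNAME_RE.match(name):
            continue
        if name != domain and not name.endswith("." + domain):
            continue  # out of scope, e.g. a lookalike under another TLD
        seen.add(name)
    return sorted(seen)


def resolvable(names: Iterable[str], resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return only the names the resolver answers for, mapped to their address."""
    return {n: addr for n in names if (addr := resolve(n))}


def default_resolve(name: str) -> Optional[str]:
    """Live A-record lookup via the standard library; None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    candidates = normalize_candidates(SAMPLE_TOOL_OUTPUT, "example.com")
    print(resolvable(candidates, default_resolve))
```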
IP Addresses
Hurricane Electric Internet Services
Hurricane Electric Internet Services is a fast way to identify which company owns which IP ranges.
SecurityTrails
SecurityTrails is another good site for verifying IP addresses and netblocks belonging to an organization.
NetBlockTool
NetblockTool can be used to gather IP ranges, points of contact, and even netblocks belonging to your target's subsidiaries.
# Basic usage
python3 NetblockTool.py -v [COMPANY]
# Extract ranges owned by the target company's subsidiaries
python3 NetblockTool.py -v [COMPANY] -s