Network Information

DNS Information

Subdomain enumeration is the process of finding valid resolvable subdomains for a companies domain(s). The more you can find, the more you can hack.

Google Dork

site:*.$domain -www)

Dome

# Passive subdomain enumeration
dome.py -m passive -d $domain

# Active enumeration
dome.py -m active -d $domain

GitHub - v4d1/Dome: Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.GitHub

Sublist3r

GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testersGitHub

DNSRecon

GitHub - darkoperator/dnsrecon: DNS Enumeration ScriptGitHub

Amass

GitHub - owasp-amass/amass: In-depth attack surface mapping and asset discoveryGitHub

Gobuster

GitHub - OJ/gobuster: Directory/File, DNS and VHost busting tool written in GoGitHub

IP Addresses

Hurricane Electric Internet Services

Hurricane Electric Internet Services is a fast way to identify what company owns what IP

SecurityTrails

SecurityTrails Another good site for verifying IP addresses and netblocks belonging to an organization

NetBlockTool

NetblockTool can be used to gather IP ranges, points of contact, and even netblocks belonging to your target’s subsidiaries

Basic usage

Extract ranges owned by the target company’s subsidiaries

References

NetblockTool: The Easy Way to Find IP Addresses Owned by a CompanyNetSPI

References

DNS Information

SecurityTrails | SecurityTrails: Data Security, Threat Hunting, and Attack Surface Management Solutions for Security Teamssecuritytrails

crt.sh | Certificate Searchcrt.sh

DNSDumpster - Find & lookup dns records for recon & researchDNSDumpster.com

IP Addresses

NetblockTool: The Easy Way to Find IP Addresses Owned by a CompanyNetSPI