# Network Information

## DNS Information

Subdomain enumeration is the process of finding valid, resolvable subdomains for a company's domain(s). The more you can find, the more you can hack.

### Google Dork

```bash
site:*.$domain -www
```

### Dome

```bash
# Passive subdomain enumeration
dome.py -m passive -d $domain

# Active enumeration
dome.py -m active -d $domain
```

{% embed url="<https://github.com/v4d1/Dome>" %}

### Sublist3r

```bash
# Passively enumerate subdomains
sublist3r.py -d $domain

# Enumerate subdomains and utilize the 'brute force' module
sublist3r.py -b -d $domain
```

{% embed url="<https://github.com/aboul3la/Sublist3r>" %}

### DNSRecon

```bash
# Enumerate subdomains
dnsrecon -d $domain

# Enumerate subdomains and perform a zone transfer
dnsrecon -a -d $domain
```

{% embed url="<https://github.com/darkoperator/dnsrecon>" %}

### Amass

```bash
# Enumerate subdomains of the target domain
amass enum -d $domain
```

{% embed url="<https://github.com/OWASP/Amass>" %}

### Gobuster

```bash
# Actively enumerate subdomains
gobuster dns --domain $domain --wordlist $wordlist
```

{% embed url="<https://github.com/OJ/gobuster>" %}

## IP Addresses

### Hurricane Electric Internet Services

[Hurricane Electric Internet Services](https://bgp.he.net) is a fast way to identify which company owns which IP.

### SecurityTrails

[SecurityTrails](https://securitytrails.com) is another good site for verifying IP addresses and netblocks belonging to an organization.

### NetBlockTool

[NetblockTool](https://github.com/NetSPI/NetblockTool) can be used to gather IP ranges, points of contact, and even netblocks belonging to your target's subsidiaries.

Basic usage:

```bash
python3 NetblockTool.py -v [COMPANY]
```

Extract ranges owned by the target company's subsidiaries:

```bash
python3 NetblockTool.py -v Company -s
```

### References

{% embed url="<https://www.netspi.com/blog/technical/network-penetration-testing/netblocktool>" %}

{% embed url="<https://securitytrails.com/blog/identify-ip-ranges-company-owns>" %}

## References

#### DNS Information

{% embed url="<https://securitytrails.com>" %}

{% embed url="<https://crt.sh>" %}

{% embed url="<https://dnsdumpster.com>" %}

#### IP Addresses

{% embed url="<https://www.netspi.com/blog/technical/network-penetration-testing/netblocktool/>" %}
