Asset Discovery
The idea here is to find as many assets related to a target as possible
-
We can start off by finding all the seed or root domains of the Organization.
-
Acquisitions are often an interesting way to expand our available assets if they are in Scope.
-
Find the ASNs (Autonomous system numbers) associated with a company, will help you find IPs owned by each company
-
Using reverse WHOIS will help you to search for other entries (organisation names, emails, domains...)
-
Ad/Analytics relationship tools can help you identify all the analytics and trackers being used by a domain, and help you to find some root and subdomains used.
-
Google-FU - You can find the copyright text, terms of service and privacy policy, digging these documents will help you again find seed domains
-
Use Shodan it's an infrastructure spider tool, it's more verbose than others, use
organdsslfilters to search for other assets (thesslthe trick can be done recursively).
Acquisitions
Acquisitions are often a new way to expand our available assets if they are in scope, we can investigate a company's acquisitions on sites like wikipedia.com, crunchbase.com and google
Use the below request to pull any stuff from the Crunchbase API
GET https://api.crunchbase.com/api/v4/entities/organizations/tesla-motors?card_ids=founders,raised_funding_rounds&field_ids=categories,short_description,rank_org_company,founded_on,website,facebook,created_at&user_key=INSERT_KEY_HERE
ASN discovery
Autonomous system numbers are given to large enough networks. These ASN's will help us track down some semblance of an entity's IT infrastructure. The most reliable way to get these is by using Hurricane electric internet network services https://bgp.he.net/
ASN Enumeration using the command line
Some automation is available to get ASNs. One such tool is the ‘net’ switch of Metabigor by j3ssiejjj which will fetch ASN data from a keyword from bgp.he.net and asnlookup.com
Another is ASNLookup by Yassine Aboukir which utilizes the maxmind.com dataset.
One problem with cmd line enumeration is that you could return records from another org on accident that contains the keyword ‘tesla’.
ASN Enumeration (with Amass)
For discovering more seed domains we want to scan the whole ASN with a port scanner and return any root domains we see in SSL certificates, etc.
We can do this with Amass intel
Amass is written by Jeff Foley and the Amass team.
amass intel -asn 46489
Reverse WHOIS (with Whoxy.com)
Every website has some registration info on file with the registrars. Two key pieces of data we can use are the Organization name and any emails in the WHOIS data. To do this you need access to a large WHOIS database. WHOXY.com is one such database.
You can use whoxy.com in this fashion after you register and your free API key:
Careful with reverse whois data as it is the least high-fidelity source of new root/seed domains. It might include many parked domains or redirects to out-of-scope assets.
Reverse WHOIS (with DOMLink)
DOMLink is a tool written by Vincent Yiu (@vysecurity) which will recursively query the WHOXY WHOIS API. It will start by querying our targets WHOIS record, then analyze all the data and look for other records which contain the organization name or are registered to emails in the record. It does this recursively until it finds no more records of match.
Ad/Analytics Relationships (builtwith.com)
You can also glean related domains and subdomains by looking at a target’s ad/analytics tracker codes. Many sites use the same codes across all their domains. Google analytics and New Relic codes are the most common. We can look at these “relationships” via a site called BuiltWith. Builtwith also has a Chrome and Firefox extension to do this on the fly.
BuiltWith is also a tool we’ll use to profile the technology stack of a target in later slides.
Ad/Analytics Relationships (getrelationship.py)
Want to do it on the command line?
@M4ll0k has you covered!
https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py
Google-Fu
You can Google the:
- Copyright text
- Terms of service text
- Privacy policy text
from a main target to glean related hosts on Google.
IP Address discovery(detailed)
Mxtoolbox: Bulk Domain/IP Lookup Tool
Mxtoolbox can perform bulk lookups for domains and IPs, providing information such as DNS records, MX records, and blacklist status.
Enter a list of domains to get their corresponding IP addresses and other details.
Domaintoipconverter: Bulk Domain to IP Converter
This tool converts multiple domain names into their corresponding IP addresses in bulk.
When provided with a list of target domains, a pentester can use this tool to swiftly acquire their IP addresses for further reconnaissance.
Massdns: A DNS Resolver Utility for Bulk Lookups
Massdns is a high-performance command-line DNS resolver capable of handling large volumes of DNS queries efficiently.
Pentesters can leverage Massdns to resolve large lists of domains to IP addresses, facilitating the identification of target infrastructure.
Googleapps Dig: Online Dig Tool by Google
Google’s online Dig tool provides a web-based interface for performing DNS lookups similar to the dig command.
A pentester can use this tool to manually query DNS records of specific domains, assisting in pinpointing IP addresses and verifying DNS configurations.
Domain Dossier: Investigate Domains and IP Addresses
Domain Dossier provides comprehensive reports on domains and IP addresses, including DNS records, Whois data, and network information.
Pentesters can use this tool to gather a detailed profile on target domains and IPs, aiding in the discovery of potential vulnerabilities.
Bgpview: Search ASN, IPv4/IPv6 or Resource Name
Bgpview allows users to search for Autonomous System Numbers (ASNs), IP addresses, and resource names to obtain detailed information.
Pentesters can input an IP address to find its ASN and associated network details, which is useful for understanding the target’s network topology.
Multiple Domain/IP Tools
Viewdns provides a suite of tools for DNS and IP address lookups, including reverse DNS and Whois lookups.
Pentesters can use tools like "Domain to IP" or "Reverse IP" to find IP addresses associated with domains and vice versa.
Ultratools ipv6Info: Information Related to IPv6 Address
Ultratools offers tools specifically designed for querying and analyzing IPv6 addresses.
Pentesters working with IPv6 environments can use this tool to obtain detailed information about IPv6 addresses.
Whois: Command Line Utility
The whois command retrieves registration details of domains and IP addresses.
A pentester can use whois to discover the registered owner of a domain or IP address, aiding in attribution and further reconnaissance.
ICANN Whois: Whois Service by ICANN
ICANN’s whois service provides detailed registration information for domains.Pentesters can use this service to obtain authoritative Whois information for target domains, helping to map ownership and related entities.
If you are looking for subdomain enumeration Please view the full guide here
Email discovery for a target
1. Hunter: Email Search for a Domain
Hunter allows you to find all email addresses associated with a particular domain. This is useful in a pentest for gathering potential targets for phishing or other social engineering attacks.
-
Go to Hunter.io
-
Enter the domain of the target company in the search bar.
-
Hunter will provide a list of email addresses associated with that domain, along with their sources and the confidence score of the email address being correct.
2. Skrapp: Browser Addon to Find Emails on LinkedIn
Skrapp is a browser extension that helps you find and extract email addresses from LinkedIn profiles. This is particularly useful for gathering information on employees of a target company.
-
Install the Skrapp extension from the Chrome Web Store.
-
Log in to your LinkedIn account and visit the profile of a target individual.
-
Click on the Skrapp icon in the browser toolbar to extract the email address.
[Skrapp Chrome Extension](Skrapp Chrome Extension)
3. Email Extractor: Chrome Extension to Extract Emails from Web Pages
Email Extractor is a Chrome extension that automatically extracts email addresses from the web pages you visit. This can be helpful for finding contact information on various pages of a target's website.
-
Install the Email Extractor extension from the Chrome Web Store.
-
Browse the target company's website.
-
The extension will automatically detect and list all email addresses found on each page you visit.
Email Extractor Chrome Extension
4. Convertcsv: Online Tool to Extract Email Addresses in Text, Web Pages, Data Files, etc.
Convertcsv.com provides tools to extract email addresses from various formats such as text files, web pages, and other data files. This is useful for processing large volumes of data to find email addresses.
-
Upload a file or paste text containing potential email addresses.
-
The tool will process the data and list all email addresses found.
Convertcsv.com Email Extractor
5. linkedin2username: OSINT Tool: Generate Username Lists for Companies on LinkedIn
linkedin2username is an OSINT tool that generates username lists based on employees' names from LinkedIn. These lists can be used to guess email addresses following common email formats (e.g., [email protected]).
-
Clone the repository from GitHub:
git clone https://github.com/initstring/linkedin2username -
Run the tool using Python:
python linkedin2username.py -c "Target Company" -
The tool will generate a list of possible usernames.
linkedin2username GitHub Repository
6. Office365UserEnum: Enumerate Valid Usernames from Office 365 Using ActiveSync
Office365UserEnum is a tool that enumerates valid usernames from Office 365 by leveraging the ActiveSync protocol. This can be useful to confirm which email addresses are valid for a domain.
-
Clone the repository from GitHub:
git clone https://github.com/Ridter/Office365UserEnum -
Use the tool with the following command:
python office365userenum.py -u username_list.txt -p password -d target_domain.com -
The tool will attempt to enumerate valid usernames.