Domain & IP Enumeration
Domains
A domain, in the context of networking and cybersecurity, is an area of the internet that's controlled by a specific entity or organization. It's most commonly understood as the part of a website's URL that identifies it uniquely on the web. For instance, in the URL "www.example.com," "example.com" is the domain. Domains are organized in a hierarchical structure with top-level domains (TLDs) like ".com", ".org", ".net", etc., at the top, followed by second-level domains (like "example" in "example.com"), and potentially further subdivisions.
Domains are essential for the functioning of the internet, providing human-readable addresses for websites and services. They play a crucial role in cybersecurity, as understanding and managing the domain landscape of an organization is key to securing its digital presence and assets.
DNS and Domain Information
Whois Lookup - Retrieves crucial registration details about a domain, including the owner's contact info, registration date, and registrar.
# Fetch registration details for example.com
whois example.com
Robtex - Provides DNS and network information, including shared hosting and reverse DNS.
MXToolbox - Offers a suite of network diagnostic tools, including DNS checks, MX record lookups, and blacklist checks.
ViewDNS.info - Provides a range of DNS and networking tools, including reverse Whois, IP location, and DNS report.
DNSstuff - Offers a comprehensive set of tools for DNS and network diagnostics, including DNS report, WHOIS lookup, traceroute, and more.
DNSViz - A tool for visualizing the status of a DNS zone. It's particularly useful for diagnosing DNSSEC issues but provides a detailed representation of any domain's DNS.
DomainTools - Provides comprehensive information about domains, including current and historical WHOIS records, reverse WHOIS, IP tools, and more.
IntoDNS - Checks the health and configuration of DNS and provides a detailed report of any found problems or issues.
DNSQuery - A suite of tools for querying the DNS and other network diagnostics.
Subdomain Enumeration
Sublist3r - Enumerates subdomains using search engines and various services.
# Enumerates subdomains of example.com
sublist3r -d example.com
# Enumerates subdomains and scans for open ports 80 and 443
sublist3r -d example.com -p 80,443
# Enumerates subdomains using the Bing search engine
sublist3r -d example.com -e Bing
# Saves the enumerated subdomains to output.txt
sublist3r -d example.com -o output.txt
# Runs in verbose mode providing detailed information
sublist3r -v -d example.com
DNSdumpster - Discovers DNS servers, MX records, and subdomains related to a domain.
Amass - Uses a variety of techniques including querying public data sources and passive DNS to enumerate subdomains. While it can perform active scanning, it also has a passive mode that strictly uses external data sources.
# This command runs Amass in passive mode to enumerate subdomains of example.com.
amass enum --passive -d example.com
ThreatCrowd - A search engine for threats, providing data on domains, IPs, and more, including subdomains.
Spyse - Collects data about internet assets, including a comprehensive list of subdomains for a given domain.
Domain Certificate Enumeration
crt.sh - A search engine for certificates: it lets you look up SSL/TLS certificates issued for a given domain or IP address by querying the public Certificate Transparency logs.
SSL Certificates Chain Checker (SSL Labs) - This tool by Qualys SSL Labs checks the validity and chain of trust of SSL/TLS certificates for a domain.
CertSpotter - CertSpotter monitors Certificate Transparency logs to notify you when new certificates are issued for your domains, helping detect misissued certificates and prevent phishing.
Google's Certificate Transparency - Google's Certificate Transparency project aims to fix structural flaws in the SSL certificate system by providing an open framework for monitoring and auditing SSL certificates.
OpenSSL - A robust, full-featured open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Among many other things, it can be used for certificate enumeration.
# Connects to the specified domain and retrieves the SSL/TLS certificate.
openssl s_client -showcerts -connect example.com:443
# Retrieves the validity dates of the domain's SSL/TLS certificate.
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Displays the serial number of the domain's certificate (echo closes stdin so s_client exits instead of waiting for input).
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -serial
# Shows who issued the domain's SSL/TLS certificate.
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer
# Verifies a certificate (example.pem) against a specific Certificate Authority (ca.pem).
openssl verify -CAfile ca.pem example.pem
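The Certificate Transparency lookups described above (crt.sh, CertSpotter) return every certificate ever logged for a domain; turning that into an inventory means deduplicating SANs, stripping wildcard labels, keeping only names that really belong to the domain, and spotting certificates that have expired. The following Python is an added example, not code from this page or from crt.sh: it works on a constructed sample in the shape of crt.sh's JSON output (the `name_value`, `issuer_name`, `not_after` and `id` fields) and uses a hypothetical fixed reference time so it runs offline.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); these are not real log entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2026-03-01T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "old-vpn.example.com",
     "name_value": "old-vpn.example.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2023-05-30T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev.example.com",
     "name_value": "DEV.example.com\nexample.com.evil-lookalike.net",
     "not_before": "2025-06-01T00:00:00", "not_after": "2025-08-30T23:59:59"},
])

def normalize(name: str) -> str:
    """Lower-case a SAN and drop a leading wildcard label ("*.")."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name

def in_scope(name: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain. A naive substring
    match would also accept lookalikes such as example.com.evil-lookalike.net."""
    name = normalize(name)
    return name == domain or name.endswith("." + domain)

def enumerate_ct(crtsh_json: str, domain: str, now_iso: str):
    """Return (sorted unique in-scope hostnames, set of issuer DNs, ids of expired certs).
    now_iso is a hypothetical reference time so the check is reproducible offline."""
    now = datetime.fromisoformat(now_iso)
    hosts, issuers, expired = set(), set(), []
    for entry in json.loads(crtsh_json):
        # name_value carries every SAN of the certificate, newline-separated
        for raw in entry["name_value"].split("\n"):
            if in_scope(raw, domain):
                hosts.add(normalize(raw))
        issuers.add(entry["issuer_name"])          # unexpected CAs are worth a look
        if datetime.fromisoformat(entry["not_after"]) < now:
            expired.append(entry["id"])            # stale names that may still resolve
    return sorted(hosts), issuers, expired

if __name__ == "__main__":
    print(enumerate_ct(SAMPLE_CRTSH_JSON, "example.com", "2025-07-01T00:00:00"))
```

Names you do not recognise in the host list, or issuers your organization never uses, are exactly what a CT monitor such as CertSpotter is meant to surface.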
Analyzing Digital Footprints
Security Trails - Offers historical data about domains, DNS records, subdomains, and associated IPs.
Wayback Machine - Views archived versions of web pages to understand past content and configurations.
Netcraft Site Report - Provides information on the technology used by a domain, its hosting history, and risk ratings.
BuiltWith - Determines the technology stack of a website, including web servers, frameworks, analytics tools, and more.