home..

Enumerating a digital footprint

May 2019 (259 Words, 2 Minutes)

bug-bounty security infosec enumeration python

Enumerating a digital footprint

Connect with me on twitter: https://twitter.com/@initroott

Quick intro to enumerating a specific target’s digital footprint. I take no responsibility for your use of the below, please always have permission before you engage a specific target.

The below walkthrough explains a simple enumeration of a domain. For this we’ll focus on Tesla.

The basics

For this specific target we can assume that our main target is Tesla.com.

Enumeration, specifically domain enumeration can be performed in several ways. I really like the article of Patrik Hudak, refer here https://0xpatrik.com/asset-discovery/.

The two important notes here are vertical and horizontal enumeration. A picture speaks a thousand words.

Copied directly from Pat’s blog.

Vertical domain enumeration is all about understanding the sub-domain space given to each horizontal domain. As you can see once you start enumerating both vertically and horizontally your domain footprint will grow exponentially.

Let’s proceed with looking at our target from a vertical perspective.

[1] Vertical enumeration

I prefer using the Sublist3r tool for vertical DNS enumeration. A simple command line for automating the vertical enumeration.

sublist3r -d tesla.com -o /root/Tools/Sublister/

gistfile1.txt view raw

The above command will output all domain names into an output list. The simple above scan gives us good couple of targets to enumerate.

[2] Horizontal enumeration

We now need to start identifying some targets for horizontal enumeration. Simply put, I prefer using the WHOIS information. Ultimately we target the reverse WHOIS information. ViewDNS has a great tool. I usually do two searches.

A simple bash one-liner to extract a domain’s organisation can be run.

whois tesla.com | grep "Registrant Organization" | sed "s:Organization::" | grep -o -m 1 -P "(?<=: ).*"

greporg view raw

As you can see we have a simple output for adobe.com that provides us with the organisation name. On https://viewdns.info/reversewhois/?q=Adobe+Inc will provide us with a good output of around 20 horizontal domain names.

I then proceed searching the domain name using the same viewdns. Once I have a good list of domains I then start with the vertical enumeration all over again for each horizontal domain.

Automating?

I’ve automated the enumeration steps using my own script. The script is available on github, https://github.com/InitRoot/fransRecon

Feel free to make suggestions. I would advise running it with a VPN or through a proxy as Sublist3r can be noisy for enumeration.

© 2023 Frans Botes   •  Powered by Soopr   •  Theme  Moonwalk