Recon
Discover IP Space
Finding ASNs
Here we can see all domains and their respective IP addresses hypothetically in scope.
whois
We can use the whois command to find the CIDR notation for tesla.com (the actual domain).
whois -h whois.cymru.com $(dig +short tesla.com)
Running this whois command with the dig command substituted into it makes sure we look up the exact IP address that tesla.com currently resolves to.
We need to be wary that we don't end up with the ASN of a hosting provider (DigitalOcean, AWS, etc.) rather than the target's own.
Finding subdomains in ASNs using amass
amass intel -org tesla
With this command we can get the ASN, and then we can run an intel command with that ASN specified, which will give us every single subdomain in that range.
amass intel -asn 394161
ARIN & RIPE
Shodan
Shodan may bring in some false positives since it will show every organization with "Tesla" in its name.
TLDs, Acquisitions & Relations
The diagram above displays how to find different brands and top level domains.
The first thing we can do is find different acquisitions, where we may see an attack surface that many other people have not discovered. Keeping an eye on acquisitions is great, but usually acquisitions are not in scope until 6 months after the acquisition.
After that we can look at related domains. Domains can be related through things like analytics, whois information, dorks, etc.
Acquisitions
Wikipedia
We can search for Tesla, Inc. on Wikipedia and look for subsidiaries.
Crunchbase
If it is an open scope, we have all these acquisitions to attack, which increases the attack surface significantly.
Owler
AcquiredBy
Related
ReverseWhois
We can perform a reverse whois with amass, using -d to specify the domain we want to search for and the -whois flag to specify that we are doing a reverse whois check.
amass intel -d tesla.com -whois
In green we can see the different domains related to tesla.com.
BuiltWith
Google Dorks
This won't increase the attack surface, but it will show us different places with information about the company, and which ones the company acknowledges as sources of information about itself.
Subdomain Enumeration
These tools will return a lot of the same subdomains, so we need to clean the results at the end.
Amass Enum
amass enum -d teslamotors.com
Findomain
./findomain-linux -t teslamotors.com
crtsh script
python3 crtsh_enum.py teslamotors.com
Assetfinder
./assetfinder --subs-only teslamotors.com
subbrute.py
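The tools above overlap heavily and print hostnames in slightly different shapes (mixed case, trailing dots, crt.sh wildcards, httprobe URLs), so the cleaning step needs more than sort -u. This is an added example, not part of the original notes or of any of the tools listed: it normalizes each line, deduplicates, and keeps only hosts under the in-scope apex domains. The tool output lines are constructed samples, and the scope list is assumed.

```python
"""Merge and clean subdomain lists from several enumeration tools.

Constructed example: the inputs below imitate the line formats of amass,
findomain, a crt.sh query and httprobe; they are not real tool output.
"""
from urllib.parse import urlsplit

# Assumed scope: the apex domains the engagement is allowed to cover.
SCOPE = ["tesla.com", "teslamotors.com"]

# Constructed sample output, one list per tool (not real results).
TOOL_OUTPUT = {
    "amass": ["www.teslamotors.com", "Shop.TeslaMotors.com", "mail.teslamotors.com."],
    "findomain": ["www.teslamotors.com", "notteslamotors.com", "cdn.tesla.com"],
    "crtsh": ["*.teslamotors.com", "www.teslamotors.com", "api.tesla.com.example.net"],
    "httprobe": ["https://www.teslamotors.com", "http://shop.teslamotors.com:8080"],
}


def normalize(entry: str) -> str:
    """Reduce one raw line to a bare, lowercase hostname."""
    entry = entry.strip().lower()
    if "://" in entry:              # httprobe prints full URLs, possibly with a port
        entry = urlsplit(entry).hostname or ""
    entry = entry.rstrip(".")       # some tools print FQDNs with a trailing dot
    if entry.startswith("*."):      # crt.sh wildcard certificates
        entry = entry[2:]
    return entry


def in_scope(host: str, scope=SCOPE) -> bool:
    """True only for the apex itself or a label strictly under it.

    The leading dot matters: a plain endswith("teslamotors.com") would also
    accept look-alike names such as notteslamotors.com.
    """
    return any(host == apex or host.endswith("." + apex) for apex in scope)


def merge_results(outputs: dict, scope=SCOPE) -> list:
    """Normalize, deduplicate and scope-filter every tool's results."""
    hosts = {normalize(line) for lines in outputs.values() for line in lines}
    hosts.discard("")
    return sorted(h for h in hosts if in_scope(h, scope))


if __name__ == "__main__":
    for host in merge_results(TOOL_OUTPUT):
        print(host)
```

Feed the merged list to httprobe; anything that failed the scope check is dropped before any probing happens rather than after.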
HTTPROBE
Probe for live targets
cat results.txt | httprobe -c 100 > alive.txt
Fingerprinting
Wappalyzer
whatweb
Masscan & Nmap
Find Ports
sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000
Scan those ports
sudo nmap -sV -p <ports from masscan> tesla.com
WayBack Enumeration
Content Discovery
Gobuster
otxurls
waybackurls