Recon
Here we can see all domains and respective IP addresses hypothetically in scope.
We can use the whois command to find the CIDR notation for tesla.com (the actual domain).
whois -h whois.cymru.com $(dig +short tesla.com)
Running this whois command with a dig command substituted into it makes sure that we look up the exact IP address that tesla.com currently resolves to.
We need to be wary that we don't actually get the ASN of a hosting provider (DigitalOcean, AWS, etc.) instead of the organization's own ASN, since a VPS or cloud IP belongs to the provider's range and not to the target.
amass intel -org tesla
With this command we can get the ASN, and then we can run an intel command with that ASN specified, which will give us every domain found in that range.
amass intel -asn 394161
Shodan may bring in some false positives since it will show every organization with "Tesla" in its name.
The diagram above displays how to find different brands and top level domains.
The first thing we can do is find different acquisitions, where we can see whether there is an attack surface that many other people may not have discovered. Keeping an eye on acquisitions is great, but usually acquisitions are not in scope until 6 months after the acquisition.
After that we can look at related domains. These can be related through things like analytics IDs, whois information, dorks, etc.
We can search for Tesla, Inc. on Wikipedia and look for subsidiaries.
If it is an open scope, we have all these acquisitions to attack, which increases the attack surface significantly.
We can perform a reverse whois with amass, using the -d flag to specify the domain we want to search for and the -whois flag to specify that we are doing a reverse whois check.
amass intel -d tesla.com -whois
In green we can see the different domains related to tesla.com.
This won't increase the attack surface, but it will show us different places with information about the company that the company itself acknowledges as sources of information about itself.
These tools will return a lot of the same subdomains, so we need to clean the results at the end.
amass enum -d teslamotors.com
./findomain-linux -t teslamotors.com
python3 crtsh_enum.py teslamotors.com
./assetfinder --subs-only teslamotors.com
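As an added example (not part of the original notes), a small shell pipeline for that cleanup step: it merges the tools' output, normalises case, wildcard prefixes and trailing dots, drops duplicates, and keeps only hosts under the scoped apex domain so that nothing out of scope reaches the probing and scanning steps. The sample input is constructed, and the function names clean_subdomains and cleaned_sample are chosen here.

```shell
# Added example, not code from the original notes: merge and clean the raw
# output of the enumeration tools so that only in-scope hosts are probed.

# Constructed sample output standing in for amass/findomain/crtsh/assetfinder results.
SAMPLE_RESULTS='www.teslamotors.com
WWW.teslamotors.com
*.shop.teslamotors.com
shop.teslamotors.com.
api.teslamotors.com
teslamotors.com.evil-example.net
notteslamotors.com
www.example.org
api.teslamotors.com'

# clean_subdomains APEX < raw_list
#   - lowercases every name
#   - strips wildcard prefixes ("*.") and trailing dots (crt.sh style)
#   - keeps only the apex itself or names that are subdomains of it
#     (a dot or start-of-line must precede the apex, so
#     notteslamotors.com and teslamotors.com.evil-example.net are dropped)
#   - removes duplicates so each host is probed once
clean_subdomains() {
    apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' \
      | sed -e 's/^\*\.//' -e 's/\.$//' \
      | grep -E "(^|\.)${apex_re}\$" \
      | sort -u
}

# Runs the pipeline over the constructed sample so it can be exercised offline.
cleaned_sample() {
    printf '%s\n' "$SAMPLE_RESULTS" | clean_subdomains teslamotors.com
}

# In a real run the input is the concatenated tool output, for example:
#   cat amass.txt findomain.txt crtsh.txt assetfinder.txt \
#     | clean_subdomains teslamotors.com > results.txt
```

The resulting results.txt is what gets piped into httprobe in the next step, so the scope filter here bounds everything that follows.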
Probe for live targets
cat results.txt | httprobe -c 100 > alive.txt
Find Ports
sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000
Scan those ports
sudo nmap -sV -p <ports from masscan> tesla.com