Recon

Discover IP Space
Finding ASNs

Here we can see all domains and their respective IP addresses hypothetically in scope.
whois
We can use the whois command to find the CIDR notation for tesla.com (the actual domain).
whois -h whois.cymru.com $(dig +short tesla.com)
Running this whois command with a dig command inside it makes sure that we look up the exact IP address of tesla.com.

We need to be wary that we don't end up with the ASN of a hosting provider (DigitalOcean, AWS, etc.) instead of the organisation's own ASN.
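The check behind that warning, as an added example that is not part of the original notes: whois.cymru.com answers with lines of the form "AS | IP | AS Name", so the AS name can be compared against the organisation before its range is treated as in scope. The function name, the sample answer and the organisation names are assumptions; the sample uses the ASNs and addresses reserved for documentation.

```shell
# Added example (not part of the original notes): sanity-check the ASN step.
# whois.cymru.com answers with lines of the form "AS | IP | AS Name"; this
# keeps only the AS numbers whose name contains the organisation we are
# looking for and reports the rest on stderr, so a hosting provider's ASN
# (DigitalOcean, AWS, ...) is never mistaken for the organisation's own range.
filter_asn_by_org() {
    org=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -F'|' -v org="$org" '
        NR == 1 && $1 ~ /^ *AS *$/ { next }   # skip the column header line
        NF < 3 { next }                       # ignore anything that is not a record
        {
            gsub(/^ +| +$/, "", $1)           # AS number
            gsub(/^ +| +$/, "", $2)           # queried IP
            gsub(/^ +| +$/, "", $3)           # AS name
            if (index(toupper($3), org) > 0) {
                print $1
            } else {
                printf "skipping AS%s for %s: owned by %s, not %s\n", $1, $2, $3, org > "/dev/stderr"
            }
        }'
}

# Constructed sample answer using the ASNs and addresses reserved for
# documentation (AS64496/AS64497, 203.0.113.0/24, 198.51.100.0/24); the
# CLOUD-HOSTER line is the hosting-provider case the note above warns about.
SAMPLE_CYMRU_OUTPUT='AS      | IP               | AS Name
64496   | 203.0.113.10     | EXAMPLE-CORP, US
64496   | 203.0.113.11     | EXAMPLE-CORP, US
64497   | 198.51.100.5     | CLOUD-HOSTER, US'

# Unique ASNs for the given organisation from the sample, i.e. what you
# would hand to "amass intel -asn".
in_scope_asns() {
    printf '%s\n' "$SAMPLE_CYMRU_OUTPUT" | filter_asn_by_org "$1" | sort -u
}

# Real usage, piping in the whois command from the notes (assumed, not run here):
#   whois -h whois.cymru.com $(dig +short tesla.com) | filter_asn_by_org tesla | sort -u
in_scope_asns EXAMPLE-CORP
```

The match is a plain case-insensitive substring test on the AS name, so a short or common organisation name will still need a look by eye; the point is that the hoster's ASN shows up on stderr instead of silently landing in the amass query.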
Finding subdomains in ASNs using amass
amass intel -org tesla

With this command we can get the ASN, and then we can run an intel command with the ASN specified, which gives us every subdomain in that range.
amass intel -asn 394161

ARIN & RIPE


Shodan

Shodan may bring in some false positives since it will show every organization with "Tesla" in its name.
TLDs, Acquisitions & Relations

The diagram above displays how to find different brands and top level domains.
The first thing we can do is find different acquisitions, where we may see an attack surface that many other people have not discovered yet. Keeping an eye on acquisitions is great, but usually acquisitions are not in scope until 6 months after the acquisition.
After that we can look at related domains. These can be related through things like analytics, whois information, dorks, etc.
Acquisitions
Wikipedia
We can search for Tesla, Inc. on Wikipedia and look for subsidiaries.

Crunchbase

If it is an open scope, we have all these acquisitions to attack, which increases the attack surface significantly.
Owler

AcquiredBy

Related
ReverseWhois
We can perform a reverse whois with amass, using -d to specify the domain we want to search for and the -whois flag to specify that we are doing a reverse whois check.
amass intel -d tesla.com -whois

In green we can see the different domains related to tesla.com.
BuiltWith

Google Dorks

This won't increase the attack surface, but it will show us different places with information about the company that the company itself acknowledges as a source of information about itself.
Subdomain Enumeration
These tools will return a lot of the same subdomains, so we need to clean the results at the end.
Amass Enum
amass enum -d teslamotors.com

Findomain
./findomain-linux -t teslamotors.com

crtsh script
python3 crtsh_enum.py teslamotors.com

Assetfinder
./assetfinder --subs-only teslamotors.com

subbrute.py

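The clean-up step mentioned above, as an added example that is not part of the original notes: the tools' outputs are concatenated, normalised (case, URLs, wildcard entries, trailing dots, ports) and restricted to names that actually sit under the target domain, which also drops look-alike domains such as notexample.com. The function name, the file names in the usage comment and the sample lines are assumptions; the sample is constructed, not real tool output.

```shell
# Added example (not from the original notes): merge and clean the output of
# the subdomain tools before probing. Reads hostnames (or URLs) on stdin,
# normalises them and keeps only names that really sit under DOMAIN, so that
# look-alikes such as "notexample.com" are dropped along with duplicates.
clean_subdomains() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr -d '\r' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's#^[a-z]*://##' -e 's#/.*$##' -e 's/:[0-9]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v d="$domain" 'NF && ($0 == d || substr($0, length($0) - length(d)) == "." d)' \
    | LC_ALL=C sort -u
}

# Constructed sample: what a concatenation of amass, findomain, crt.sh and
# assetfinder results tends to look like (mixed case, URLs, wildcards,
# trailing dots, ports, and an unrelated look-alike domain).
SAMPLE_ENUM_OUTPUT='www.example.com
WWW.example.com
https://api.example.com/v1
*.dev.example.com
mail.example.com.
notexample.com
example.com
api.example.com:8443'

cleaned_sample() {
    printf '%s\n' "$SAMPLE_ENUM_OUTPUT" | clean_subdomains example.com
}

# Real usage (assumed file names), producing the results.txt that httprobe reads:
#   cat amass.txt findomain.txt crtsh.txt assetfinder.txt | clean_subdomains teslamotors.com > results.txt
cleaned_sample
```

The suffix test in the awk line compares against "." followed by the domain rather than the bare domain string, which is what keeps notexample.com out while still accepting the apex domain itself.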
HTTPROBE
Probe for live targets
cat results.txt | httprobe -c 100 > alive.txt

Fingerprinting
Wappalyzer

whatweb

Masscan & Nmap
Find Ports
sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000
Scan those ports
sudo nmap -sV -p <ports from masscan> tesla.com
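Filling in the "<ports from masscan>" placeholder, as an added example that is not part of the original notes: masscan prints one "Discovered open port N/tcp on IP" line per hit, and the nmap step wants a single comma-separated port list. The function name, the sample scan lines and the file name in the usage comment are assumptions; the sample is constructed using a documentation address range.

```shell
# Added example (not from the original notes): turn masscan's stdout into the
# port list that the nmap step expects in place of "<ports from masscan>".
# masscan reports each hit as "Discovered open port 443/tcp on 203.0.113.10";
# this collects the unique port numbers, sorted numerically, comma-separated.
masscan_ports() {
    awk '$1 == "Discovered" && $2 == "open" && $3 == "port" { split($4, p, "/"); print p[1] }' \
    | sort -n -u \
    | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { if (NR) print "" }'
}

# Constructed sample scan output (documentation range 203.0.113.0/24); the
# last line is a constructed noise line that the parser has to ignore.
SAMPLE_MASSCAN_OUTPUT='Discovered open port 443/tcp on 203.0.113.10
Discovered open port 80/tcp on 203.0.113.10
Discovered open port 443/tcp on 203.0.113.11
Discovered open port 8443/tcp on 203.0.113.11
rate:  10.00-kpps, 100.00% done, 0:00:00 remaining, found=4'

sample_port_list() {
    printf '%s\n' "$SAMPLE_MASSCAN_OUTPUT" | masscan_ports
}

# Real usage (assumed file name), feeding the nmap command from the notes:
#   sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000 > masscan.txt
#   sudo nmap -sV -p "$(masscan_ports < masscan.txt)" tesla.com
sample_port_list
```

Ports are merged across all hosts in the scan, so the nmap run checks every discovered port on every host; that is the simplest way to keep the two commands from the notes in sync, at the cost of a few extra probes per host.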
WayBack Enumeration

Content Discovery
Gobuster

otxurls

waybackurls
