Recon

Discover IP Space

Finding ASNs

https://bgp.he.net/

Here we can look up an organisation and see its ASNs, the prefixes they announce and the domains hosted on them, i.e. the IP space hypothetically in scope.

whois

We can use the whois command against Team Cymru's IP-to-ASN service to find the ASN and the announced prefix (CIDR notation) for tesla.com (the actual domain).

whois -h whois.cymru.com " -v $(dig +short tesla.com | head -n1)"

The nested dig resolves tesla.com first, so the whois query is made against the address the domain actually points to rather than against the name. The -v flag (passed with a leading space so the whois client forwards it to the server) makes Cymru return the BGP prefix, registry and AS name as well as the AS number. dig may return several A records, so query each of them; head -n1 takes just the first one here.

Be wary of addresses that belong to a VPS or cloud provider (DigitalOcean, AWS, etc.): in that case the ASN and prefix are the provider's, shared with many other customers, and are not the target's own IP space.
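As an added example (not part of the original notes), the following shell functions sort Team Cymru whois output into prefixes that belong to the target organisation and prefixes announced by hosting or cloud providers, which is exactly the check the paragraph above warns about. The sample Cymru lines use documentation address ranges and are constructed; the provider list and the function names are assumptions for illustration. In real use, pipe the output of the whois command above into classify_cymru instead of the sample.

```shell
#!/usr/bin/env bash
# Added example: classify Team Cymru "whois -v" results so that prefixes
# announced by hosting/cloud providers are not mistaken for the target's
# own IP space. Parser, provider list and sample data are assumptions.

# Output format of:  whois -h whois.cymru.com " -v <ip>"
#   AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
# The lines below are CONSTRUCTED sample data (TEST-NET ranges), not real results.
SAMPLE_CYMRU='AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
394161  | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2014-01-21 | TESLA, US
14061   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2020-01-14 | DIGITALOCEAN-ASN, US
16509   | 203.0.113.42     | 203.0.113.0/24      | US | arin     | 2015-09-02 | AMAZON-02, US'

# Hosting/cloud providers whose prefixes are shared with other customers;
# scanning them would hit third parties. Assumed, non-exhaustive list.
PROVIDER_PATTERN='DIGITALOCEAN|AMAZON|GOOGLE|MICROSOFT|CLOUDFLARE|AKAMAI|OVH|LINODE|HETZNER'

# classify_cymru ORG_PATTERN < cymru_output
# Prints "<verdict> AS<asn> <prefix> <as name>" per data line, where verdict is
#   own      - AS name matches the organisation we are targeting
#   provider - AS name matches a known hosting/cloud provider
#   other    - neither; review manually
classify_cymru() {
  local org="$1"
  awk -F'|' -v org="$org" -v prov="$PROVIDER_PATTERN" '
    NR == 1 { next }                                     # skip header row
    {
      for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)   # trim cells
      asn = $1; prefix = $3; name = $7
      verdict = "other"
      if (toupper(name) ~ prov) verdict = "provider"
      else if (toupper(name) ~ toupper(org)) verdict = "own"
      print verdict, "AS" asn, prefix, name
    }'
}

# own_prefixes ORG_PATTERN < cymru_output
# Only the prefixes that are safe to treat as the target's own address space.
own_prefixes() {
  classify_cymru "$1" | awk '$1 == "own" { print $3 }'
}

# Stand-alone demo on the constructed sample (real use: pipe whois output in).
printf '%s\n' "$SAMPLE_CYMRU" | classify_cymru TESLA
```

Prefixes marked "provider" may still host the target's servers, but they must be scanned host by host rather than as a range, and only for the addresses the target's names actually resolve to.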

Finding subdomains in ASNs using amass

amass intel -org tesla

This searches ASN descriptions for the organisation name and returns the matching ASNs. With an ASN in hand we can run intel again with -asn, which returns the domain names amass can associate with that address range (through reverse DNS, whois and its other data sources); this is a good starting list, not guaranteed to be every subdomain.

amass intel -asn 394161

ARIN & RIPE

Shodan

Shodan may bring in some false positives, since a plain search for "Tesla" matches every organisation with "Tesla" in its name. Filtering with org:"<exact organisation name from the whois/ASN data>" or asn:AS394161 narrows the results to the target.

TLDs, Acquisitions & Relations

The diagram above displays how to find different brands and top level domains.

The first thing we can do is look for acquisitions, where there may be attack surface that few other people have discovered. Keeping an eye on acquisitions is worthwhile, but they are usually not in scope until about 6 months after the acquisition, so check the programme's policy before testing them.

After that we can look at related domains. Relations can be found through shared analytics IDs, whois information, Google dorks, etc.

Acquisitions

Wikipedia

We can search for Tesla, Inc. on Wikipedia and look at its list of subsidiaries.

Crunchbase

https://www.crunchbase.com/

If the scope is open, all these acquisitions are available to attack, which increases the attack surface significantly.

Owler

AcquiredBy

ReverseWhois

We can perform a reverse whois with amass, using -d to specify the domain we want to search for and the -whois flag to ask for a reverse whois lookup, i.e. other domains registered with the same registrant details.

amass intel -d tesla.com -whois

The output (highlighted in green) lists the different domains related to tesla.com through their registration details. Registrant data is often privacy-protected, so treat an empty or very short list as inconclusive rather than as proof that no related domains exist.

BuiltWith

Google Dorks

This won't increase the attack surface by itself, but it will show us other places with information about the company, and which sources the company acknowledges as authoritative about itself.

Subdomain Enumeration

These tools will return many of the same subdomains, so we need to deduplicate and clean the results at the end.

Amass Enum

amass enum -d teslamotors.com

Findomain

./findomain-linux -t teslamotors.com

crtsh script

python3 crtsh_enum.py teslamotors.com

Assetfinder

./assetfinder --subs-only teslamotors.com

subbrute.py

HTTPROBE

Probe the deduplicated list for hosts that answer on HTTP/HTTPS

cat results.txt | httprobe -c 100 > alive.txt
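The clean-up step called for at the start of this section, as an added shell example that is not from the original notes: merge_subdomains takes the root domain and the raw output files of the tools listed above, lowercases everything, strips wildcard prefixes and trailing dots, drops anything that is not under the root (crt.sh and whois-based sources regularly return unrelated names), and deduplicates. The file names and the sample contents written by demo_merge are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: merge the raw output of several subdomain tools into one
# clean, in-scope, deduplicated list ready for httprobe. Not from the page.

# merge_subdomains ROOT FILE... : normalised, in-scope, unique hostnames
merge_subdomains() {
  local root="$1"; shift
  cat "$@" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v root="$root" \
        'NF && ($0 == root || substr($0, length($0) - length(root)) == "." root)' \
    | sort -u
}
# Normalisation steps, in order:
#   tr   - DNS names are case-insensitive; "Shop." and "shop." are one host
#   sed  - trim whitespace, drop a leading "*." (crt.sh wildcard certs) and a
#          trailing "." (fully qualified form some tools print)
#   awk  - keep only the root itself or names ending in ".<root>", so that
#          "teslamotors.com.evil.example" or "nottesla.com" are rejected
#   sort - deduplicate across tools

# demo_merge : run the merge on CONSTRUCTED sample files (not real tool output)
demo_merge() {
  local dir
  dir=$(mktemp -d)
  printf 'www.teslamotors.com\nShop.teslamotors.com\nteslamotors.com\n' > "$dir/amass.txt"
  printf 'www.teslamotors.com\napi.teslamotors.com\n' > "$dir/findomain.txt"
  printf '*.teslamotors.com\nShop.teslamotors.com.\nteslamotors.com.evil.example\n' > "$dir/crtsh.txt"
  printf 'dev.teslamotors.com\n\n' > "$dir/assetfinder.txt"
  merge_subdomains teslamotors.com "$dir"/*.txt
  rm -rf "$dir"
}

demo_merge
```

In practice the call is merge_subdomains teslamotors.com amass.txt findomain.txt crtsh.txt assetfinder.txt > results.txt, after which results.txt goes into httprobe as shown above. Check the rejected names before discarding them: a name under another root may be a related domain worth adding to scope rather than noise.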

Fingerprinting

Wappalyzer

whatweb

Masscan & Nmap

Find Ports

sudo masscan -p1-65535 $(dig +short tesla.com) --rate 10000

Scan those ports with nmap's service detection (masscan only tells us a port is open; nmap tells us what is listening)

sudo nmap -sV -p <ports from masscan> tesla.com
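To hand masscan's findings to nmap without retyping the ports, here is an added shell example (not from the original page) that reads masscan's list output (the -oL file) and builds one nmap -sV command per IP. The sample masscan lines are constructed with documentation addresses, and the function names are assumptions. It targets the IP rather than the hostname, because a name that resolves to several addresses could send nmap to a different host than the one masscan scanned.

```shell
#!/usr/bin/env bash
# Added example: turn masscan list output (masscan ... -oL scan.txt) into a
# per-IP nmap service scan. Assumed format of -oL data lines:
#   open tcp <port> <ip> <timestamp>
# with comment lines starting with '#'. Not from the page.

# ports_from_masscan FILE IP : unique open TCP ports for IP, as "22,443,8443"
ports_from_masscan() {
  awk -v ip="$2" '$1 == "open" && $2 == "tcp" && $4 == ip { print $3 }' "$1" \
    | sort -n -u | paste -sd, -
}

# hosts_from_masscan FILE : every IP with at least one open port
hosts_from_masscan() {
  awk '$1 == "open" { print $4 }' "$1" | sort -u
}

# nmap_commands FILE : print (do not run) one nmap -sV line per host
nmap_commands() {
  local ip ports
  for ip in $(hosts_from_masscan "$1"); do
    ports=$(ports_from_masscan "$1" "$ip")
    printf 'sudo nmap -sV -p %s %s\n' "$ports" "$ip"
  done
}

# demo_masscan : run the parser on CONSTRUCTED sample output (not a real scan)
demo_masscan() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 22 192.0.2.10 1700000001
open tcp 8443 192.0.2.10 1700000002
open tcp 443 192.0.2.10 1700000003
open tcp 80 192.0.2.11 1700000004
# end
EOF
  nmap_commands "$f"
  rm -f "$f"
}

demo_masscan
```

Pipe the output into sh once you have reviewed it, or keep it as a record of what was scanned. Two caveats from the commands above: masscan at --rate 10000 will trip rate limits and IDS on many networks, so lower it for anything outside an explicit engagement, and if the A record of the domain belongs to a CDN or cloud provider, the open ports you see are the provider's edge, not the target's origin.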

WayBack Enumeration

Content Discovery

Gobuster

otxurls

waybackurls
