How to find new domains of a Company using tools - Bug Bounty Recon

Updated: Apr 3

In this post, you will learn how to find new domains of any company using some of the best recon tools.


knockknock

This tool is written in Go and is used for reverse WHOIS lookups. For more info check https://github.com/harleo/knockknock

Usage:-

The command above fetches all domains whose "Registrant Email" is "hostmaster@sony.com". You can also search on the organisation name or postal address to find further domains.


Amass

Amass is the all-in-one recon tool: it handles subdomain enumeration, organisation lookup, ASN lookup, reverse DNS, and reverse WHOIS. For more info check https://github.com/OWASP/Amass/

Usage:-

This command fetches all ASNs and IP CIDR ranges registered to the given organisation.

amass intel -org 'Sony Corporation of America'

This command fetches all IPs under the given ASN (Autonomous System Number); if you drop "-ip", it returns the domains/subdomains found in that ASN instead.

amass intel -active -asn 3725 -ip

Give this command the CIDR range of an IP block and it will fetch all domains under it.

amass intel -active -cidr 160.33.96.0/23

Fetch new domains using the ASN together with a reverse WHOIS on the known domain:

amass intel -asn 3725 -whois -d sony.com

For subdomains, using the ASN and CIDR ranges:-

amass enum -d sony.com -active -cidr 160.33.99.0/24,160.33.96.0/23 -asn 3725

Never underestimate Amass for its speed!!


hakrevdns

It's a simple and fast tool for reverse DNS lookups. Check https://github.com/hakluke/hakrevdns for more info.

Usage:-

The command below fetches all new domains/subdomains for a CIDR range: prips expands the range into individual IPs, and hakrevdns resolves each one in reverse.

prips 160.33.96.0/23 | ~/go/bin/hakrevdns -d

Censys Python

This is the last tool I am sharing with you. It is simple to install using pip, and it requires a Censys API key. For installation follow this

Usage:-

Get the SSL certificate hashes of the main domain; the same certificate is often reused by other domains/subdomains of the same company.

censys search "sony.com" --index-type certs --max-record 100 | jq -c '.[] | {Certificateshash: ."parsed.fingerprint_sha256"}'

After that, you can fetch the domains/subdomains covered by the SSL certificate using the hash value obtained above:

censys search "parsed.fingerprint_sha256: 0585534aff7799bf147c075428d60992771726ce23e7601d6b977857a9e47737" --index-type certs --max-record 100 --fields parsed.names,parsed.fingerprint_sha256,parsed.subject_dn | jq -c '.[] | {domains: ."parsed.names"}'
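As an added example (not part of the original post, and not the censys CLI's own code), the script below post-processes the JSON returned by the second command above and separates names that fall under an apex domain you already know from genuinely new ones. The records and fingerprints in it are constructed, not real query output.

```python
"""Triage Censys certificate search results: split the names on each
certificate into 'already in scope' and 'new' based on a seed list of
known apex domains. Added example; the sample records are constructed."""
import json

# Constructed sample: shape mirrors the flattened fields requested with
# --fields parsed.names,parsed.fingerprint_sha256,parsed.subject_dn
SAMPLE_RESULTS = json.dumps([
    {"parsed.names": ["sony.com", "*.sony.com", "www.sony.com"],
     "parsed.fingerprint_sha256": "aa" * 32,
     "parsed.subject_dn": "CN=sony.com, O=Sony Corporation of America"},
    {"parsed.names": ["Shop.Sony-Example.net", "cdn.sony-example.net"],
     "parsed.fingerprint_sha256": "bb" * 32,
     "parsed.subject_dn": "CN=shop.sony-example.net"},
])


def normalize(name):
    """Lowercase, drop a trailing dot and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def belongs_to(name, apex):
    """True if name is the apex itself or a subdomain of it."""
    return name == apex or name.endswith("." + apex)


def triage_names(results_json, known_apexes):
    """Return (new_names, known_names, names_by_fingerprint)."""
    known = {normalize(a) for a in known_apexes}
    new_names, known_names, by_fp = set(), set(), {}
    for rec in json.loads(results_json):
        fp = rec.get("parsed.fingerprint_sha256", "")
        for raw in rec.get("parsed.names", []):
            name = normalize(raw)
            if not name:
                continue
            by_fp.setdefault(fp, set()).add(name)
            if any(belongs_to(name, a) for a in known):
                known_names.add(name)
            else:
                new_names.add(name)   # candidate for a new company domain
    return sorted(new_names), sorted(known_names), by_fp


if __name__ == "__main__":
    new, old, _ = triage_names(SAMPLE_RESULTS, ["sony.com"])
    print("new:", new)
    print("already in scope:", old)
```

Feed it the raw JSON from censys (before the jq step) and the "new" list is what you still need to verify actually belongs to the company before adding it to scope.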

That's all for today; follow me here for more interesting posts about recon tips.


