In this post, you will learn how to find new domains of any company using some of the best recon tools.
knockknock
This tool is written in Go and performs reverse whois lookups. For more info, check https://github.com/harleo/knockknock
Usage:-


The above command fetches all domains whose "Registrant Email" is "hostmaster@sony.com". You can also search by the organisation name or address to find new domains.

Amass
Amass is the all-in-one tool you need for recon: it can do subdomain enumeration, organisation lookup, ASN lookup, reverse DNS and reverse whois. For more info, check https://github.com/OWASP/Amass/
Usage:-
This command fetches all ASNs and IP CIDR ranges of the given organisation.
amass intel -org 'Sony Corporation of America'

This command fetches all IPs under an ASN (Autonomous System Number); if you remove "-ip", it returns the domains/subdomains under that ASN instead.
amass intel -active -asn 3725 -ip


Give this command the CIDR range of any IP and it will fetch all domains under that range.
amass intel -active -cidr 160.33.96.0/23

Fetch new domains using the ASN together with a whois lookup on a known domain:
amass intel -asn 3725 -whois -d sony.com

For subdomains using the ASN and CIDR ranges:
amass enum -d sony.com -active -cidr 160.33.99.0/24,160.33.96.0/23 -asn 3725

Never underestimate Amass for its speed!!
hakrevdns
It's a simple and fast tool for reverse DNS lookups. Check this for more info: https://github.com/hakluke/hakrevdns
Usage:-
Fetch all new domains/subdomains from a CIDR range with the command below; prips expands the CIDR into individual IPs, which are piped into hakrevdns for reverse lookup.
prips 160.33.96.0/23 | ~/go/bin/hakrevdns -d

Censys Python
This is the last tool that I am sharing with you. It is simple to install using pip and requires a Censys API key. For installation follow this
Usage:-
Get the SSL certificate hashes of the main domain; the same certificate is often used by other domains/subdomains of the same company.
censys search "sony.com" --index-type certs --max-record 100 | jq -c '.[] | {Certificateshash: ."parsed.fingerprint_sha256"}'

After that, you can fetch domains/subdomains using the SSL certificate hash value from above:
censys search "parsed.fingerprint_sha256: 0585534aff7799bf147c075428d60992771726ce23e7601d6b977857a9e47737" --index-type certs --max-record 100 --fields parsed.names,parsed.fingerprint_sha256,parsed.subject_dn | jq -c '.[] | {domains: ."parsed.names"}'

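The hakrevdns and censys steps above each produce a flat list of host names, and the Amass intel step produces the organisation's announced CIDR ranges. What an asset-inventory owner usually wants next is one consolidated view: which registrable domains the results fall under, and which hosts sit outside the ranges you already know about. The script below is an added example for this post (not code from hakrevdns, Amass or censys-python) that does that merge. It assumes hakrevdns prints the host name as the last whitespace-separated field of each line, and that the jq filter above emits one {"domains": [...]} object per line; all sample data in it is constructed.

```python
"""Consolidate host names found by reverse DNS (hakrevdns) and by
certificate search (censys) into an inventory of registrable domains.

Added example for this post; not part of hakrevdns, Amass or censys-python.
All input data below is constructed sample data, not real lookup output.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed format: hakrevdns prints one result per line with the host name as
# the last whitespace-separated field ("ip hostname", or just "hostname"
# when run with -d). Constructed sample lines:
REVDNS_OUTPUT = """\
160.33.96.10 www.example.com.
160.33.96.11 mail.corp.example.com
203.0.113.7 shop.example-store.co.uk.
"""

# Assumed format: the jq filter from the post emits one JSON object per
# certificate, {"domains": [...]} (the parsed.names field). Constructed:
CENSYS_OUTPUT = """\
{"domains":["www.example.com","*.cdn.example.com"]}
{"domains":["api.example.net","www.example.net"]}
{"domains":["WWW.Example.com"]}
"""

# Ranges the organisation announces (what `amass intel -org ...` would list);
# constructed for this example.
KNOWN_CIDRS = [ipaddress.ip_network("160.33.96.0/23")]

# A few public suffixes made of two labels. A production tool should use the
# Public Suffix List (e.g. the `publicsuffix2` package) instead of this set.
TWO_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.au", "org.uk"}


def normalize_host(name):
    """Lower-case, strip the trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def apex_domain(host):
    """Heuristic registrable domain: the last two labels, or three when the
    last two form a known two-label public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_revdns(text):
    """Yield (ip_or_None, hostname) from hakrevdns-style output lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = normalize_host(fields[-1])
        ip = None
        if len(fields) > 1:
            try:
                ip = ipaddress.ip_address(fields[0])
            except ValueError:
                ip = None  # first field was not an IP; keep the host only
        yield ip, host


def parse_censys(text):
    """Yield host names from the jq-produced {"domains": [...]} lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        for name in json.loads(line).get("domains", []):
            yield normalize_host(name)


def build_inventory(revdns_text, censys_text, known_cidrs):
    """Return (hosts grouped by apex domain, hosts whose IP lies outside the
    known ranges). Unexpected apexes and out-of-range hosts are the items an
    inventory owner should review first."""
    by_apex = defaultdict(set)
    out_of_range = []
    for ip, host in parse_revdns(revdns_text):
        by_apex[apex_domain(host)].add(host)
        if ip is not None and not any(ip in net for net in known_cidrs):
            out_of_range.append((str(ip), host))
    for host in parse_censys(censys_text):
        by_apex[apex_domain(host)].add(host)
    return {k: sorted(v) for k, v in sorted(by_apex.items())}, out_of_range


if __name__ == "__main__":
    inventory, stray = build_inventory(REVDNS_OUTPUT, CENSYS_OUTPUT, KNOWN_CIDRS)
    for apex, hosts in inventory.items():
        print(f"{apex}: {', '.join(hosts)}")
    for ip, host in stray:
        print(f"outside known ranges: {host} ({ip})")
```

Run it as-is to see the constructed data grouped; in practice you would pipe the real tool output into the two parse functions and feed the CIDRs from the Amass intel step into KNOWN_CIDRS. The apex heuristic is deliberately small; swap in a Public Suffix List lookup before relying on it for domains under country-code registries.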
That's all for today, follow me here for more interesting posts about recon tips.
