top of page

How to find new domains of a Company using tools - Bug Bounty Recon

Updated: Apr 3, 2022

In this post, you will learn how to find new domains of any company using some of the best recon tools.


knockknock

This tool is written in GO-lang and used for reverse whois lookup. For more info check this here https://github.com/harleo/knockknock

Usage:-

Above command will fetch all the domains having "Registrant Email" as "hostmaster@sony.com". You can even use their Organisation Name or address to find new domains.


Amass

Amass is the all-in-one tool that you need for recon because it can do anything like subdomains enumeration, Organisation Lookup, ASN lookup, Reverse DNS, and reverse whois. For more info check this https://github.com/OWASP/Amass/

Usage:-

This command can fetch all ASN's and IP CIDR range of given organization.

amass intel -org 'Sony Corporation of America'

This command can fetch all IP's under any ASN(Autonomous System Number) and if you remove "-ip", it will fetch you domains/subdomains under that ASN.

amass intel -active -asn 3725 -ip

Give the CIDR range of any IP to this command and it will fetch you all domains under that

amass intel -active -cidr 160.33.96.0/23

Fetch new domains using ASN and whois with domain

amass intel -asn 3725 -whois -d sony.com

For subdomains using ASN and CIDR range:-

amass enum -d sony.com -active -cidr 160.33.99.0/24,160.33.96.0/23 -asn 3725

Never underestimate Amass for its speed!!


hakrevdns

Its simple and fast tool for reverse DNS lookup. Check this for more info https://github.com/hakluke/hakrevdns

Usage:-

Fetch all new domains/subdomains using CIDR in the below command.

prips 160.33.96.0/23 | ~/go/bin/hakrevdns -d

Censys Python

This is the last tool that I am sharing with you all. Simple to install using pip and it requires Censys API key. For installation follow this

Usage:-

Get SSL certificates hash of main domain which is used by other domains/subdomains of the same company.

censys search "sony.com" --index-type certs --max-record 100 | jq -c '.[] | {Certificateshash: ."parsed.fingerprint_sha256"}'

After that, you can fetch domains/subdomains using above SSL certificate hash value

censys search "parsed.fingerprint_sha256: 0585534aff7799bf147c075428d60992771726ce23e7601d6b977857a9e47737" --index-type certs --max-record 100 --fields parsed.names,parsed.fingerprint_sha256parsed.fingerprint_sha256,parsed.subject_dn | jq -c '.[] | {domains: ."parsed.names"}'

That's all for today, follow me here for more interesting posts about recon tips.



2,277 views0 comments

Recent Posts

See All
bottom of page