How to find new domains of a Company using tools - Bug Bounty Recon

Updated: Apr 3, 2022

In this post, you will learn how to find new domains of any company using some of the best recon tools.


This tool is written in Go and is used for reverse whois lookups. For more info, check this here.


The above command fetches all domains whose "Registrant Email" is "". You can also use the organisation name or address to find new domains.


Amass is the all-in-one tool you need for recon: it handles subdomain enumeration, organisation lookup, ASN lookup, reverse DNS, and reverse whois. For more info check this


This command can fetch all ASNs and IP CIDR ranges of a given organization.

amass intel -org 'Sony Corporation of America'

This command can fetch all IPs under any ASN (Autonomous System Number); if you remove "-ip", it will fetch the domains/subdomains under that ASN.

amass intel -active -asn 3725 -ip

Give a CIDR range to this command and it will fetch all domains under that range.

amass intel -active -cidr

Fetch new domains using ASN and whois with domain

amass intel -asn 3725 -whois -d

For subdomains using ASN and CIDR range:

amass enum -d -active -cidr, -asn 3725

Never underestimate Amass for its speed!!


It's a simple and fast tool for reverse DNS lookup. Check this for more info


Fetch all new domains/subdomains from a CIDR range with the command below.

prips | ~/go/bin/hakrevdns -d

Censys Python

This is the last tool that I am sharing with you all. It is simple to install using pip and requires a Censys API key. For installation follow this


Get the SSL certificate hashes for the main domain; the same certificates are often used by other domains/subdomains of the same company.

censys search "" --index-type certs --max-record 100 | jq -c '.[] | {Certificateshash: ."parsed.fingerprint_sha256"}'

After that, you can fetch domains/subdomains using the SSL certificate hash value from above.

censys search "parsed.fingerprint_sha256: 0585534aff7799bf147c075428d60992771726ce23e7601d6b977857a9e47737" --index-type certs --max-record 100 --fields parsed.names,parsed.fingerprint_sha256,parsed.subject_dn | jq -c '.[] | {domains: ."parsed.names"}'
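A certificate can list names that belong to other organisations (shared or CDN certificates), so the names returned by a fingerprint match should be checked against the programme's scope before anything else is done with them. The following is an added example, not part of the original post or of the Censys project: it assumes the CLI output is a JSON list of records keyed by the flat field name "parsed.names" (as the jq filter above implies), and the sample records and scope roots are constructed.

```python
import json

# Constructed sample shaped like the CLI's JSON output for the query above:
# a list of records keyed by the flat field name "parsed.names" (assumption).
SAMPLE = json.dumps([
    {"parsed.names": ["*.example.com", "example.com", "API.Example.com."]},
    {"parsed.names": ["shop.example.net", "cdn.thirdparty.test", "192.0.2.10"]},
    {"parsed.names": ["notexample.com", "*.dev.example.com"]},
    {"parsed.subject_dn": "CN=no-names-field"},
])


def normalize(name):
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_hostname(name):
    """Reject empty values and IP-address SANs (numeric last label)."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels) and not labels[-1].isdigit()


def in_scope(name, roots):
    """Match on a label boundary so notexample.com != example.com."""
    return any(name == r or name.endswith("." + r) for r in roots)


def triage(raw_json, roots):
    """Return (in_scope, needs_review) as sorted, de-duplicated lists."""
    roots = {normalize(r) for r in roots}
    names = set()
    for record in json.loads(raw_json):
        for entry in record.get("parsed.names") or []:
            host = normalize(entry)
            if is_hostname(host):
                names.add(host)
    scoped = sorted(n for n in names if in_scope(n, roots))
    review = sorted(names - set(scoped))
    return scoped, review


if __name__ == "__main__":
    scoped, review = triage(SAMPLE, ["example.com", "example.net"])
    print("in scope:", scoped)
    print("verify ownership before use:", review)
```

Names in the second list are not proof of ownership either way; confirm them against whois data or the programme's scope page.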

That's all for today, follow me here for more interesting posts about recon tips.
