Assets Discovery #
At a Glance #
Assets Discovery helps you identify new targets within the scope. These new seeds, or domains, broaden the attack surface and provide a better understanding of the target and its infrastructure.
Acquisitions #
Looking for acquisitions may expand the available assets if they are in scope.
Note: Look for newer acquisitions and verify that they are still valid.
ASN Enumeration #
An Autonomous System Number (ASN) is a unique number assigned to an Autonomous System (AS). An Autonomous System is a set of routers, or IP ranges, under a single technical administration.
ASNs are assigned in blocks by the Internet Assigned Numbers Authority (IANA) to regional Internet registries (RIRs). The appropriate RIR then assigns ASNs to entities within its designated area from the block assigned by IANA. [1]
Note: These ASNs will help us picture the entity’s IT infrastructure.
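Once an entity's ASNs and their announced prefixes are known, the practical question is which of the hosts found during enumeration actually sit inside that infrastructure. The following is an added example, not code from the original page: it takes a constructed table of prefixes per ASN (the kind of data one transcribes from the BGP Toolkit or an RIR lookup; the ASNs, prefixes and hostnames are all made up) and groups resolved hostnames by the ASN whose prefix contains them, flagging the ones that fall outside every known range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: announced prefixes per ASN. Private-use ASNs and
# documentation address blocks are used so nothing here refers to a real network.
ANNOUNCED_PREFIXES = {
    "AS64512": ["198.51.100.0/24", "2001:db8:100::/48"],
    "AS64513": ["203.0.113.0/25"],
}


def build_index(prefixes_by_asn):
    """Parse the prefix strings once into network objects, keyed by ASN."""
    index = {}
    for asn, prefixes in prefixes_by_asn.items():
        index[asn] = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return index


def asn_for_ip(ip, index):
    """Return (asn, network) for the most specific announced prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for asn, nets in index.items():
        for net in nets:
            # Comparing a v4 address against a v6 network would raise, so check the version first.
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (asn, net)
    return best


def classify_hosts(resolved_hosts, index):
    """Group (hostname, ip) pairs by owning ASN; hosts outside every prefix land under 'unknown'."""
    groups = defaultdict(list)
    for host, ip in resolved_hosts:
        match = asn_for_ip(ip, index)
        groups[match[0] if match else "unknown"].append(host)
    return dict(groups)


if __name__ == "__main__":
    # Constructed resolution results for hostnames found during enumeration.
    hosts = [
        ("www.example.com", "198.51.100.10"),
        ("mail.example.com", "2001:db8:100::25"),
        ("cdn.example.com", "192.0.2.7"),
        ("vpn.example.com", "203.0.113.77"),
    ]
    for asn, names in classify_hosts(hosts, build_index(ANNOUNCED_PREFIXES)).items():
        print(asn, names)
```

Hosts that land under `unknown` are usually third-party hosting or CDNs rather than the entity's own infrastructure, which is exactly the distinction the ASN data is meant to make visible.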
Online Tools #
The most reliable way to get these is manually, through Hurricane Electric’s BGP Toolkit.
Or through the regional registries’ services:
- Africa: AFRINIC - Regional Internet Registry for Africa
- Asia: APNIC - Regional Internet Registry for Asia Pacific
- Europe: RIPE
- Latin America: LACNIC - Internet Addresses Registry for Latin America and the Caribbean
- North America: ARIN - American Registry for Internet Numbers
Automated Tools #
OWASP Amass Intel #
The Amass intel module collects open-source intelligence for the target organization. It allows you to find root domain names associated with it.
amass intel -org <org-name>
amass intel -asn <asn>
Parameters
- intel: Discover targets for enumeration.
- -org <name>: Search <name> provided against AS description information.
- -asn <asn>: IP and ranges separated by commas.
Reverse WHOIS #
A WHOIS domain lookup allows you to trace the ownership of a domain name plus additional information such as expiration date, organization name, emails, addresses, and phone numbers.
Reverse WHOIS leverages these registries and allows us to perform lookups based on that additional information. [2]
Online Tools #
- Whoxy Whois API
- Reverse Whois Lookup
- DomainEye Reverse Whois
- domainIQ - Comprehensive domain name intelligence.
Automated Tools #
DomLink #
DomLink provides a helpful recursive search.
python domlink.py -A <whoxy-api-key> -C <org-name> -o target.out.txt
Whoxy API #
curl --no-progress-meter "https://api.whoxy.com/?key=<whoxy-api-key>&reverse=whois&name=<org-name>" | jq
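The curl command above returns raw JSON; the useful work is pulling the domains out of it and deciding which results genuinely belong to the organization rather than to a similarly named registrant. The following is an added example, not code from the page or from Whoxy: it parses a constructed response (the key names `status`, `status_reason`, `search_result`, `domain_name` and `registrant_contact` are assumed from the shape of Whoxy's API responses and should be checked against a real one; every value is invented), keeps only exact registrant matches after normalizing case and punctuation, and collects the registrant e-mails that would seed the next, recursive lookup.

```python
import json

# Constructed sample in the shape of a Whoxy reverse-WHOIS response.
# Key names are assumed from Whoxy's API documentation; all values are made up.
SAMPLE_RESPONSE = json.dumps({
    "status": 1,
    "total_results": 4,
    "search_result": [
        {"domain_name": "example.com",
         "registrant_contact": {"company_name": "Example Corp", "email_address": "domains@example.com"}},
        {"domain_name": "EXAMPLE.net",
         "registrant_contact": {"company_name": "Example Corp.", "email_address": "domains@example.com"}},
        {"domain_name": "example-store.co.uk",
         "registrant_contact": {"company_name": "Example Corp", "email_address": "it-ops@example.com"}},
        {"domain_name": "examplecorp-fanclub.org",
         "registrant_contact": {"company_name": "Example Corp Fans", "email_address": "fan@mail.test"}},
    ],
})


def load_results(raw):
    """Parse the API body and fail loudly on an error status instead of silently yielding nothing."""
    data = json.loads(raw)
    if data.get("status") != 1:
        raise ValueError("reverse whois query failed: %s" % data.get("status_reason", "unknown"))
    return data.get("search_result", [])


def normalize_org(name):
    """Fold case and punctuation so 'Example Corp.' and 'example corp' compare equal."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(cleaned.split())


def _matches(record, wanted):
    contact = record.get("registrant_contact") or {}
    return normalize_org(contact.get("company_name", "")) == wanted


def domains_for_org(records, org):
    """Domains whose registrant company equals org after normalization.

    Substring matching would also pull in 'Example Corp Fans', so an exact
    comparison is used; loosen it deliberately, not by accident.
    """
    wanted = normalize_org(org)
    return sorted({rec["domain_name"].lower() for rec in records if _matches(rec, wanted)})


def pivot_emails(records, org):
    """Registrant e-mails seen on matched records; each one is a seed for a further reverse lookup."""
    wanted = normalize_org(org)
    emails = set()
    for rec in records:
        if _matches(rec, wanted):
            email = (rec.get("registrant_contact") or {}).get("email_address")
            if email:
                emails.add(email.lower())
    return sorted(emails)


if __name__ == "__main__":
    records = load_results(SAMPLE_RESPONSE)
    print(domains_for_org(records, "example corp"))
    print(pivot_emails(records, "example corp"))
```

In practice the body of the `curl` call would be piped into `load_results` instead of the constructed sample, and each e-mail returned by `pivot_emails` becomes the `name` parameter of a follow-up query, which is the recursion DomLink automates.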
Tracking Codes #
Many companies share tracking codes across different products. Search for the IDs of popular services such as Google Analytics or Google AdSense.
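The correlation step behind this technique is mechanical: extract the tracking identifiers from each page and group pages that share one. The following is an added example, not code from the original page: it runs regular expressions for the Google Analytics and AdSense ID formats (plus Google Tag Manager containers, an assumption beyond the text) over constructed HTML snippets keyed by the host they came from, and reports only identifiers seen on more than one host. The hostnames and IDs are invented.

```python
import re
from collections import defaultdict

# ID formats for the services the page names; the regexes are assumptions
# about those formats and should be tuned if a real page uses a variant.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b"),
    "google_adsense": re.compile(r"\b(ca-pub-\d{10,20}|pub-\d{10,20})\b"),
    "google_tag_manager": re.compile(r"\b(GTM-[A-Z0-9]{4,9})\b"),
}

# Constructed HTML fragments keyed by the host they were fetched from.
PAGES = {
    "www.example.com": "<script>gtag('config', 'UA-1234567-1');</script><p>&copy; 2006-2020 Example Corp.</p>",
    "shop.example-store.co.uk": "ga('create', 'UA-1234567-2', 'auto'); <ins data-ad-client='ca-pub-1234567890123456'></ins>",
    "blog.example.org": "gtag('config', 'G-ABCD123XYZ'); data-ad-client='ca-pub-1234567890123456'",
    "unrelated.test": "ga('create', 'UA-7654321-1', 'auto');",
}


def extract_trackers(html):
    """Return the set of (service, identifier) pairs present in one page."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.finditer(html):
            ident = match.group(1)
            if kind == "google_analytics" and ident.startswith("UA-"):
                # UA-<account>-<property>: the account number is the part shared across sites.
                ident = ident.rsplit("-", 1)[0]
            found.add((kind, ident))
    return found


def group_hosts_by_tracker(pages):
    """Map each identifier to the sorted hosts using it, keeping only identifiers shared by >1 host."""
    groups = defaultdict(set)
    for host, html in pages.items():
        for key in extract_trackers(html):
            groups[key].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (service, ident), hosts in sorted(group_hosts_by_tracker(PAGES).items()):
        print("%s %s: %s" % (service, ident, ", ".join(hosts)))
```

Grouping on the Universal Analytics account number rather than the full property ID is the design choice that makes the link visible, since each site normally gets its own property suffix under one account. Run over an organization's own properties, the same grouping shows which sites an outsider could tie together this way.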
Online Tools #
Google Dorking #
Search for any company-wide distinctive text like:
- Copyright text
- Terms of service text
- Privacy Policy text
"© 2006-2020 Company, Corp." -site:*.domain.com inurl:company
Note: Other search engines, like Bing and DuckDuckGo, offer similar advanced search operators.
Shodan #
Shodan is a search engine for Internet-connected devices. Try filtering by organization (org:<org-name>) or hostname (hostname:<domain>).
Note: Shodan usually offers a $5 lifetime membership during Black Friday.
[1] “RFC 1930 - Guidelines for Creation, Selection, and Registration of an Autonomous System (AS).” IETF Tools, https://tools.ietf.org/html/rfc1930#section-3.
[2] “RFC 1834 - Whois and Network Information Lookup Service, Whois++.” IETF Tools, https://tools.ietf.org/html/rfc1834.