Assets Discovery

At a Glance #

Assets Discovery helps you identify new targets within the scope. These new seeds (root domains, IP ranges, cloud tenants) broaden the attack surface and give a better understanding of the target and its infrastructure.

Acquisitions #

Looking for acquisitions may expand the available assets, provided the acquired companies are covered by the program's scope.

Note: Prioritise recent acquisitions, and verify that each one is still owned by the target and still in scope before testing it.

ASN Enumeration #

An Autonomous System Number (ASN) is a unique number assigned to an Autonomous System (AS). An Autonomous System is a group of IP prefixes (and the routers announcing them) under a single technical administration with a single, clearly defined routing policy.

ASNs are assigned in blocks by Internet Assigned Numbers Authority (IANA) to regional Internet registries (RIRs). The appropriate RIR then assigns ASNs to entities within its designated area from the block assigned by IANA. 1

Note: These ASNs help map the entity's network infrastructure: each ASN resolves to the IP prefixes it originates, which become scan targets.

Online Tools #

The most reliable way to get these is manually, through Hurricane Electric's BGP Toolkit:

Or through the regional Internet registries' services (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC):

Note: With the advent of cloud infrastructure, ASNs rarely give a complete picture of a network. The target's own ASNs only cover its own address space; assets hosted on AWS, GCP, or Azure sit inside the cloud providers' ASNs and will not show up there.

Automated Tools #

OWASP Amass Intel #

Amass intel module collects open-source intelligence for the target organization. It allows you to find root domain names associated with it.

amass intel -org <org-name>
amass intel -asn <asn>
  • intel: Discover targets for enumeration.
  • -org <name>: Search the string provided against AS description information.
  • -asn <asn>: ASNs separated by commas (the flag can be repeated).
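
Once an ASN is known it still has to be turned into prefixes. The following is an added example (not code from this page or from the Amass project) that parses the RPSL route objects returned by a RADb query such as `whois -h whois.radb.net -- '-i origin AS64496'`, keeps only the objects whose `origin:` really is the target ASN, and collapses overlapping prefixes. The embedded whois output is constructed for the example and uses only documentation ASNs and address ranges (RFC 5398, RFC 5737, RFC 3849); the `radb_lookup` helper is an assumed wrapper around the system `whois` client.

```python
import ipaddress
import re
import subprocess

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS64496'`
# returns (RPSL route objects). AS64496 is a documentation ASN and the
# prefixes are documentation ranges, so nothing here is a real target.
SAMPLE_RADB = """\
route:          192.0.2.0/24
descr:          Example Corp
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          192.0.2.0/25
descr:          Example Corp - more specific, duplicates the /24 above
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
descr:          Example Corp
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
descr:          Stale object, originated by another AS
origin:         AS64497
source:         RADB

route6:         2001:db8::/32
descr:          Example Corp IPv6
origin:         AS64496
source:         RADB
"""


def parse_route_objects(text):
    """Split RPSL output into dicts, one per route/route6 object."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            m = re.match(r"^([\w-]+):\s*(.*)$", line)
            if m:
                obj.setdefault(m.group(1), m.group(2).strip())
        if "route" in obj or "route6" in obj:
            objects.append(obj)
    return objects


def prefixes_for_asn(text, asn):
    """Return the collapsed list of prefixes whose origin: matches asn.

    Objects with a different origin are dropped: a prefix that the IRR lists
    under another AS is not evidence that it belongs to the target. Overlapping
    prefixes are merged with ipaddress.collapse_addresses so a scanner sees
    each range once. IPv4 and IPv6 are collapsed separately (the helper refuses
    to mix versions) and returned v4 first, each group in sorted order.
    """
    asn = asn.upper()
    if not asn.startswith("AS"):
        asn = "AS" + asn
    v4, v6 = [], []
    for obj in parse_route_objects(text):
        if obj.get("origin", "").upper() != asn:
            continue
        net = ipaddress.ip_network(obj.get("route") or obj.get("route6"), strict=False)
        (v6 if net.version == 6 else v4).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def radb_lookup(asn):
    """Live lookup through the system whois client (assumed wrapper, not used
    by the offline demo below)."""
    out = subprocess.run(
        ["whois", "-h", "whois.radb.net", "--", f"-i origin {asn}"],
        capture_output=True, text=True, check=True)
    return prefixes_for_asn(out.stdout, asn)


if __name__ == "__main__":
    for prefix in prefixes_for_asn(SAMPLE_RADB, "AS64496"):
        print(prefix)
```

The origin check matters in practice: IRR databases contain stale and third-party route objects, and a query by ASN can return prefixes that were re-assigned long ago. Cross-check the collapsed list against what the ASN actually announces in BGP (Hurricane Electric's toolkit shows that) before treating a range as in scope.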

Reverse WHOIS #

A WHOIS domain lookup allows you to trace the ownership of a domain name plus additional information such as expiration date, organization name, emails, addresses, phone numbers.

Reverse WHOIS leverages these records and allows us to perform lookups based on that additional information (registrant organisation, email address, name), turning one known domain into the set of domains registered with the same details.2

Online Tools #

Automated Tools #

DomLink provides a helpful recursive search: it pivots on the registrant details returned by Whoxy (organisation name, email address) and re-queries on each new value it finds. Its entry point is domLink.py:

python domLink.py -A <whoxy-api-key> -C <org-name> -o target.out.txt

Whoxy API #

curl --no-progress-meter "https://api.whoxy.com/?key=<whoxy-api-key>&reverse=whois&name=<org-name>" | jq
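
The recursive pivot that makes DomLink useful is easy to get wrong: pivot on every registrant field and the search wanders into unrelated domains. The following is an added example, not code from this page, from DomLink or from Whoxy, that implements the pivot offline. The records are constructed and only model the shape of Whoxy's reverse-WHOIS results (a `domain_name` plus a `registrant_contact` block); field names and the `fake_reverse_whois` lookup are assumptions, and a real run would replace that lookup with a call to the API endpoint shown above, mapping each pivot field to the corresponding query parameter.

```python
import json
from collections import deque

# Constructed stand-in for the Whoxy reverse-whois API. Each entry mimics the
# shape of one result (domain_name plus a registrant_contact block); the
# companies, people and domains are invented for this example.
FAKE_RECORDS = json.loads("""
[
 {"domain_name": "example-corp.com",
  "registrant_contact": {"company_name": "Example Corp",
                         "full_name": "Alice Admin",
                         "email_address": "domains@example-corp.com"}},
 {"domain_name": "examplecorp-cloud.net",
  "registrant_contact": {"company_name": "Example Corp",
                         "full_name": "Alice Admin",
                         "email_address": "domains@example-corp.com"}},
 {"domain_name": "acquired-startup.io",
  "registrant_contact": {"company_name": "Acquired Startup Inc",
                         "full_name": "Bob Founder",
                         "email_address": "domains@example-corp.com"}},
 {"domain_name": "bobs-personal-blog.org",
  "registrant_contact": {"company_name": "",
                         "full_name": "Bob Founder",
                         "email_address": "bob@personalmail.example"}},
 {"domain_name": "unrelated.biz",
  "registrant_contact": {"company_name": "Unrelated LLC",
                         "full_name": "Carol Other",
                         "email_address": "noc@unrelated.biz"}}
]
""")


def fake_reverse_whois(field, value):
    """Offline substitute for the API: exact (case-insensitive) match on one
    registrant field. Assumed interface, not Whoxy's."""
    return [r for r in FAKE_RECORDS
            if r["registrant_contact"].get(field, "").lower() == value.lower()]


def pivot_reverse_whois(seed_company, lookup,
                        pivot_fields=("company_name", "email_address")):
    """Recursive reverse WHOIS in the style of DomLink.

    Start from a company name, then re-query on every new registrant value in
    pivot_fields that shows up in the results. Registrant person names
    (full_name) are deliberately not pivoted on: the same person registers
    private domains, and pivoting on the name is the usual way a recursive
    search wanders out of scope (bobs-personal-blog.org above). Returns
    {domain: "field=value"} so each domain can be traced to the pivot that
    produced it when reviewing the results.
    """
    queue = deque([("company_name", seed_company)])
    seen_pivots = set()
    domains = {}
    while queue:
        field, value = queue.popleft()
        key = (field, value.lower())
        if key in seen_pivots:
            continue
        seen_pivots.add(key)
        for rec in lookup(field, value):
            domains.setdefault(rec["domain_name"], f"{field}={value}")
            for f in pivot_fields:
                v = rec["registrant_contact"].get(f, "")
                if v and (f, v.lower()) not in seen_pivots:
                    queue.append((f, v))
    return domains


if __name__ == "__main__":
    for dom, via in sorted(pivot_reverse_whois("Example Corp", fake_reverse_whois).items()):
        print(f"{dom:28} via {via}")
```

Starting from "Example Corp" the walk reaches acquired-startup.io through the shared registrant mailbox, while Bob's personal blog and the unrelated company stay out. Every pivot costs an API query, so the `seen_pivots` set is what keeps the recursion bounded; keep the "via" value with each domain, because a result that only arrived through a generic mailbox or a registrar's privacy proxy needs manual confirmation before it goes into scope.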

Tracking Codes #

Many companies share tracking codes across different products. Search for the IDs of popular services such as Google Analytics, Google Tag Manager, or Google AdSense: a site that embeds the same ID as a known target is a strong lead for an unlisted asset.
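
As an added example (not code from this page or from any of the services named), the snippet below extracts the common Google identifiers from page source and groups hosts by the identifier they share. The HTML fragments, hostnames and IDs are constructed for the example; the regular expressions follow the documented ID formats but with deliberately loose bounds, and are an assumption rather than an official grammar.

```python
import re
from collections import defaultdict

# Patterns for the most common shared identifiers: Universal Analytics
# (UA-<property>-<view>), GA4 measurement IDs (G-...), Tag Manager containers
# (GTM-...) and AdSense publisher IDs (ca-pub-...). Bounds are kept loose.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4":              re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "tag_manager":      re.compile(r"\bGTM-[A-Z0-9]{4,9}\b"),
    "adsense":          re.compile(r"\bca-pub-\d{10,20}\b"),
}

# Constructed HTML fragments standing in for fetched pages; the hosts and IDs
# are invented for this example.
PAGES = {
    "www.example-corp.com": """
        <script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-1"></script>
        <script>gtag('config', 'UA-1234567-1'); gtag('config', 'G-ABCDE12345');</script>""",
    "shop.example-corp.com": """
        <script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-ABCD123');</script>
        <script>gtag('config', 'UA-1234567-3');</script>""",
    "forgotten-brand.net": """
        <script>gtag('config', 'UA-1234567-7');</script>
        <script data-ad-client="ca-pub-1234567890123456"></script>""",
    "unrelated-site.org": """
        <script>gtag('config', 'UA-7654321-1');</script>""",
}


def extract_tracking_ids(html):
    """Return {kind: set(ids)} for every tracking identifier found in html."""
    found = defaultdict(set)
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.findall(html):
            found[kind].add(match)
    return dict(found)


def property_key(kind, tracking_id):
    """Normalise an ID to the part that is shared across an organisation.

    For UA-<property>-<view> the trailing view number differs per site while
    the property number is the shared piece, so compare on UA-<property>.
    Other kinds are compared whole.
    """
    if kind == "google_analytics":
        return "UA-" + tracking_id.split("-")[1]
    return tracking_id


def cluster_by_tracker(pages):
    """Map each identifier that appears on more than one host to those hosts."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        for kind, ids in extract_tracking_ids(html).items():
            for tracking_id in ids:
                clusters[property_key(kind, tracking_id)].add(host)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    for ident, hosts in sorted(cluster_by_tracker(PAGES).items()):
        print(ident, "->", ", ".join(hosts))
```

Here forgotten-brand.net surfaces because it carries a view of the same UA property as the two known hosts. Treat a shared ID as a lead, not proof of ownership: agencies manage analytics properties for many unrelated clients, and IDs get copied along with page templates, so confirm the relationship (WHOIS, certificates, content) before adding the host to scope.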

Online Tools #

Google Dorking #

Search for any company-wide distinctive text, such as:

  • Copyright text
  • Terms of service text
  • Privacy Policy text

"© 2006-2020 Company, Corp." -site:* inurl:company


Other search engines, like Bing and DuckDuckGo, offer similar advanced search operators:

Shodan #

Shodan is a search engine for Internet-connected devices. Try filtering by organization (org:"<org-name>") or by hostname (hostname:<domain>).

Note: Shodan usually offers a $5 lifetime membership during Black Friday.

  1. "RFC 1930 - Guidelines for Creation, Selection, and Registration of an Autonomous System (AS)." IETF.

  2. "RFC 1834 - Whois and Network Information Lookup Service, Whois++." IETF.