Assets Discovery

Assets Discovery

At a Glance

Assets Discovery helps you identify new targets within the scope. These new seeds, or domains, will broader the attack surface and provide a better understanding of the target and its infrastructure.

Acquisitions

Looking for acquisitions may expand the available assets if they are in scope.

Note: Look for newer acquisitions and verify it they are still valid

ASN Enumeration

An Autonomous System Number (ASN) is a unique number assigned to an Autonomous System (AS). An Autonomous System is a set of routers, or IP ranges, under a single technical administration.

ASNs are assigned in blocks by Internet Assigned Numbers Authority (IANA) to regional Internet registries (RIRs). The appropriate RIR then assigns ASNs to entities within its designated area from the block assigned by IANA. 1

Note: These ASN’s will help us picture the entity’s IT infrastructure.

Online Tools

The most reliable way to get these is manually through Hurricane Electric’s BGP Toolkit:

Or thought the regional registries services:

Note: Because of the advent of cloud infrastructure, ASNs may not provide a complete picture of a network. Assets could also exist on cloud environments like AWS, GCP, and Azure.

Automated Tools

OWASP Amass Intel

Amass intel module collects open-source intelligence for the target organization. It allows you to find root domain names associated with it.

amass intel -org <org-name>
amass intel -asn <asn>
Parameters
  • intel: Discover targets for enumeration.
  • -org <name>: Search <name> provided against AS description information.
  • -asn <asn>: IP and ranges separated by commas.

Reverse WHOIS

A WHOIS domain lookup allows you to trace the ownership of a domain name plus additional information such as expiration date, organization name, emails, addresses, phone numbers.

Reverse WHOIS leverage these registries and allow us to perform lookups based on that additional information.2

Online Tools

Automated Tools

Domlink provides a helpful recursive search.

python domlink.py -A <whoxy-api-key> -C <org-name> -o target.out.txt

Whoxy API

curl --no-progress-meter "https://api.whoxy.com/?key=<whoxy-api-key>&reverse=whois&name=<org-name>" | jq

Tracking Codes

Many companies share tracking codes across different products. Search for popular services IDs like Google Analytics or Google Adsense.

Online Tools

Google Dorking

Search for any company-wide distinctive text like:

  • Copyright text
  • Terms of service text
  • Privacy Policy text
"© 2006-2020 Company, Corp." -site:*.domain.com inurl:company

Note: Other search engines, like Bing and DuckDuckGo, offer similar advanced search operators:

Shodan

Shodan is a search engine for Internet-connected devices. Try filter by organization: org:<org-name> or hostname: hostname: <domain>.

Note: Shodan usually offers a $5 lifetime membership during Black Friday.


  1. “RFC 1930 - Guidelines for Creation, Selection, and Registration of an Autonomous System (AS).” IETF Tools, https://tools.ietf.org/html/rfc1930#section-3. ↩︎

  2. “RFC 1834 - Whois and Network Information Lookup Service, Whois++.” IETF Tools, https://tools.ietf.org/html/rfc1834. ↩︎