Domain Information
(Infrastructure Based Enumeration)
This type of information is gathered passively without direct and active scans. In other words, we remain hidden and navigate as "customers" or "visitors" to avoid direct connections to the company that could expose us.
The first thing we should do is scrutinize the company's
main websiteThen, we should read through the texts, keeping in mind what technologies and structures are needed for these services
The first point of presence on the Internet may be the
SSL certificatefrom the company's main website. Often, such a certificate includes more than just a subdomain, and this means that the certificate is used for several domains, and these are most likely still activeAnother source to find more subdomains is crt.sh.
Save output from crt.sh in JSON format
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jqSort output by name from crt.sh from the JSON format
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -uNext, we can identify the hosts directly accessible from the Internet and not hosted by third-party providers (This is because we are not allowed to test the hosts without the permission of third-party providers)
Company hosted servers
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done Once we see which hosts can be investigated further, we can generate a list of IP addresses with a minor adjustment to the cut command and run them through Shodan
Shodan - IP list
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
for i in $(cat ip-addresses.txt);do shodan host $i;doneNow, we can display all the available DNS records where we might find more hosts.
DNS records
dig any inlanefreight.com(domain name)Last updated