Domain Information

Online Presence:

Certificate Transparency logs

Download the SSL certificate logs for the domain:

$ curl -s https://crt.sh/\?q\=domainname.com\&output\=json | jq .

Filtering the output:

Filter by unique subdomains:

$ curl -s https://crt.sh/\?q\=domainname.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
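The same filter as a parser, useful when inventorying the hostnames your own domain exposes through issued certificates. This is an added example, not part of the original notes: the `ct_names` function and the sample records are constructed for illustration, and it goes beyond the one-liner by separating wildcard entries and dropping names outside the domain.

```python
import json

# Constructed sample of a crt.sh JSON response (not real data).
SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "www.domainname.com",
     "name_value": "www.domainname.com\ndomainname.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "*.dev.domainname.com",
     "name_value": "*.dev.domainname.com\nVPN.domainname.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "mail.domainname.com",
     "name_value": "admin@domainname.com\nmail.domainname.com."},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "common_name": "notdomainname.com",
     "name_value": "notdomainname.com\nshop.domainname.com.cdn.example.net"},
])


def ct_names(raw_json, domain):
    """Return (hostnames, wildcard_bases) in scope for `domain`."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # name_value holds one or more names separated by newlines.
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:  # skip blanks and e-mail entries
                continue
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Suffix match on a label boundary, so look-alike or
            # third-party names do not leak into the inventory.
            if base != domain and not base.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(base)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = ct_names(SAMPLE, "domainname.com")
    print("\n".join(hosts))
    print("wildcards:", ", ".join(wildcards))
```

To run it on live data, pass the body returned by the `curl` command above as `raw_json` instead of `SAMPLE`.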

Filter by company-hosted servers (subdomainlist holds the output of the previous command, one name per line):

$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

Finding IoT Devices:

$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
$ for i in $(cat ip-addresses.txt);do shodan host $i;done

DNS records:

$ dig any domain.com

  • A Records: Map a domain name to an IPv4 address:

domain.com IN A 192.0.2.1

  • PTR Records: Map an IPv4 address to a domain name:

1.2.3.4.in-addr.arpa. IN PTR example.com

  • MX Records (Mail Exchange): Point to the mail server responsible for forwarding mail on behalf of a domain:

example.com. IN MX 10 mail.example.com.

  • NS Records: Name the servers responsible for providing DNS information for the domain "example.com":

example.com IN NS ns1.example.com

  • TXT Records: Often contain verification keys for different third-party providers and other security aspects of DNS:

example.com IN TXT "v=spf1 mx -all"
