Domain Information

Online Presence:

• SSL certificates.

• IOT devices.

• DNS records.

crt.sh | Certificate Searchcrt.sh

Certificate Transparency logs

Download the SSL certificates logs:

$ curl -s https://crt.sh/\?q\=domainname.com\&output\=json | jq .

Filtering the output:

Filter by unique subdomains:

$ curl -s https://crt.sh/\?q\=domainname.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

Filter by company-hosted servers:

$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

Finding IOT Devices:

$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
$ for i in $(cat ip-addresses.txt);do shodan host $i;done

DNS records:

$ dig any domain.com

• A Records: Maps a domain name to IPV4 Address:

domain.com IN A 192.0.2.1

• PTR Records: Maps an IPV4 Address to a domain name: 1.2.3.4.in-addr.arpa. IN PTR example.com

• MX Records: Points to the mail server responsible for forwarding mail on behalf of a domain. (Mail Exchange) example.com. IN MX 10 mail.example.com.

• NS Records: responsible for providing DNS information for the domain "example.com". example.com IN NS ns1.example.com

• TXT Records: often contains verification keys for different third-party providers and other security aspects of DNS. example.com IN TXT "v=spf1 mx -all"