Domain Information

Online Presence

Source to find more subdomains: crt.sh

Output the results in JSON format

neutron@kali[/kali]$ curl -s https://crt.sh/\?q\=LEGALCORP.com\&output\=json | jq .

[
  {
    "issuer_ca_id": 23451835427,
    "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
    "common_name": "matomo.LEGALCORP.com",
    "name_value": "matomo.LEGALCORP.com",
    "id": 50815783237226155,
    "entry_timestamp": "2021-08-21T06:00:17.173",
    "not_before": "2021-08-21T05:00:16",
    "not_after": "2021-11-19T05:00:15",
    "serial_number": "03abe9017d6de5eda90"
  },
  { ... SNIP ...

Filter the output down to the unique subdomains:

neutron@kali[/kali]$ curl -s https://crt.sh/\?q\=LEGALCORP.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

account.ttn.LEGALCORP.com
blog.LEGALCORP.com
bots.LEGALCORP.com
console.ttn.LEGALCORP.com
ct.LEGALCORP.com
data.ttn.LEGALCORP.com
*.LEGALCORP.com
LEGALCORP.com
integrations.ttn.LEGALCORP.com
iot.LEGALCORP.com
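As an added example (not part of the original notes), a small Python parser that does the job of the grep/cut/awk pipeline above more robustly: it splits the newline-separated name_value field (a single certificate can carry several SANs, which is why the pipeline needs the awk gsub), lowercases for deduplication, keeps only names under the scope domain, drops wildcards, and uses the not_after field to flag hosts whose newest certificate has already expired. The JSON is a constructed sample modelled on the crt.sh output above, not a real query result.

```python
import json
from datetime import datetime

CRTSH_TS = "%Y-%m-%dT%H:%M:%S"  # format of crt.sh not_before / not_after values

# Constructed sample modelled on the crt.sh JSON above (irrelevant keys omitted), not
# a real query result: entry 2 packs three SANs into one newline-separated name_value,
# entry 3 is an expired certificate, entry 4 is an out-of-scope lookalike name.
SAMPLE_CRTSH_JSON = r"""[
  {"common_name": "matomo.LEGALCORP.com", "name_value": "matomo.LEGALCORP.com",
   "not_after": "2021-11-19T05:00:15"},
  {"common_name": "LEGALCORP.com",
   "name_value": "LEGALCORP.com\n*.LEGALCORP.com\nblog.LEGALCORP.com",
   "not_after": "2021-11-19T05:00:15"},
  {"common_name": "iot.legalcorp.com", "name_value": "iot.legalcorp.com\nBLOG.LEGALCORP.COM",
   "not_after": "2020-02-29T00:00:00"},
  {"common_name": "notLEGALCORP.com", "name_value": "notLEGALCORP.com",
   "not_after": "2021-11-19T05:00:15"}
]"""

def in_scope(host: str, scope_domain: str) -> bool:
    """True only for the scope domain itself or a subdomain of it (label boundary kept)."""
    host, scope_domain = host.lower(), scope_domain.lower()
    return host == scope_domain or host.endswith("." + scope_domain)

def hosts_from_crtsh(raw_json: str, scope_domain: str) -> dict:
    """Map each unique in-scope hostname to the newest not_after seen for it; splits
    multi-SAN name_value fields, lowercases for dedup and drops wildcard names."""
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.strptime(entry["not_after"], CRTSH_TS)
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*.") or not in_scope(name, scope_domain):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest

def split_by_validity(latest: dict, as_of: str) -> tuple:
    """Split hosts into (current, expired) as of a crt.sh-format timestamp; an expired
    newest cert hints at a stale DNS record or retired service, so verify with host/dig."""
    cutoff = datetime.strptime(as_of, CRTSH_TS)
    current = sorted(h for h, exp in latest.items() if exp >= cutoff)
    expired = sorted(h for h, exp in latest.items() if exp < cutoff)
    return current, expired

if __name__ == "__main__":
    found = hosts_from_crtsh(SAMPLE_CRTSH_JSON, "LEGALCORP.com")
    print(split_by_validity(found, "2021-09-01T00:00:00"))
```

To use it on live data, feed the body of the curl command above to hosts_from_crtsh and pass today's date to split_by_validity; the current list is what goes into subdomainlist for the host loop.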

Identify the hosts directly accessible from the Internet and not hosted by third-party providers.

neutron@kali[/kali]$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep LEGALCORP.com | cut -d" " -f1,4;done

blog.LEGALCORP.com 10.129.24.93
LEGALCORP.com 10.129.27.33
matomo.LEGALCORP.com 10.129.127.22
www.LEGALCORP.com 10.129.127.33
s3-website-us-west-2.amazonaws.com 10.129.95.250

Generate a list of IP addresses with a minor adjustment to the cut command and run them through Shodan.

Shodan can be used to find devices and systems permanently connected to the Internet, such as Internet of Things (IoT) devices.

Shodan - IP List

neutron@kali[/kali]$ for i in $(cat subdomainlist);do host $i | grep "has address" | grep LEGALCORP.com | cut -d" " -f4 >> ip-addresses.txt;done
neutron@kali[/kali]$ for i in $(cat ip-addresses.txt);do shodan host $i;done

10.129.24.93
City:                    Berlin
Country:                 Germany
Organization:            LEGALCORP
Updated:                 2021-09-01T09:02:11.370085
Number of open ports:    2

Ports:
     80/tcp nginx 
    443/tcp nginx 

10.129.27.33
City:                    Berlin
Country:                 Germany
Organization:            LEGALCORP
Updated:                 2021-08-30T22:25:31.572717
Number of open ports:    3

Ports:
     22/tcp OpenSSH (7.6p1 Ubuntu-4ubuntu0.3)
     80/tcp nginx 
    443/tcp nginx 
        |-- SSL Versions: -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.3, TLSv1.2
        |-- Diffie-Hellman Parameters:
                Bits:          2048
                Generator:     2

Display all the available DNS records where we might find more hosts.

neutron@kali[/kali]$ dig any LEGALCORP.com

; <<>> DiG 9.16.1-Ubuntu <<>> any LEGALCORP.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52058
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;LEGALCORP.com.             IN      ANY

;; ANSWER SECTION:
LEGALCORP.com.      300     IN      A       10.129.27.33
LEGALCORP.com.      300     IN      A       10.129.95.250
LEGALCORP.com.      3600    IN      MX      1 aspmx.l.google.com.
LEGALCORP.com.      3600    IN      MX      10 aspmx2.googlemail.com.
LEGALCORP.com.      3600    IN      MX      10 aspmx3.googlemail.com.
LEGALCORP.com.      3600    IN      MX      5 alt1.aspmx.l.google.com.
LEGALCORP.com.      3600    IN      MX      5 alt2.aspmx.l.google.com.
LEGALCORP.com.      21600   IN      NS      ns.inwx.net.
LEGALCORP.com.      21600   IN      SOA     ns.inwx.net. hostmaster.inwx.net. 2021072600 10800 3600 604800 3600

;; Query time: 332 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mi Sep 01 18:27:22 CEST 2021
;; MSG SIZE  rcvd: 940

Cloud Resources

Google Search for AWS

intext:pdf inurl:amazonaws.com

Google Search for Azure

intext:pdf inurl:blob.core.windows.net

Third-party providers
domain.glass
GrayHatWarfare