Conducting preliminary reconnaissance is one of the most critical processes in penetration testing. Without it, it is impossible to move forward.
In many cases, hosts and domain names of companies do not include the actual company name. Therefore finding this data can be hard and time-consuming. To get this data, pentesters utilize standard methods such as ASN or scope information (e.g., bug bounty ToE or IP block).
There are many methods like DNS brute force, finding subdomains, or exploring IP ranges of target and each IPv4 host. Services like Spyse allow you to retrieve this data quicker, faster and manual.
One of the best cases demonstrating the value of this information is the ability to see under-the-hood relationships of different organizations. With some research, you’ll notice that many companies seemingly compete with each other while figuratively being branches of the same tree. Many businesses are sub-divisions of prominent corporations, who can create “fake wars” that generate more profit. This kind of information is precious to business analysts for many reasons. There are also cases when attackers seek vulnerabilities in one company to get access to another, seeing as they’re all connected under one hood.
For example, the company AVIS.com has most of its subdomains on AS16625. Budget.com is located on the same AS.
By looking at SOA records, you’ll see that both companies share the same hostmaster – [email protected].
To investigate and learn more about these two companies and find how they’re connected, you’d have to obtain all the AS numbers of AVIS and Budget, then filter the results and compare them. Doing this will quickly show you the relationship between these two groups.
One technique that can be used for a similar investigation and research would be checking the organizational field in an SSL Certificate, which is shared by multiple domains.
Also, a similar type of search can be achieved using some services like the aforementioned one. You can do it both manually and also use the automatic option. You could even go as far as to write your own small script that could tap into the database and save you a lot of time. The script can perform the following functions:
- Use the API of the service you choose to search the organization string matching for example ‘Snapchat Inc.’
- Parse the Common Name and Alternative Names from the SSL Certificate response
- Perform a DNS lookup for each name found
This helps significantly speed up the process of obtaining this information. Toolsets like these can be used to better understand and get better access to information on how all of this works, and it can help greatly people who have limited technical knowledge. It can be a useful tool for people who want to go in-depth with their analytics and check the best way how to grow and maintain their business.
