Perimeter
DNS
$ nslookup example.com
Subdomains & AXFR
AS details
$ whois example.com
$ whois 127.0.0.1
Check for DNS Amplification
CMS, Stack, Vulns
WhatWeb, Wappalyzer
Shodan / Censys / SecurityTrails
Google Dorks
/robots.txt
/sitemap.xml
Autonomous Systems
Info via IP
dig:
$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short
whois:
$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1
Info via ASN
whois:
$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666
Search AS
Map IP addresses to AS by origin and netname, ignoring potentially unwanted netname values by keyword:
#!/bin/bash
# Usage: whois.sh ip_list.txt
# Prints "origin ASN(s),netname,ip" per address, skipping consumer-access netnames (pppoe/ipoe)
while read -r ip; do
    [ -z "$ip" ] && continue
    WHOIS=$(whois "$ip")
    # "$WHOIS" must stay quoted so line breaks survive and grep matches single fields
    ASNUM=$(echo "$WHOIS" | grep -i "origin:" | tr -d ' ' | cut -d ":" -f 2 | paste -sd ',')
    NETNAME=$(echo "$WHOIS" | grep -i "netname:" | tr -d ' ' | cut -d ":" -f 2 | head -n 1)
    if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
        echo "$ASNUM,$NETNAME,$ip"
    fi
done < "$1"
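As an added example (not part of the original notes), a small Python parser for the pipe-delimited verbose output of the whois.cymru.com lookups above, which groups addresses by origin ASN and applies the same keyword exclusion as the script, here on the AS Name column rather than netname. The AS numbers and prefixes in the sample are constructed from the documentation-reserved ranges, and the "NA" row shows how an unrouted address comes back.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of Team Cymru verbose output (whois -h whois.cymru.com -- '-v <ip>').
# ASNs 64496-64511 and 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 are reserved for documentation.
SAMPLE_CYMRU = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | ripencc  | 2001-01-01 | EXAMPLE-CORP, ZZ
64497   | 198.51.100.7     | 198.51.100.0/24     | ZZ | ripencc  | 2002-02-02 | EXAMPLE-ISP-PPPOE, ZZ
NA      | 203.0.113.5      | NA                  | NA | NA       | NA         | NA
"""

@dataclass(frozen=True)
class AsnRecord:
    asn: str
    ip: str
    prefix: str
    as_name: str

def parse_cymru(text):
    """Parse pipe-delimited Cymru verbose output into records; skip the header and malformed rows."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, _cc, _registry, _allocated, as_name = fields
        records.append(AsnRecord(asn=asn, ip=ip, prefix=prefix, as_name=as_name))
    return records

def consistent(rec):
    """True when the IP really falls inside the announced BGP prefix (an 'NA' row never does)."""
    if rec.prefix == "NA":
        return False
    return ipaddress.ip_address(rec.ip) in ipaddress.ip_network(rec.prefix, strict=False)

def group_by_asn(records, exclude_keywords=("pppoe", "ipoe")):
    """Map ASN -> sorted IPs, dropping unrouted 'NA' rows and rows whose AS Name
    matches consumer-access keywords (same idea as the netname filter in the script above)."""
    groups = {}
    for rec in records:
        name = rec.as_name.lower()
        if rec.asn == "NA" or any(k in name for k in exclude_keywords):
            continue
        groups.setdefault(rec.asn, []).append(rec.ip)
    return {asn: sorted(ips, key=ipaddress.ip_address) for asn, ips in groups.items()}
```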
One-liner providing the input from DivideAndScan:
$ for i in `das -db corp scan -ports all -show -raw | sort -u`; do whois $i | grep -e org-name: -e netname: -e route: -e origin:; echo ---; done
Using asnmap:
$ asnmap -i `das -db corp scan -ports all -show -raw | sort -u | sed -z 's/\n/,/g;s/,$/\n/'` -silent
$ asnmap -d `cat domains.txt | sed -z 's/\n/,/g;s/,$/\n/'` -silent
The difference between as-name, aut-num, origin, netname, etc. is documented on RIPE.