🛡️ Methodology Checklist
- WHOIS lookup: whois [DOMAIN] — note registrar, contacts, DNS servers
- ASN and netblock lookup: bgp.he.net, whois -h whois.radb.net
- Shodan search: ssl.cert.subject.CN:[DOMAIN], http.title:""
- Google dorks: site:[DOMAIN] -www, inurl:login site:[DOMAIN]
- LinkedIn/job postings for tech stack and team info
- Check for leaked documents: site:[DOMAIN] filetype:pdf OR xls
- Identify subsidiaries and M&A targets
🎯 Operational Context
Think Dumber First: WHOIS, crt.sh, and Shodan take 5 minutes and reveal nameservers, registrar contacts, IP ranges, and sometimes internal email addresses — all passively, with zero footprint on target. This data feeds directly into later attacks: registrar contact → social engineering, IP range → expanded scanning scope, email addresses → phishing/spraying.
When you land here: New target domain. Run full passive sweep before any active enumeration. Collect: WHOIS data, NS records, MX records, SSL cert SANs, Shodan indexed services, Google-dorked documents, LinkedIn employee list. Store all findings in organized notes.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq . \| grep name \| cut -d":" -f2 \| grep -v "CN=" \| cut -d'"' -f2 \| awk '{gsub(/\\n/,"\n");}1;' \| sort -u | Extract unique subdomains from Certificate Transparency logs |
| host [SUBDOMAIN] | Resolve subdomain to IP for self-hosted vs. third-party detection |
| for i in $(cat ip-addresses.txt); do shodan host $i; done | Shodan passive scan of identified IPs |
| dig ns [DOMAIN] @[TARGET_IP] | Identify authoritative nameservers |
| dig any [DOMAIN] @[TARGET_IP] | Query all available DNS records |
| dig axfr [DOMAIN] @[TARGET_IP] | Zone transfer — dump entire zone file |
🔬 Deep Dive & Workflow
Core Concept
Domain information gathering is a passive phase: analyzing the target's internet presence without active scanning. Goal: understand the company's functionality, technologies, and structure from a developer's perspective.
Mindset: “What technical aspects are necessary to provide this service?”
1. SSL/TLS Certificate Transparency
Certificates issued for subdomains are publicly logged. Search these logs to find subdomains created in the past (even if retired).
- Source: crt.sh — public CT log browser.
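The crt.sh pipeline in the tactical cheatsheet can also be written as a few lines of Python, which keeps the result as a reviewable inventory rather than a one-off terminal dump. The script below is an added example, not part of the original notes: it parses the JSON shape crt.sh returns (the `name_value` field carries every SAN, newline-separated, which is what the awk in the pipeline rewrites; `not_after` is the certificate expiry), collapses wildcard names, keeps only names that are the target domain or a child of it, and flags names that survive only on expired certificates, which is the "retired" case the section mentions. The sample records are constructed, `fetch_crtsh` is a plain urllib wrapper around the page's URL, and the function names are mine.

```python
"""Parse crt.sh JSON output into a subdomain inventory (added example)."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timezone

# Endpoint from the cheatsheet; only fetch_crtsh() touches the network.
CRTSH_URL = "https://crt.sh/?q={domain}&output=json"


def fetch_crtsh(domain: str, timeout: int = 30) -> list[dict]:
    """Live lookup. The offline demo below uses SAMPLE_RECORDS instead."""
    with urllib.request.urlopen(CRTSH_URL.format(domain=domain), timeout=timeout) as resp:
        return json.load(resp)


def _cert_names(record: dict) -> set[str]:
    """crt.sh packs every SAN into name_value, one per line (the '\\n' the
    awk in the cheatsheet rewrites). Wildcards collapse to their parent."""
    names: set[str] = set()
    for raw in record.get("name_value", "").split("\n"):
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name:
            names.add(name)
    return names


def _in_scope(name: str, domain: str) -> bool:
    """True for the domain itself or any child label; rejects lookalikes
    such as notexample.com that a plain substring match would accept."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(records: list[dict], domain: str) -> dict[str, bool]:
    """Map each in-scope hostname to True if it appears on at least one
    currently valid certificate, False if it appears only on expired ones."""
    domain = domain.lower()
    now = datetime.now(timezone.utc)
    seen: dict[str, bool] = {}
    for rec in records:
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        still_valid = not_after > now
        for name in _cert_names(rec):
            if _in_scope(name, domain):
                seen[name] = seen.get(name, False) or still_valid
    return dict(sorted(seen.items()))


def retired_hosts(records: list[dict], domain: str) -> list[str]:
    """Names CT still remembers but no valid certificate covers: the
    retired subdomains the section refers to, worth checking for stale DNS."""
    return [n for n, valid in extract_subdomains(records, domain).items() if not valid]


# Constructed sample in crt.sh's JSON shape (not real certificates).
SAMPLE_RECORDS = [
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2099-12-31T23:59:59"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com",
     "not_after": "2099-06-30T00:00:00"},
    {"common_name": "legacy-vpn.example.com", "name_value": "legacy-vpn.example.com",
     "not_after": "2015-06-30T00:00:00"},
    {"common_name": "notexample.com", "name_value": "notexample.com",
     "not_after": "2099-06-30T00:00:00"},
]

if __name__ == "__main__":
    for host, valid in extract_subdomains(SAMPLE_RECORDS, "example.com").items():
        print(f"{host:30} {'active' if valid else 'expired-only'}")
```

On the sample data the inventory contains four names under example.com, with legacy-vpn.example.com marked expired-only; notexample.com is dropped because the scope check requires a dot before the domain. Running `extract_subdomains(fetch_crtsh("yourdomain"), "yourdomain")` against your own domain gives the same view an outsider gets, which is the useful audit.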
2. Host & IP Identification
After finding subdomains, determine which are self-hosted vs. cloud-hosted (AWS, Cloudflare, etc.):
- host [subdomain] — resolve to IP.
- Shodan — passively check open ports and banners on identified IPs.
3. DNS Record Analysis
| Record | Description | Pentest Value |
|---|---|---|
| A | IPv4 address | Identifies hosting server |
| MX | Mail exchange | Identifies email provider |
| NS | Nameserver | Identifies hosting provider |
| TXT | Text records | Critical — reveals third-party services |
TXT Records as a Tech-Stack Blueprint
| TXT Content | Inference | Attack Vector |
|---|---|---|
| Atlassian | Dev/collaboration stack | Check Jira/Confluence for public issues |
| Google/Outlook | Email/docs management | Check public GDrive/OneDrive/Azure Blob |
| LogMeIn | Remote access management | Centralized admin access point |
| Mailgun | Email automation | API vulnerabilities (IDOR, SSRF) |
| MS=ms9... verification codes | Can reveal usernames/account IDs | Hosting provider enumeration |
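The inference table above is easy to mechanise, which also turns it into a self-audit: run it over your own domain's TXT records and you see exactly which third parties the records advertise. The script below is an added example, not part of the original notes. It parses the lines `dig +short txt [DOMAIN]` prints (constructed here, not a real lookup), matches each record against a small signature table whose rows mirror the TXT table, and lists the SPF `include:` domains, each of which is a third party permitted to send mail as the domain. The token prefixes are the vendors' published domain-verification formats; the signature table is a starting point to extend from your own records, and the function names are mine.

```python
"""Classify TXT records into the third-party services they reveal (added example)."""
from __future__ import annotations

import re

# Verification / SPF tokens -> (service, inference). The inferences mirror
# the TXT table above; the token formats are the vendors' published ones.
TXT_SIGNATURES: list[tuple[str, str, str]] = [
    (r"^atlassian-domain-verification=", "Atlassian", "Dev/collaboration stack (Jira/Confluence)"),
    (r"^google-site-verification=", "Google", "Email/docs management (Workspace)"),
    (r"^MS=ms\d+", "Microsoft 365", "Email/docs management; code may expose tenant identifiers"),
    (r"^logmein-verification-code=", "LogMeIn", "Remote access management"),
    (r"include:mailgun\.org", "Mailgun", "Email automation"),
]


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short txt` output into plain record strings. Records longer
    than 255 bytes are printed as several quoted chunks on one line; they are
    joined back together here so prefix matches still work."""
    records: list[str] = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def infer_services(records: list[str]) -> dict[str, str]:
    """Service name -> inference, for every signature that matches a record."""
    found: dict[str, str] = {}
    for rec in records:
        for pattern, service, inference in TXT_SIGNATURES:
            if re.search(pattern, rec):
                found[service] = inference
    return found


def spf_includes(records: list[str]) -> list[str]:
    """Every include: target in the SPF record, in record order."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return [tok.split(":", 1)[1] for tok in rec.split() if tok.lower().startswith("include:")]
    return []


def audit_txt(output: str) -> dict[str, object]:
    """One-call summary of what a domain's TXT records disclose."""
    records = parse_dig_txt(output)
    return {"services": infer_services(records), "spf_includes": spf_includes(records)}


# Constructed sample of `dig +short txt example.com` output (tokens are fake).
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.google.com include:mailgun.org ~all"
"google-site-verification=constructed-token-1"
"MS=ms12345678"
"atlassian-domain-verification=constructed-token-2"
"part-one of a long record " "part-two"
'''

if __name__ == "__main__":
    result = audit_txt(SAMPLE_DIG_OUTPUT)
    for service, inference in result["services"].items():
        print(f"{service:15} {inference}")
    print("SPF includes:", ", ".join(result["spf_includes"]))
```

The SPF list is the part most often overlooked in a review: a stale `include:` for a vendor the company no longer uses still authorises that vendor's infrastructure to send mail on the domain's behalf.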
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| WHOIS returns ‘Registrant information not available’ | Privacy protection service in use | Try whois on the NS server IPs themselves; check ARIN/RIPE for ASN registration; use ViewDNS.info for historical data |
| Shodan search returns no results | Domain not indexed or wrong query | Search by IP range instead: org:[COMPANY]; try ssl.cert.subject.cn:[DOMAIN]; note Shodan requires free account for most queries |
| Google dork results paywalled or require login | Google restricts automated dork queries | Use site: queries manually in browser; try Bing or DuckDuckGo for same dork patterns |
| LinkedIn employee list incomplete | LinkedIn requires login for full results | Use theHarvester -d [DOMAIN] -b linkedin; try intelx.io or hunter.io for email format guessing |
| IP range discovered but out of scope | ASN covers more than the target | Verify scope with client; document IP range for reference but do not scan out-of-scope assets |
📝 Reporting Trigger
Finding Title: Excessive Domain Information Exposure via Public Records
Impact: Registrant contacts, IP ranges, internal email formats, and technology stack exposed through public records — enabling targeted social engineering and reconnaissance with no network interaction.
Root Cause: Domain registered without privacy protection. Company information publicly associated with technical infrastructure through WHOIS, crt.sh, and Shodan.
Recommendation: Enable WHOIS privacy protection via registrar. Avoid using corporate email addresses as registrant contacts. Use generic technical contacts for domain registration. Audit Shodan exposure and request removal of sensitive indexed data.