Once you have an understanding of the IP addresses, net blocks and technology in use by an organization you can move onto the scanning and service discovery phases of an assessment.
Perform a deep dive against a domain, gathering related hosts and technologies in use without sending any packets against the target system.
Membership is required for access to all features, including passive discovery of host names, hosting services, HTTP servers, DNS servers and mail servers.
- Discover the Internet footprint of an organization.
- Find forgotten and unmanaged servers that may not be adequately secured.
- Perform competitor analysis of a company, to understand its Internet technology and hosting providers.
- Correlation of Open Source Intelligence (OSINT) data is used for this automated analysis.
Understanding the Domain Profiler Analysis
This tool makes extensive use of the various APIs that HackerTarget.com provides. It collects standard DNS records through regular DNS lookups, including the domain's name servers (NS records) and mail servers (MX records). The list of sub-domains is gathered through the host record search API. The various APIs draw on data from scans.io as well as Shodan, Maxmind, Netcraft, Bing, Google and other search engines.
A number of well known projects provide a wealth of Open Source Intelligence on DNS records, host names, web servers and other Internet wide scan data. Through analysis of these data sources it is possible to get a detailed understanding of an organization's Internet footprint and the technologies in use without sending any probes directly against the target organization.
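The correlation step described above (NS and MX records, sub-domain host records, and IP-to-netblock attribution combined into one profile) can be illustrated with the following added example. It is not HackerTarget's code and does not call its APIs: the records, netblocks and provider names are constructed sample data, using the reserved example.com domain and documentation IP ranges, so the script runs offline. The interesting defensive output is the list of hosts whose addresses fall outside the organization's known allocations, which is where forgotten or unmanaged servers tend to show up.

```python
"""Build a domain profile from passive DNS / OSINT style records (added example)."""
import ipaddress

# Constructed sample records as (name, rrtype, value); not real data.
# The MX value carries its priority, as a DNS MX record does.
RECORDS = [
    ("example.com", "NS", "ns1.example.com"),
    ("example.com", "NS", "ns2.dnsprovider.example"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "MX", "20 mx2.mailhost.example"),
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("ns1.example.com", "A", "203.0.113.53"),
    ("staging.example.com", "A", "192.0.2.44"),
    ("dev-old.example.com", "A", "198.51.100.77"),
    ("www.unrelated.example", "A", "203.0.113.99"),   # different domain, must be ignored
]

# Constructed netblock-to-owner map standing in for WHOIS / Maxmind style data.
NETBLOCKS = {
    "203.0.113.0/24": "Example Corp (own allocation, hypothetical)",
    "192.0.2.0/24": "CloudHost Inc (hypothetical hosting provider)",
}


def owner_of(ip):
    """Return the owner of the netblock containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in NETBLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "unknown"


def in_domain(name, domain):
    """True for the domain itself and any sub-domain of it."""
    return name == domain or name.endswith("." + domain)


def profile_domain(domain, records):
    """Correlate records for one domain into NS, MX, hosts and attribution."""
    profile = {"ns": [], "mx": [], "hosts": {}}
    for name, rrtype, value in records:
        if not in_domain(name, domain):
            continue
        if rrtype == "NS" and name == domain:
            profile["ns"].append(value)
        elif rrtype == "MX" and name == domain:
            prio, host = value.split(None, 1)
            profile["mx"].append((int(prio), host))
        elif rrtype == "A":
            profile["hosts"][name] = {"ip": value, "owner": owner_of(value)}
    profile["mx"].sort()
    # Infrastructure run by third parties: NS or MX hosts outside the domain.
    profile["third_party_ns"] = [h for h in profile["ns"] if not in_domain(h, domain)]
    profile["third_party_mx"] = [h for _, h in profile["mx"] if not in_domain(h, domain)]
    # Hosts whose address is in no known netblock deserve a closer look.
    profile["unattributed"] = sorted(
        h for h, info in profile["hosts"].items() if info["owner"] == "unknown"
    )
    return profile


if __name__ == "__main__":
    p = profile_domain("example.com", RECORDS)
    print("NS:", p["ns"])
    print("MX:", p["mx"])
    for host, info in sorted(p["hosts"].items()):
        print(f"{host:24} {info['ip']:16} {info['owner']}")
    print("third-party NS/MX:", p["third_party_ns"], p["third_party_mx"])
    print("hosts in no known netblock:", p["unattributed"])
```

With real data the records would come from passive DNS and scan datasets such as those listed below, and the netblock map from WHOIS or a GeoIP database; the correlation logic stays the same.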
Useful OSINT Tools, Resources and Data Sources
Shodan - The Search Engine for the Internet of Things, find everything from Printers to Power Stations with this Internet Wide Scanning Resource.
scans.io - An excellent collection of open scan data and DNS resources sponsored by Rapid7 and the University of Michigan.
Recon-NG - A tool for collecting Open Source Intelligence from various resources and search engines.
Passive OSINT Analysis of the Network Attack Surface - An article of ours that gives an overview of the discovery of the attack surface of an organization.
IP Tools - Another resource of ours, a collection of DNS and IP tools that enable target reconnaissance.