• Subscribe to the low volume list for updates.

Domain Profiler – Automated DNS Recon

Our Domain Profiler reconnaissance tool finds related sub-domains and hosts for an organization. By utilizing OSINT (Open Source Intelligence Gathering) techniques we can passively discover an organizations Internet footprint.

Once you have an understanding of the IP addresses, net blocks and technology in use by an organization you can move onto the scanning and service discovery phases of an assessment.

Launch Domain Profiler
Login for Access to Domain Profiler Reconnaissance Tool
Perform a deep dive against a domain, gathering related hosts and technologies in use without sending any packets against the target system.

  • Discover the Internet footprint of an organization.
  • Find forgotten and unsecured systems.
  • Perform competitor analysis, with passive reconnaissance.
  • Understand an organisations technology and back-end services.
  • Access to 27 Vulnerability Scanners and OSINT Tools.
  • Submit lists of targets in bulk for analysis.

Immediate access is available to new members or login now if you already have an account.

Here are 4 use cases for the Domain Profiler Tool

Internal Operations Team
Check the results of this analysis against internal asset lists. Quickly find gaps in the assets or forgotten systems. Staff turnover in many organizations can lead to orphaned systems that are Internet facing and no longer maintained. Asset management systems should be aware of these systems, but sometimes they slip through the cracks.
Penetration Testers
The first stage of any penetration testing engagement is to compile open source intelligence into a picture of the target. Using OSINT methods allows a great deal of information to be collected without sending any packets to the target. This is known as passive information gathering.
Business Intelligence
Detailed open source information reveal technologies and third party service providers of an organizations. This can benefit a number of different investigative processes including competitive analysis. The key here is the fact that the information is from open sources, with zero impact to the target.
Bug Bounty Hunters
The passive nature of the information discovery, allows bug hunters (and other attackers) to quickly find systems that may be worth spending time assessing for vulnerabilities. A bounty hunter with a list of programs (domains) can submit a list of targets and watch the results come into their email box, quickly reviewing each to find easy wins.
Know what an attacker can see
Attack Surface Assessment from an OSINT expert. Zero Impact.

Domain Profiler Methodology

This tool extensively uses the various API's that HackerTarget.com makes available. It collects standard DNS records through regular DNS lookups, these include the Domain Servers (NS Records) and the Mail Servers (MX Records). The list of sub-domains are gathered through the host record search API. The various API's use data from scans.io as well as Shodan, Maxmind, Netcraft, Bing, Google and other search engines.

A number of well known projects provide a wealth of Open Source Intelligence on DNS records, host names, web servers and other Internet wide scan data. Through analysis of these data sources it is possible to get a detailed understanding of an organizations Internet footprint and technologies in use without actually sending any probes directly against the target organization.

Maximum Number of Results

The maximum number of host results available is 40'000. If the number exceeds this number then the results are truncated at the 40 thousand limit.

Format of Results

The results of the automated information collection are compiled into a spreadsheet XLS and an image of the domain map PNG. Once the analysis is complete the files are emailed to your registered email account as attachments.

Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.
PTES - Penetration Test Execution Standard

Useful OSINT Tools, Resources and Data Sources

Shodan - The Search Engine for the Internet of Things, find everything from Printers to Power Stations with this Internet Wide Scanning Resource.
scans.io - A excellent collection of open scan data and DNS resources sponsored by Rapid7 and the University of Michigan.
Recon-NG - A tool for collecting Open Source Intelligence from various resources and search engines.
Passive OSINT Analysis of the Network Attack Surface - An article of ours that gives an overview of the discovery of the attack surface of an organization.
IP Tools - another resource of ours, a collection of DNS and IP Tools that enable target reconnaissance.