Attack Surface Discovery with Domain Profiler
The Domain Profiler reconnaissance tool finds sub-domains and hosts for an organization. By utilizing OSINT (Open Source Intelligence Gathering) techniques we can passively discover an organizations Internet footprint.
Once you have an understanding of the IP addresses, net blocks and technology in use by an organization you can move onto the scanning and service discovery phases of an assessment.
Perform a deep dive against a domain, gathering related hosts and technologies in use without sending any packets against the target system.
- Discover the Internet footprint of an organization.
- Find forgotten and unsecured systems.
- Perform competitor analysis, with passive reconnaissance.
- Understand an organisations technology and back-end services.
- Access to 27 Vulnerability Scanners and OSINT Tools.
- Submit lists of targets in bulk for analysis.
Here are 5 use cases for the Domain Profiler Tool
- Internal Operations Team
- Check the results of this analysis against internal asset lists. Quickly find gaps in the assets or forgotten systems. Staff turnover in many organizations can lead to orphaned systems that are Internet facing and no longer maintained. Asset management systems should be aware of these systems, but sometimes they slip through the cracks.
- Incident Response
- Whether you are chasing down a major incident (DFIR) or simply in need of contextual information around a domain for alert triage. This is a tool that will surely save time during the analysis or investigative process.
- Penetration Testers
- The first stage of any penetration testing engagement is to compile open source intelligence into a picture of the target. Using OSINT methods allows a great deal of information to be collected without sending any packets to the target. This is known as passive information gathering.
- Business Intelligence
- Detailed open source information reveal technologies and third party service providers of an organizations. This can benefit a number of different investigative processes including competitive analysis. The key here is the fact that the information is from open sources, with zero impact to the target.
- Bug Bounty Hunters
- The passive nature of the information discovery, allows bug hunters (and other attackers) to quickly find systems that may be worth spending time assessing for vulnerabilities. A bounty hunter with a list of programs (domains) can submit a list of targets and watch the results come into their email box, quickly reviewing each to find easy wins.
Domain Profiler Methodology
This tool extensively uses the various API's that HackerTarget.com makes available. It collects standard DNS records through regular DNS lookups, these include the Domain Servers (NS Records) and the Mail Servers (MX Records). The list of sub-domains are gathered through the host record search API. The various API's use data from Certificate Transparency, scans.io, Shodan, Maxmind, Netcraft, Bing, Common Crawl, Google and other search engines.
Here is a break down of the tactical intelligence that is included in the results:
- DNS Records including subdomains
- Network Banners for Internet facing services (web servers, ftp servers, Remote Desktop, SSH).
- Reverse Whois searches for email address to find domains that are related to the organisation.
- Google Analytics searches to find related web sites with matching analytics tracking codes.
- Certificate transparency searches to find related subdomains and other domains based on certificate details.
- Banner and network service searches across ASN's owned by the organisation being queried.
A number of well known projects provide a wealth of Open Source Intelligence on DNS records, host names, web servers and other Internet wide scan data. Through analysis of these data sources it is possible to get a detailed understanding of an organizations Internet footprint and technologies in use without actually sending any probes directly against the target organization.
Maximum Number of Results
Up to half a million results are available in a single domain report. If the number exceeds 500'000 hosts then the results are truncated.
Format of Results
The results of the automated information collection are compiled into a spreadsheet
XLS and an image of the domain map
PNG. In addition it is possible to view the results in an interactive table or through a web network graph. Once the analysis is complete the files are emailed to your registered email account as attachments.
Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.
PTES - Penetration Test Execution Standard
Useful OSINT Tools, Resources and Data Sources
- Shodan - The Search Engine for the Internet of Things, find everything from Printers to Power Stations with this Internet Wide Scanning Resource.
- scans.io - A excellent collection of open scan data and DNS resources sponsored by Rapid7 and the University of Michigan.
- Recon-NG - A tool for collecting Open Source Intelligence from various resources and search engines.
- Passive OSINT Analysis of the Network Attack Surface - An article of ours that gives an overview of the discovery of the attack surface of an organization.
- IP Tools - another resource of ours, a collection of DNS and IP Tools that enable target reconnaissance.