Domain Profiler

Our Domain Profiler reconnaissance tool finds related sub-domains and hosts for an organization. By utilizing OSINT (Open Source Intelligence Gathering) techniques we can passively discover an organizations Internet footprint.

Once you have an understanding of the IP addresses, net blocks and technology in use by an organization you can move onto the scanning and service discovery phases of an assessment.

Domain Profiler OSINT Tool

Perform a deep dive against a domain, gathering related hosts and technologies in use without sending any packets against the target system.

Login to access all options

Membership is required for access to all features, including passive discovery of host names, hosting services, HTTP servers, DNS servers and mail servers. Immediate access is available to new members or login now if you already have an account.

  • Discover the Internet footprint of an organization.
  • Find forgotten and unmanaged servers that may not be adequately secured.
  • Perform competitor analysis of a company, to understand its Internet technology and hosting providers.
  • Correlation of Open Source Intelligence (OSINT) data is used for this automated analysis.

Understanding the Domain Profiler Analysis

This tool extensively uses the various API's that makes available. It collects standard DNS records through regular DNS lookups, these include the Domain Servers (NS Records) and the Mail Servers (MX Records). The list of sub-domains are gathered through the host record search API. The various API's use data from as well as Shodan, Maxmind, Netcraft, Bing, Google and other search engines.

A number of well known projects provide a wealth of Open Source Intelligence on DNS records, host names, web servers and other Internet wide scan data. Through analysis of these data sources it is possible to get a detailed understanding of an organizations Internet footprint and technologies in use without actually sending any probes directly against the target organization.

Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.

Useful OSINT Tools, Resources and Data Sources

Shodan - The Search Engine for the Internet of Things, find everything from Printers to Power Stations with this Internet Wide Scanning Resource. - A excellent collection of open scan data and DNS resources sponsored by Rapid7 and the University of Michigan.
Recon-NG - A tool for collecting Open Source Intelligence from various resources and search engines.
Passive OSINT Analysis of the Network Attack Surface - An article of ours that gives an overview of the discovery of the attack surface of an organization.
IP Tools - another resource of ours, a collection of DNS and IP Tools that enable target reconnaissance.