3.2. Domain Name Information

3.2.1. Whois

Whois queries the registry/registrar database to check whether a domain name is registered and to retrieve its record, which may contain useful information: registrant (owner) name and organization, registrar, contact email address, name servers, and the creation, update and expiry dates. Since 2018 many registrars redact contact details behind privacy services, so current whois output is often thin; historical whois snapshots (and RDAP, the protocol that is replacing whois) are worth checking as well.

3.2.3. Third-party queries

Quite a few third-party web services provide subdomain lookup functions. Some examples are given below, and more can be found in the tool list in section 8.1.

3.2.4. ASN information association

On the Internet, an autonomous system (AS) is a group of IP prefixes under a single administrative control with one clearly defined routing policy towards the rest of the Internet. The unit can be a single network or a collection of networks run by one or more common administrators, for example a university, an ISP or a company.

An autonomous system is sometimes called a routing domain. Each AS is assigned a globally unique autonomous system number (ASN); ASNs were originally 16-bit, and 32-bit ASNs have been in use since RFC 4893 (2007, updated by RFC 6793). Looking up the prefixes an ASN announces, via the IRR/whois databases or nmap's targets-asn script, therefore yields the IP ranges that may belong to the target, for example:

whois -h whois.radb.net -- '-i origin AS111111' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -u
nmap --script targets-asn --script-args targets-asn.asn=15169
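As an added example (not code from the original page), the same ASN-to-prefix step done in Python: the block parses constructed IRR whois output for AS64500 (an ASN from the range reserved for documentation), de-duplicates the route/route6 objects even when the duplicates are not adjacent, and checks whether IPs discovered elsewhere fall inside the announced prefixes. The whois text, the ASN and the prefixes are constructed from documentation ranges and are assumptions, not a real network.

```python
import ipaddress
import re

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS64500'`
# returns. AS64500 is in the documentation ASN range and the routes are
# documentation prefixes, so nothing here describes a real network.
RADB_OUTPUT = """\
route:          192.0.2.0/24
descr:          Example Corp
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
descr:          Example Corp DC2
origin:         AS64500
source:         RADB

route:          192.0.2.0/24
descr:          duplicate object, different source
origin:         AS64500
source:         RIPE

route6:         2001:db8:1::/48
descr:          Example Corp v6
origin:         AS64500
source:         RADB
"""

ROUTE_RE = re.compile(r"^route6?:\s*(\S+)", re.MULTILINE)


def prefixes_for_asn(whois_text):
    """Extract the route/route6 prefixes from IRR whois output.

    Returns a sorted, de-duplicated list of ip_network objects. A set
    (rather than `uniq`) removes duplicates even when they are not adjacent,
    and ipaddress rejects anything that is not a valid CIDR.
    """
    nets = set()
    for cidr in ROUTE_RE.findall(whois_text):
        try:
            nets.add(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue  # malformed object: skip it rather than abort
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def owning_prefix(ip, prefixes):
    """Return the announced prefix containing `ip`, or None if it is outside the ASN."""
    addr = ipaddress.ip_address(ip)
    for net in prefixes:
        if addr.version == net.version and addr in net:
            return net
    return None


if __name__ == "__main__":
    prefixes = prefixes_for_asn(RADB_OUTPUT)
    for net in prefixes:
        print(net)
    for ip in ("192.0.2.77", "203.0.113.5", "2001:db8:1::10"):
        print(ip, "->", owning_prefix(ip, prefixes))
```

IRR data is self-reported by operators and can be stale or over-broad, so a prefix found this way is a lead to confirm with reverse DNS, certificates or banners, not proof of ownership.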

3.2.5. Domain Relevance

Multiple domain names registered by the same company or individual are usually related in some way: they share a registration email address, an ICP filing (record) number, or a registrant name. Pivoting on these shared attributes is a way to find associated domain names. One sequence of steps is as follows:

  • Query the registration email address of the domain name

  • Query the ICP filing number by the domain name

  • Query other domain names registered under that filing number

  • Query the registration email addresses of those domain names

  • Query the registrant of those domain names

  • Query the domain names registered by that registrant, then the email addresses used for them

  • Query further domain names registered with the email addresses found in the previous step

  • Enumerate the subdomains of all domain names obtained above

Each pivot should be checked before it is trusted: privacy-proxy email addresses and registrar default contacts are shared by thousands of unrelated domains and will pull in false positives.
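The steps above, as an added example that is not part of the original page: a breadth-first pivot over a constructed set of whois-style records, sharing registrant, email or filing number, with a depth limit and a recorded reason for every hop so each pivot can be reviewed. The record set, the domain names and the "ICP-…" filing values are constructed assumptions, not real registrations.

```python
from collections import deque

# Constructed whois-style records keyed by domain (not real registrations).
# Only the fields the pivot uses are kept: registrant name, registrant
# e-mail and the ICP filing number (the "record number" in the steps above).
WHOIS_DB = {
    "example.com":      {"registrant": "Example Corp",  "email": "admin@example.com", "icp": "ICP-0001"},
    "example.net":      {"registrant": "Example Corp",  "email": "admin@example.com", "icp": "ICP-0001"},
    "example-shop.com": {"registrant": "Alice Liddell", "email": "admin@example.com", "icp": None},
    "alice-blog.org":   {"registrant": "Alice Liddell", "email": "alice@example.org", "icp": None},
    "unrelated.com":    {"registrant": "Bob Builder",   "email": "bob@example.org",   "icp": "ICP-9999"},
}


def reverse_index(db):
    """Build field -> value -> {domains} indexes, i.e. the reverse-whois
    lookups that the manual steps perform one at a time."""
    index = {"registrant": {}, "email": {}, "icp": {}}
    for domain, rec in db.items():
        for field in index:
            value = rec.get(field)
            if value:
                index[field].setdefault(value, set()).add(domain)
    return index


def related_domains(seed, db, max_depth=3):
    """Breadth-first pivot from `seed` across shared e-mail / filing / registrant.

    Returns {domain: (depth, reason)}. The depth limit and the reason trail
    matter in practice: a privacy-proxy e-mail or a registrar's default
    contact is shared by thousands of unrelated domains, so every pivot
    should be reviewable rather than trusted blindly.
    """
    index = reverse_index(db)
    found = {seed: (0, "seed")}
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        rec = db.get(domain, {})
        for field in ("email", "icp", "registrant"):
            value = rec.get(field)
            if not value:
                continue
            for other in index[field].get(value, ()):
                if other not in found:
                    found[other] = (depth + 1, f"shares {field}={value} with {domain}")
                    queue.append((other, depth + 1))
    return found


if __name__ == "__main__":
    results = related_domains("example.com", WHOIS_DB)
    for dom, (depth, why) in sorted(results.items(), key=lambda kv: kv[1][0]):
        print(f"{'  ' * depth}{dom}  ({why})")
```

With a real data source the `lookup` would be a reverse-whois API and the `max_depth` should stay small; two hops through a shared registrant is usually the limit of what can be defended as in scope.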

3.2.6. Use of website information

A website contains a lot of information, and the site itself, its security policies, its configuration, etc. may expose some of it.

A website's interactions are usually not limited to a single domain name: pages load resources from, and call APIs on, other subdomains. Crawling the site therefore collects other in-scope hostnames, which typically appear in JavaScript files, resource URLs (scripts, stylesheets, images), links and redirects.

Security policies such as cross-domain policies (crossdomain.xml, CORS headers) and CSP rules also list the related domains they allow. Sometimes several domain names share one SSL/TLS certificate for convenience, so the related domain names can also be read from the certificate's Subject Alternative Name list.
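As an added example (not from the original page), the hostname extraction a crawler performs on what it fetches: one regular expression pulls hostname-looking tokens out of HTML, a JavaScript file, a Content-Security-Policy header and a crossdomain.xml, and a scope filter keeps only names under the target root, reporting wildcard entries such as `*.analytics.example.com` separately because they name a subtree rather than a host. All four inputs and the hostnames in them are constructed; `example.com` is the assumed target.

```python
import re

ROOT = "example.com"   # assumed target root domain (documentation name)

# Constructed fragments of the kind a crawler collects: an HTML page with
# script/resource links, a JS file with an API endpoint, a CSP header and a
# Flash crossdomain.xml. None of these hosts are real.
HTML = """<html><head>
<script src="https://static.example.com/app.js"></script>
<link rel="stylesheet" href="//cdn-assets.example.com/site.css">
<img src="https://images.example.com/logo.png">
<a href="https://www.partner-site.net/">partner</a>
</head></html>"""

JS = """const API = "https://api-v2.example.com/v2/";
fetch(API + "user"); const ws = new WebSocket("wss://push.example.com/ws");"""

CSP = ("default-src 'self'; script-src 'self' https://static.example.com "
       "https://*.analytics.example.com; connect-src https://api-v2.example.com "
       "wss://push.example.com; img-src *")

CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="legacy-flash.example.com"/>
  <allow-access-from domain="www.partner-site.net"/>
</cross-domain-policy>"""

# Hostname grammar: labels of letters/digits/hyphens, an optional leading
# wildcard label, at least one dot, an alphabetic TLD. Deliberately loose:
# file names like app.js also match and are removed by the scope filter.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.I,
)


def hostnames_in(text):
    """Every hostname-looking token in `text`, lower-cased and de-duplicated."""
    return {m.lower() for m in HOST_RE.findall(text)}


def in_scope(hosts, root=ROOT):
    """Keep hosts equal to `root` or ending in `.root`. Wildcards are kept
    apart because `*.x` says a subtree exists, not that a host does."""
    exact, wildcards = set(), set()
    for h in hosts:
        bare = h[2:] if h.startswith("*.") else h
        if bare == root or bare.endswith("." + root):
            (wildcards if h.startswith("*.") else exact).add(h)
    return exact, wildcards


def collect(sources, root=ROOT):
    """Union of in-scope hostnames across all fetched sources."""
    hosts = set()
    for text in sources:
        hosts |= hostnames_in(text)
    return in_scope(hosts, root)


if __name__ == "__main__":
    exact, wild = collect([HTML, JS, CSP, CROSSDOMAIN_XML])
    print("hosts:", sorted(exact))
    print("wildcards:", sorted(wild))
```

Out-of-scope hosts such as `www.partner-site.net` are dropped rather than discarded silently in a real crawler; they are worth keeping in a separate list because a partner or vendor domain that appears in a cross-domain policy is itself a relationship worth recording.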

3.2.7. HTTPS certificate

3.2.7.1. Certificate Transparency

To make mis-issued or forged HTTPS certificates detectable, CAs record every certificate they issue in public, append-only logs whose integrity anyone can verify (Certificate Transparency). Any interested party can search these logs for all certificates issued for a given name, for example through services such as crt.sh, so related domain names (including internal or forgotten ones) can be obtained by querying the logs for the target domain. The logs also contain expired certificates and names that no longer resolve, so results should be validated before use.

3.2.7.2. SAN

Subject Alternative Name (SAN): when one certificate has to cover several domain names used for different services, a SAN certificate is commonly used. SAN allows multiple values to be associated with a certificate through the subjectAltName extension; these values are called subject alternative names and can be DNS names, IP addresses, email addresses or URIs. A single certificate can therefore reveal every hostname it was issued for, including names that belong to a different registered domain.
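The two certificate sources above (CT logs in 3.2.7.1 and the SAN extension in 3.2.7.2), as one added example that is not part of the original page. The first function reads the names out of the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the second reads a list of CT entries in the JSON shape crt.sh produces (assumed here: `name_value` holds newline-separated names, `common_name` the CN). Both inputs are constructed, no certificate or log is fetched, and `example.com` is the assumed target.

```python
import json

# What ssl.SSLSocket.getpeercert() returns (constructed, same tuple-of-pairs
# shape the standard library documents). The SAN list shows a name outside
# example.com, which is exactly the cross-domain link SANs can reveal.
PEER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "mail.example.com"),
        ("DNS", "legacy.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed entries in the JSON shape of crt.sh output (assumption:
# name_value is newline-separated, common_name is the certificate CN).
CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "dev-api.example.com", "name_value": "dev-api.example.com\nstaging.example.com"},
    {"common_name": "Example Corp Internal CA", "name_value": "Example Corp Internal CA"},
])


def names_from_san(cert):
    """DNS names from a getpeercert()-style dict (SAN entries plus the CN).

    IP-address SANs are returned separately: they are useful, but they are
    not hostnames to enumerate further.
    """
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            # A CN is only a hostname if it looks like one; CA names are not.
            if key == "commonName" and "." in value and " " not in value:
                dns.add(value.lower())
    return dns, ips


def names_from_ct(ct_json, root):
    """Hostnames under `root` seen in CT log entries. Wildcards are reported
    separately because `*.root` is not itself a resolvable host."""
    hosts, wildcards = set(), set()
    for entry in json.loads(ct_json):
        candidates = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in candidates:
            name = name.strip().lower()
            if name != root and not name.endswith("." + root):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return hosts, wildcards


if __name__ == "__main__":
    print("SAN:", names_from_san(PEER_CERT))
    print("CT :", names_from_ct(CT_JSON, "example.com"))
```

Names from CT should be resolved afterwards: `staging.example.com` in the constructed data may have been decommissioned years ago, and a name that no longer resolves is a finding of a different kind (a possible dangling record) rather than a live host.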

3.2.8. Zone Transfer Vulnerability

A DNS zone transfer (AXFR) is how a secondary name server refreshes its copy of a zone with the data held by the primary server, so that resolution of the entire domain is not affected if the primary becomes unavailable unexpectedly.

Normally a zone transfer should only be accepted from trusted secondary name servers, but if this authorization is misconfigured any client can request the transfer and obtain every record in the zone. This misconfiguration is known as the DNS zone transfer vulnerability. Each authoritative server listed in the NS records should be tested separately, because one may be restricted while another is not.

3.2.9. Passive DNS

Passive DNS collects the responses that recursive name servers receive from authoritative name servers and stores them in a database. With a Passive DNS database you can find which IPs a domain name has resolved to, which domain names have pointed at an IP, and the first/last time a record was seen, which is a great help for testing. Services such as VirusTotal, PassiveTotal and CIRCL provide queries against Passive DNS data.

3.2.10. Wildcard Resolution

Wildcard resolution (pan-resolution) means a wildcard A record resolves every name under *.example.com to one IP address. This has to be handled when enumerating subdomains, otherwise every guessed name appears to exist and the result fills up with invalid records. The usual check is to resolve a few random labels under the domain first and treat their common answer as the wildcard response.

3.2.11. Important records

3.2.11.1. CNAME

A CNAME (canonical name) record, also called an alias, points one domain name at another domain name. It may reveal other affiliated services or providers; the CDN acceleration used by many websites is implemented with this record type.

3.2.11.2. MX records

An MX (Mail Exchanger) record lists the servers that accept mail for the domain. It can be used to find the target's SMTP servers.

3.2.11.3. NS records

The NS (Name Server) record is the record of the domain name server, which is used to specify which DNS server resolves the domain name.

3.2.11.4. SPF records

SPF (Sender Policy Framework) is a DNS-based mechanism proposed to prevent spam and sender spoofing. It is published as a TXT record that lists the IP addresses and hosts authorized to send mail on behalf of the domain (through ip4:/ip6:/a/mx/include: mechanisms), so related IP ranges and mail infrastructure can be obtained from the SPF record. The commonly used command is dig example.com txt
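As an added example (not from the original page), an SPF walker that does what a practitioner does by hand after `dig example.com txt`: it parses the mechanisms, follows `include:` and `redirect=` targets, and collects the IP ranges and the a/mx hostnames that still need resolving. The TXT records are constructed (documentation addresses, a `_spf.example.net` include that points back at the starting domain to show cycle handling); the lookup function stands in for real DNS queries.

```python
import re

# Constructed TXT records (documentation addresses), keyed by name, standing
# in for `dig <name> txt` answers so the example runs offline. The include
# chain contains a cycle (example.com -> _spf.example.net -> example.com).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 mx a:mail.example.com "
                    "include:_spf.example.net include:spf.mailvendor.example -all"],
    "_spf.example.net": ["v=spf1 ip4:203.0.113.0/26 ip6:2001:db8:10::/48 include:example.com ~all"],
    "spf.mailvendor.example": ["v=spf1 ip4:203.0.113.128/25 ?all"],
}

# qualifier, mechanism/modifier name, optional argument after ':' or '='
MECH_RE = re.compile(r"^([+\-~?])?(ip4|ip6|include|a|mx|exists|ptr|all|redirect)(?:[:=](.*))?$", re.I)


def spf_record(name, lookup):
    """Return the single v=spf1 string published for `name`, or None."""
    spf = [t for t in lookup(name) if t.lower().startswith("v=spf1")]
    return spf[0] if spf else None


def expand_spf(name, lookup, _seen=None, _depth=0):
    """Walk a domain's SPF policy, following include:/redirect= targets.

    Returns the collected CIDRs, the hostnames that still need resolving
    (a:/mx:) and the includes visited, in order. Cycles and depth are
    handled explicitly: RFC 7208 limits DNS-causing terms to 10, and an
    include loop is common in real data and would otherwise recurse forever.
    """
    result = {"ip4": set(), "ip6": set(), "hosts": set(), "includes": []}
    seen = _seen if _seen is not None else set()
    if name.lower() in seen or _depth > 10:
        return result
    seen.add(name.lower())

    record = spf_record(name, lookup)
    if record is None:
        return result
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        m = MECH_RE.match(term)
        if not m:
            continue
        _qualifier, mech, arg = m.groups()
        mech = mech.lower()
        if mech in ("ip4", "ip6") and arg:
            result[mech].add(arg)
        elif mech in ("include", "redirect") and arg:
            result["includes"].append(arg)
            sub = expand_spf(arg, lookup, seen, _depth + 1)
            for key in ("ip4", "ip6", "hosts"):
                result[key] |= sub[key]
            result["includes"] += sub["includes"]
        elif mech in ("a", "mx"):
            result["hosts"].add(arg or name)     # bare a/mx refers to this domain
    return result


if __name__ == "__main__":
    out = expand_spf("example.com", lambda n: TXT_RECORDS.get(n, []))
    for key, value in out.items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The `includes` list is as informative as the addresses: a third-party sender such as `spf.mailvendor.example` in the constructed data tells you which mail provider the target uses, which is useful both for phishing-awareness assessments and for deciding what is actually in scope.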

3.2.12. CDN

3.2.12.1. CDN Verification

You can determine whether the target uses a CDN by pinging or resolving it from multiple geographic locations: different answers from different regions indicate a CDN. Commonly used websites include http://ping.chinaz.com/ and https://asm.ca.com/en/ping.php, etc.

3.2.12.2. Domain name lookup

The parent domain or other subdomains of a domain that uses a CDN do not necessarily sit behind the CDN themselves; resolving them may yield the origin IP.

3.2.12.3. History lookup

The CDN may be launched after the website is online for a period of time. You can find the real IP by looking up the domain name resolution record.

3.2.12.4. Mail information

Trigger an email exchange with the target by means of social engineering and read the IP addresses from the Received headers of the reply. The address may be the real IP of the website, or the egress IP of the target's network.
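As an added example (not from the original page), the header analysis the technique above relies on: the block parses the Received headers of a constructed reply, orders the hops from the sender outward (MTAs prepend Received headers, so the top one is the newest), and returns the first hop with a non-internal source address, which is the target's mail egress. The message, its hostnames and its addresses are constructed; the internal ranges are RFC 1918 plus loopback and link-local.

```python
import email
import ipaddress
import re

# Constructed reply: it left the sender's workstation, passed the target's
# internal relay and outbound gateway, then a third-party provider delivered
# it to us. Public addresses are documentation ranges only.
RAW_MAIL = b"""Received: from mx.mailprovider.example (mx.mailprovider.example [203.0.113.9])
\tby inbox.attacker.example with ESMTPS id abc123;
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from gw.example.com (gw.example.com [198.51.100.7])
\tby mx.mailprovider.example with ESMTPS;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from relay01.corp.example.com (relay01.corp.example.com [10.20.30.40])
\tby gw.example.com with ESMTP;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from WS-ALICE.corp.example.com (WS-ALICE.corp.example.com [10.20.31.55])
\tby relay01.corp.example.com with ESMTP;
\tMon, 1 Jan 2024 10:00:00 +0000
X-Originating-IP: [10.20.31.55]
From: alice@example.com
To: sales@attacker.example
Subject: Re: quote

thanks, see attached
"""

IPV4_RE = re.compile(r"\[?\b((?:\d{1,3}\.){3}\d{1,3})\b\]?")
FROM_RE = re.compile(r"from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# ipaddress.is_private also flags the documentation ranges used above, so
# the internal check is spelled out: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw):
    """Parse Received headers into hops, oldest (closest to the sender) first.

    Each hop is {"from": host, "ip": ip, "by": host}. Folded continuation
    lines are joined before matching.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())
        ip, frm, by = IPV4_RE.search(text), FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return list(reversed(hops))


def egress_ip(hops):
    """First hop, walking from the sender outward, whose source IP is not
    internal: the target's mail gateway / egress address. The earlier hops
    still matter, since they expose internal hostnames and address space."""
    for hop in hops:
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    chain = received_chain(RAW_MAIL)
    for hop in chain:
        print(f'{hop["from"]} [{hop["ip"]}] -> {hop["by"]}')
    print("egress:", egress_ip(chain))
```

Received headers below the first one written by a server you trust can be forged by the sender, so the chain is evidence about the target only when the mail really came from the target; for a reply to a message you sent, that is normally the case.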

3.2.13. Subdomain Brute Force

Where the techniques above are not easy to use, such as on an intranet, or when you want to monitor the launch of new domain names, valid names can be found by trying candidate labels from a wordlist in batches and keeping the ones that resolve, after filtering out wildcard answers.
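As an added example (not from the original page) covering this section together with 3.2.10: a wordlist brute force that first detects the wildcard answer for the parent domain by resolving random labels, then reports names separately depending on whether they resolve to something other than the wildcard IP set. The resolver is a constructed in-memory zone, so the example runs offline; `example.com`, its records and the second wildcard under `dev.example.com` are assumptions.

```python
import random
import string

ROOT = "example.com"   # assumed target (documentation name)

# Constructed DNS view standing in for real lookups. *.example.com is
# wildcarded to 192.0.2.200 (the case section 3.2.10 warns about), and
# dev.example.com has its own wildcard with a different answer.
ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20"],
    "vpn.example.com": ["192.0.2.200"],      # real host that shares the wildcard IP
    "api.dev.example.com": ["198.51.100.5"],
}
WILDCARDS = {"example.com": ["192.0.2.200"], "dev.example.com": ["198.51.100.99"]}


def fake_resolve(name):
    """Return A records for `name`, emulating a zone with wildcard records.
    The most specific wildcard parent wins, as in real DNS."""
    if name in ZONE:
        return ZONE[name]
    for parent, ips in sorted(WILDCARDS.items(), key=lambda kv: -len(kv[0])):
        if name.endswith("." + parent):
            return ips
    return []


def wildcard_ips(parent, resolve, probes=3):
    """Resolve a few random labels under `parent`. If they all answer with
    the same set, that set is the wildcard answer; empty means no wildcard."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
        answers.add(frozenset(resolve(f"{label}.{parent}")))
    return next(iter(answers)) if len(answers) == 1 else frozenset()


def brute_force(parent, words, resolve):
    """Try each word as a label under `parent`.

    Returns (found, ambiguous): names that resolve to something other than
    the wildcard answer, and names that resolve only to the wildcard IP set.
    The latter cannot be told from noise by DNS alone (vpn.example.com in the
    constructed zone is a real host hidden this way) and need another check,
    such as an HTTP request with the Host header set.
    """
    wild = wildcard_ips(parent, resolve)
    found, ambiguous = {}, {}
    for word in words:
        name = f"{word}.{parent}"
        ips = frozenset(resolve(name))
        if not ips:
            continue
        if wild and ips == wild:
            ambiguous[name] = sorted(ips)
        else:
            found[name] = sorted(ips)
    return found, ambiguous


if __name__ == "__main__":
    wordlist = ["www", "mail", "vpn", "ftp", "admin", "api"]
    print("wildcard for", ROOT, "->", sorted(wildcard_ips(ROOT, fake_resolve)))
    print(brute_force(ROOT, wordlist, fake_resolve))
    print(brute_force("dev." + ROOT, wordlist, fake_resolve))
```

With a real resolver the same two functions apply unchanged; rate-limit the queries and spread them over several resolvers, since a burst of NXDOMAIN answers from one source is easy to spot on the target's authoritative servers.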

3.2.14. Cache Detection Technology

In corporate networks, DNS servers are usually configured to provide name resolution for hosts on the network. DNS cache snooping sends resolution requests to such a server with the recursion-desired (RD) flag cleared, so the server answers only if the name is already in its cache; whether an answer comes back reveals whether some host behind that server has recently requested the name. This can be used to detect the use of certain software, especially security software, by probing for its update or telemetry domains. Many resolvers refuse non-recursive queries from outside the network, and a cached answer's decremented TTL also indicates roughly when it was fetched.
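As an added example (not from the original page) serving this section and 3.2.8: both techniques are queries with particular header values, so the block builds raw DNS messages with the standard library only. It produces the RD=0 cache-snooping probe and the TCP-framed AXFR request (qtype 252), parses a DNS response including name compression, and decides from the response whether a name was cached. No packet is sent; the reply is constructed in the block, and the probed name `update.example-av.example` is an assumed vendor hostname, not a real one.

```python
import struct

QTYPE = {"A": 1, "AXFR": 252}
RD = 0x0100          # Recursion Desired
RA = 0x0080          # Recursion Available
QR = 0x8000          # response bit
RCODE_MASK = 0x000F


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus a zero byte."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid, recursion_desired):
    """12-byte header followed by one question (class IN)."""
    flags = RD if recursion_desired else 0
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1))


def snoop_query(name, txid=0x1234):
    """Cache-snooping probe: RD=0, so a well-behaved resolver answers only
    from its cache and otherwise returns no answer section."""
    return build_query(name, "A", txid, recursion_desired=False)


def axfr_query(zone, txid=0x1234):
    """Zone-transfer request (qtype 252). AXFR runs over TCP, where every
    message carries a 2-byte big-endian length prefix."""
    q = build_query(zone, "AXFR", txid, recursion_desired=False)
    return struct.pack("!H", len(q)) + q


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after it).
    The hop limit stops a crafted response whose pointers loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Header flags, questions and resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 4                                      # qtype + qclass
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)      # render A records
        records.append((name, rtype, ttl, rdata))
    return {"id": txid, "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "questions": questions, "records": records}


def is_cached(parsed):
    """Snooping verdict: an RD=0 query answered with A records was served
    from cache, i.e. some client behind that resolver asked for the name."""
    return parsed["rcode"] == 0 and any(r[1] == 1 for r in parsed["records"])


def build_response(txid, name, qtype, answers, rd=False):
    """Constructed reply standing in for a live server, using a compression
    pointer (0xC00C) back to the question name as real servers do."""
    msg = struct.pack("!HHHHHH", txid, QR | RA | (RD if rd else 0), 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    for rname, ip, ttl in answers:
        msg += b"\xc0\x0c" if rname == name else encode_name(rname)
        msg += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return msg


if __name__ == "__main__":
    probe = snoop_query("update.example-av.example")          # constructed vendor name
    reply = build_response(0x1234, "update.example-av.example", "A",
                           [("update.example-av.example", "192.0.2.55", 120)])
    print("cached:", is_cached(parse_response(reply)))
    print("AXFR query:", axfr_query("example.com").hex())
```

To use the probe for real, send `snoop_query()` over UDP to the resolver and feed the reply to `parse_response()`; for the transfer, send `axfr_query()` over TCP to each NS and keep reading length-prefixed messages until the second SOA record arrives. Treat rcode 5 (REFUSED) as the expected, correctly configured outcome in both cases.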