Perimeter
- DNS
$ nslookup example.com- Subdomains & AXFR
- AS details
- $
whois example.com - $
whois 127.0.0.1 - Check for DNS Amplification
- CMS, Stack, Vulns
- WhatWeb, Wappalyzer
- Shodan / Censys / SecurityTrails
- Google Dorks
/robots.txt/sitemap.xml
dig:
$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short
whois:
$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1
whois:
$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666
Map IP addresses to AS by
origin and netname ignoring potentionally unwanted netname values by keywords:whois.sh
#!/bin/bash
# Usage: whois.sh ip_list.txt
for ip in `cat $1`; do
WHOIS=`whois $ip`
ASNUM=`echo $WHOIS | grep -i "origin:" | tr -d ' ' | cut -d ":" -f 2 | tr $'\n' ','`
NETNAME=`echo $WHOIS | grep -i "netname:" | tr -d ' ' | cut -d ":" -f 2`
if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
echo "$ASNUM,$NETNAME,$ip"
fi
done
$ for i in `das -db corp scan -ports all -show -raw | sort -u`; do whois $i | grep -e org-name: -e netname: -e route: -e origin:; echo ---; done
$ asnmap -i `das -db corp scan -ports all -show -raw | sort -u | sed -z 's/\n/,/g;s/,$/\n/'` -silent
$ asnmap -d `cat domains.txt | sed -z 's/\n/,/g;s/,$/\n/'` -silent
Last modified 2mo ago