Perimeter
- DNS
  $ nslookup example.com
- Subdomains & AXFR
- AS details
  $ whois example.com
  $ whois 127.0.0.1
- Check for DNS Amplification
- CMS, Stack, Vulns
  - WhatWeb, Wappalyzer
  - Shodan / Censys / SecurityTrails
  - Google Dorks
  /robots.txt
  /sitemap.xml
dig (Team Cymru expects the octets reversed, <d>.<c>.<b>.<a>.origin.asn.cymru.com; the inner dig -x is only used to obtain that reversed form from the in-addr.arpa name):
$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short
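The same Team Cymru lookup as a small script, added here as an example (not code from the original page): the octet reversal is done in the shell instead of via a reverse PTR query, and the TXT answer ("ASN | prefix | CC | registry | allocated") is parsed into a CSV row. Function names, the CSV layout and the sample answers are my own; only the origin.asn.cymru.com zone comes from the page.

```shell
#!/bin/bash
# Added example: IPv4 -> origin AS via Team Cymru's DNS interface.
# cymru_qname and parse_cymru_txt work offline; lookup_ip_asn needs network.

# Build the query name: 216.90.108.31 -> 31.108.90.216.origin.asn.cymru.com
cymru_qname() {
    old_ifs=$IFS; IFS=.
    set -- $1                     # split the IP on dots into $1..$4
    IFS=$old_ifs
    printf '%s.%s.%s.%s.origin.asn.cymru.com\n' "$4" "$3" "$2" "$1"
}

# Parse one TXT answer as returned by dig +short, e.g.
#   "23028 | 216.90.108.0/24 | US | arin | 1998-09-25"
# into: ip,asn,prefix,cc,registry
# A prefix with several origin ASNs lists them space separated in the first
# field; they are joined with ';' so the row keeps a fixed number of columns.
parse_cymru_txt() {
    ip=$1
    txt=$(printf '%s\n' "$2" | tr -d '"' | sed 's/ *| */|/g')
    old_ifs=$IFS; IFS='|'
    set -- $txt                   # $1=asn(s) $2=prefix $3=cc $4=registry $5=allocated
    IFS=$old_ifs
    asn=$(printf '%s' "$1" | tr ' ' ';')
    printf '%s,%s,%s,%s,%s\n' "$ip" "$asn" "$2" "$3" "$4"
}

# Live lookup: one IP in, one CSV row out (empty columns if nothing is announced).
lookup_ip_asn() {
    txt=$(dig +short "$(cymru_qname "$1")" TXT | head -n 1)
    if [ -z "$txt" ]; then
        printf '%s,,,,\n' "$1"
        return 1
    fi
    parse_cymru_txt "$1" "$txt"
}

# Usage: ./cymru_asn.sh ip_list.txt   (one IPv4 address per line)
if [ -n "$1" ] && [ -f "$1" ]; then
    while read -r ip; do
        [ -n "$ip" ] && lookup_ip_asn "$ip"
    done < "$1"
fi
```

Because each query is a single DNS request, this scales to large IP lists far better than a whois call per address, and the answer already carries the announced prefix, so you can group addresses by prefix before pulling the netname from whois.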
whois (by IP):
$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1
whois (by AS number):
$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666
Map IP addresses to their AS by origin and netname, skipping netnames that match unwanted keywords (here pppoe/ipoe, i.e. residential access pools):
whois.sh
#!/bin/bash
# Usage: whois.sh ip_list.txt
# Prints "ASN(s),NETNAME,IP" per address; netnames containing pppoe/ipoe are dropped.
while read -r ip; do
    [ -n "$ip" ] || continue
    WHOIS=$(whois "$ip")
    # Quote the variable so whois output keeps its line breaks for grep.
    # route objects carry "origin: ASxxxx"; several are joined with ','.
    ASNUM=$(echo "$WHOIS" | grep -i "^origin:" | tr -d ' ' | cut -d ':' -f 2 | sort -u | paste -sd ',' -)
    # inetnum objects carry "netname:"; several are joined with ';'.
    NETNAME=$(echo "$WHOIS" | grep -i "^netname:" | tr -d ' ' | cut -d ':' -f 2 | sort -u | paste -sd ';' -)
    if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
        echo "$ASNUM,$NETNAME,$ip"
    fi
done < "$1"