DNS analysis

passiverecon footprinting web_information_gathering

DNS records lookup

You can use the nslookup/dig commands to query DNS servers. You can also use the DNSdumpster website to find both domains and subdomains.

You can also check DNSRecon, but it's mainly used during discovery.

➡️ Find attack vectors: domains, subdomains, mail servers... TXT records may also expose third-party apps and services (for example through SPF includes and domain-verification tokens).
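As an added example (not part of these notes or of any tool they mention), the Python below audits a zone's TXT records the way a defender would to see which third-party services the zone advertises: it pulls the targets of SPF `include:` directives and matches common domain-verification token prefixes. The sample records and the token-to-service mapping are constructed assumptions; the record shape matches what `dig +short TXT example.com` prints.

```python
import re
from collections import defaultdict

# Constructed sample TXT records for an imaginary zone (not real data);
# each entry is one string as printed by `dig +short TXT <zone>`.
SAMPLE_TXT = [
    '"v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all"',
    '"google-site-verification=abc123"',
    '"MS=ms12345678"',
    '"atlassian-domain-verification=xyz789"',
    '"docusign=0123abcd"',
    '"some-unrelated-text"',
]

# Assumed mapping of verification-token prefixes to the service they reveal;
# extend it with the providers your own organisation uses.
VERIFICATION_TOKENS = {
    "google-site-verification": "Google Workspace / Search Console",
    "MS": "Microsoft 365",
    "atlassian-domain-verification": "Atlassian Cloud",
    "docusign": "DocuSign",
    "facebook-domain-verification": "Facebook Business",
}


def parse_txt_records(records):
    """Return {service_or_domain: [evidence, ...]} for every third-party
    service the TXT records reveal: SPF include targets and known
    verification tokens. Unknown records are ignored."""
    findings = defaultdict(list)
    for raw in records:
        rec = raw.strip().strip('"')
        if rec.lower().startswith("v=spf1"):
            # Every include: names a provider allowed to send mail as this zone.
            for term in rec.split()[1:]:
                if term.startswith("include:"):
                    findings[term[len("include:"):]].append("spf include")
            continue
        m = re.match(r"([A-Za-z0-9_-]+)=", rec)
        if m and m.group(1) in VERIFICATION_TOKENS:
            findings[VERIFICATION_TOKENS[m.group(1)]].append("verification token")
    return dict(findings)


if __name__ == "__main__":
    for name, evidence in parse_txt_records(SAMPLE_TXT).items():
        print(f"{name}: {', '.join(evidence)}")
```

Run it against the real output of `dig +short TXT <your-zone>` to see which providers your own zone discloses and whether each one is still in use.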


WHOIS

You can use whois to dig for registrar information.

➡️ Find a (human) target to attack.

Certificate Transparency (CT)

subdomainenumeration

Another popular way to find subdomains is to study the certificates issued for a domain. An SSL certificate is usually issued for multiple domains at once, so we may find subdomains or other domains this way.

See SSL tools such as crt.sh.

➡️ Find attack vectors: subdomains or other domains.


👻 To-do 👻

Stuff that I found but haven't read/used yet.

$ sudo apt install subfinder
$ subfinder -d example.com