Why Should You Find Domains Owned by a Company?
During a black box or grey box penetration testing engagement for a company, one of the main things you will need to discover is the domains owned by that company. The same technique is also useful for marketing and business analysis purposes.
The first step is a basic search to find the company's website and thus its domain name.
You will use this domain to perform a whois lookup and find the “Registrant Organization” name for the domain. Reverse whois lookups are a powerful way to identify relationships between domains through the registrant's information.
NOTE: Some domain owners have opted for “Private Registration”. In this case their contact details will not be available in the public whois database.
Web Based and Local Tools for Whois Lookup
There are many online tools to perform a whois lookup. One of them is whois.domaintools.com.
Another way is through the command line. The whois command, on Windows and Linux alike, will return the results you are looking for. For example, the record for cnn.com looks like this:
Domain Name: cnn.com
Registry Domain ID: 3269879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2020-10-20T13:09:44Z
Creation Date: 1993-09-22T00:00:00.000-04:00
Registrar Registration Expiration Date: 2026-09-21T00:00:00.000-04:00
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited http://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Registry Registrant ID:
Registrant Name: Domain Name Manager
Registrant Organization: Turner Broadcasting System, Inc.
Registrant Street: One CNN Center
Registrant City: Atlanta
Registrant State/Province: GA
Registrant Postal Code: 30303
Registrant Country: US
Registrant Phone: +1.4048275000
Registrant Phone Ext:
Registrant Fax: +1.4048271995
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Name Manager
Admin Organization: Turner Broadcasting System, Inc.
Admin Street: One CNN Center
Admin City: Atlanta
Admin State/Province: GA
Admin Postal Code: 30303
Admin Country: US
Admin Phone: +1.4048275000
Admin Phone Ext:
Admin Fax: +1.4048271995
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: TBS Server Operations
Tech Organization: Turner Broadcasting System, Inc.
Tech Street: One CNN Center
Tech City: Atlanta
Tech State/Province: GA
Tech Postal Code: 30303
Tech Country: US
Tech Phone: +1.4048275000
Tech Phone Ext:
Tech Fax: +1.4048271593
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ns-1086.awsdns-07.org
Name Server: ns-1630.awsdns-11.co.uk
Name Server: ns-47.awsdns-05.com
Name Server: ns-576.awsdns-08.net
DNSSEC: unsigned
Find Domains Registered With the Same Name Using a Reverse Lookup
Use the name you found with whois and perform a reverse whois lookup to discover more domains registered to the same name.
Many online services charge for such a service, but there are free resources out there you can use.
Some good online tools for whois and reverse whois lookups are:
Some domain owners may have opted for “private” registration (Google Apps does this for free), and in that case their contact details won’t be available in the public whois database.
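As an added example (not code from the article), a small Python parser for a whois record like the one above: it pulls out the registrant fields a reverse-whois search would pivot on and returns nothing when the record has been hidden by private registration. The two sample records, the placeholder organisation and e-mail, and the list of privacy-marker strings are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample records (not real lookups); the field layout mirrors the
# whois output shown in the article. Names and e-mail addresses are placeholders.
SAMPLE_WHOIS = """\
Domain Name: example.com
Registry Domain ID: 0000000_DOMAIN_COM-VRSN
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Name Manager
Registrant Organization: Example Corp, Inc.
Registrant Email: hostmaster@example.com
Admin Organization: Example Corp, Inc.
Name Server: ns-1.example-dns.net
Name Server: NS-2.example-dns.org
DNSSEC: unsigned
"""
PRIVATE_WHOIS = """\
Domain Name: example.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Domain Privacy Service, LLC (placeholder)
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: ns-1.example-dns.net
"""
# Substrings that registrars and privacy proxies put in place of real contact data.
# Assumed list; extend it with the markers the registrars you deal with actually use.
PRIVACY_MARKERS = ("redacted for privacy", "privacy", "proxy", "whoisguard", "query the rdds")

def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}; repeated keys (Name Server, Domain Status) keep every value."""
    fields = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only, so URLs keep theirs
        if sep and value.strip():               # empty fields such as 'Registry Registrant ID:' are dropped
            fields[key.strip()].append(value.strip())
    return dict(fields)

def registrant_pivot(fields):
    """Return the values a reverse-whois search would pivot on, or None when the record is private."""
    org = fields.get("Registrant Organization", [""])[0]
    email = fields.get("Registrant Email", [""])[0]
    if not org or any(m in (org + " " + email).lower() for m in PRIVACY_MARKERS):
        return None
    return {"organization": org, "email": email,
            "name_servers": sorted(ns.lower() for ns in fields.get("Name Server", []))}

if __name__ == "__main__":
    print(registrant_pivot(parse_whois(SAMPLE_WHOIS)))   # organisation, e-mail and name servers
    print(registrant_pivot(parse_whois(PRIVATE_WHOIS)))  # None: private registration, nothing to pivot on
```

The name servers are kept alongside the organisation because they are a second, weaker signal of common ownership when the contact fields are redacted.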
Use Google Analytics Lookups
Google AdSense is popular only among content publishers, but almost every website uses Google Analytics for traffic statistics, and there are online tools that can quickly find all websites connected to the same Google Analytics account.
Download the AnalyticsRelationships script here
git clone https://github.com/Josue87/AnalyticsRelationships
The script is available in both Go and Python versions.
cd AnalyticsRelationships/Python
sudo pip3 install -r requirements.txt
cd AnalyticsRelationships/
go build -ldflags "-s -w"
To run the script, simply pass the URL of the website you want to search for:
python3 analyticsrelationships.py -u https://www.example.com
It will reveal other websites using the same Google Analytics ID, which possibly belong to the same owner.
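As an added example (not part of the article or of the AnalyticsRelationships project), the core of what such a lookup relies on: extracting the Google Analytics tracker IDs embedded in page source and grouping the hosts that share one. The page snippets are constructed, and the regular expressions are assumptions about the UA-<account>-<property> and G-<id> formats.

```python
import re
from collections import defaultdict

# Assumed ID formats: Universal Analytics "UA-<account>-<property>" and GA4 "G-<measurement id>".
# Only the account part of a UA ID matters for ownership: UA-1234567-1 and UA-1234567-3
# are two properties of the same account.
UA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")
GA4_RE = re.compile(r"\bG-[A-Z0-9]{6,12}\b")

def extract_tracker_ids(html):
    """Return the set of Google Analytics account/measurement IDs found in a page's HTML."""
    ids = {"UA-" + account for account in UA_RE.findall(html)}
    ids |= set(GA4_RE.findall(html))
    return ids

def group_by_tracker(pages):
    """Map each tracker ID to the sorted hostnames embedding it, keeping only IDs shared by 2+ hosts."""
    groups = defaultdict(set)
    for host, html in pages.items():
        for tracker_id in extract_tracker_ids(html):
            groups[tracker_id].add(host)
    return {tid: sorted(hosts) for tid, hosts in groups.items() if len(hosts) > 1}

# Constructed page snippets (not fetched from any real site); hostnames are placeholders.
SAMPLE_PAGES = {
    "www.example.com": '<script>ga("create", "UA-1234567-1", "auto");</script>',
    "shop.example.com": '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-3"></script>',
    "events.example.net": "gtag('config', 'G-ABC123XYZ9');",
    "blog.example.org": "gtag('config', 'G-ABC123XYZ9'); gtag('config', 'UA-1234567-7');",
    "unrelated.example": "<html><body>no tracker here</body></html>",
}

if __name__ == "__main__":
    for tracker_id, hosts in sorted(group_by_tracker(SAMPLE_PAGES).items()):
        print(tracker_id, "->", ", ".join(hosts))
```

Hosts that appear under the same ID are candidates for common ownership, not proof of it: agencies and hosting providers sometimes reuse one account across unrelated customers, so confirm with the whois data from the previous section.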
What To Do Next
After you have gathered the domains owned by the company you are researching (or engaging with during a penetration testing exercise), you can go on to discover their subdomains, which will reveal the services running on them.
See this article on how to discover subdomains using multiple methods and tools.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.