Why Should You Find Domains Owned by a Company?
During a black-box or grey-box penetration testing engagement for a company, one of the first things you need to discover is the set of domains the company owns. The same technique is also useful for marketing and business analysis purposes.
The first step is a basic search to find the company's website and thus its primary domain name.
You then use this domain to perform a whois lookup and find the "Registrant Organization" name for it. Reverse whois lookups are a powerful way to identify relationships between domains through the registrant's information.
NOTE: Some domain owners have opted for “Private Registration”. In this case their contact details will not be available in the public whois database.
Web Based and Local Tools for Whois Lookup
There are many online tools for performing a whois lookup. One of them is whois.domaintools.com.
Another way is through the command line. The whois command, on Windows and Linux alike, returns the results you are looking for. For example:
whois cnn.com
will return:
Domain Name: cnn.com
Registry Domain ID: 3269879_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2020-10-20T13:09:44Z
Creation Date: 1993-09-22T00:00:00.000-04:00
Registrar Registration Expiration Date: 2026-09-21T00:00:00.000-04:00
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited http://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Registry Registrant ID:
Registrant Name: Domain Name Manager
Registrant Organization: Turner Broadcasting System, Inc.
Registrant Street: One CNN Center
Registrant City: Atlanta
Registrant State/Province: GA
Registrant Postal Code: 30303
Registrant Country: US
Registrant Phone: +1.4048275000
Registrant Phone Ext:
Registrant Fax: +1.4048271995
Registrant Fax Ext:
Registrant Email: tmgroup@turner.com
Registry Admin ID:
Admin Name: Domain Name Manager
Admin Organization: Turner Broadcasting System, Inc.
Admin Street: One CNN Center
Admin City: Atlanta
Admin State/Province: GA
Admin Postal Code: 30303
Admin Country: US
Admin Phone: +1.4048275000
Admin Phone Ext:
Admin Fax: +1.4048271995
Admin Fax Ext:
Admin Email: tmgroup@turner.com
Registry Tech ID:
Tech Name: TBS Server Operations
Tech Organization: Turner Broadcasting System, Inc.
Tech Street: One CNN Center
Tech City: Atlanta
Tech State/Province: GA
Tech Postal Code: 30303
Tech Country: US
Tech Phone: +1.4048275000
Tech Phone Ext:
Tech Fax: +1.4048271593
Tech Fax Ext:
Tech Email: hostmaster@turner.com
Name Server: ns-1086.awsdns-07.org
Name Server: ns-1630.awsdns-11.co.uk
Name Server: ns-47.awsdns-05.com
Name Server: ns-576.awsdns-08.net
DNSSEC: unsigned
Find Domains Registered with the same name With Reverse Lookup
Take the registrant organization name you found with whois and perform a reverse whois lookup to discover other domains registered to the same name.
Many online services charge for this, but there are free resources you can use.
Some good online tools for whois and reverse whois lookups are:
Some domain owners may have opted for “private” registration (Google Apps does this for free) and in that case, their contact details won’t be available in the public whois database.
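Before pivoting to a reverse whois lookup it helps to pull the registrant fields out of the raw record and check whether the registration is private, since a proxy organisation name would only lead you to every other customer of that privacy service. The following Python script is an added example, not part of the original article: it parses the "Key: value" format the whois command prints, uses an abridged copy of the cnn.com record shown above plus a constructed privacy-protected record, and returns only the values worth feeding into a reverse whois search. The privacy markers list is an assumption covering common redaction wording, not an exhaustive rule.

```python
from typing import Dict, List

# Constructed sample: an abridged copy of the cnn.com whois record shown above.
CNN_WHOIS = """Domain Name: cnn.com
Registrar: CSC CORPORATE DOMAINS, INC.
Registrant Name: Domain Name Manager
Registrant Organization: Turner Broadcasting System, Inc.
Registrant Email: tmgroup@turner.com
Admin Email: tmgroup@turner.com
Tech Email: hostmaster@turner.com
Name Server: ns-1086.awsdns-07.org
Name Server: ns-1630.awsdns-11.co.uk
Name Server: ns-47.awsdns-05.com
Name Server: ns-576.awsdns-08.net
DNSSEC: unsigned
"""

# Constructed sample: a domain whose owner opted for private registration.
PRIVATE_WHOIS = """Domain Name: example-private.test
Registrar: Example Registrar LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: ns1.example.test
DNSSEC: unsigned
"""

# Assumed wording that typically signals a privacy/proxy registration.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld", "rdds service")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into a dict of lists (keys such as Name Server repeat)."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only: values such as URLs contain colons too.
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:  # skip empty fields like "Registrant Phone Ext:"
            record.setdefault(key, []).append(value)
    return record


def is_private_registration(record: Dict[str, List[str]]) -> bool:
    """True when the registrant fields look like a privacy/proxy service."""
    fields = [
        v
        for k in ("registrant name", "registrant organization", "registrant email")
        for v in record.get(k, [])
    ]
    return any(marker in v.lower() for v in fields for marker in PRIVACY_MARKERS)


def pivot_candidates(record: Dict[str, List[str]]) -> dict:
    """Return the values worth using in a reverse whois lookup, or {} if private."""
    if is_private_registration(record):
        return {}
    emails = set()
    for key in ("registrant email", "admin email", "tech email"):
        emails.update(record.get(key, []))
    return {
        "organization": record.get("registrant organization", [None])[0],
        "emails": sorted(emails),
        # The mail domain itself is often a second, company-owned domain.
        "email_domains": sorted({e.rsplit("@", 1)[-1].lower() for e in emails}),
    }


if __name__ == "__main__":
    for raw in (CNN_WHOIS, PRIVATE_WHOIS):
        rec = parse_whois(raw)
        print(rec["domain name"][0], "->", pivot_candidates(rec) or "private registration")
```

Name servers are deliberately not returned as pivots: the record above points at shared awsdns hosts, which are common to many unrelated Route 53 customers and would not indicate common ownership.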
Use Google Analytics Lookups
Google AdSense is only popular among content publishers, but almost every website uses Google Analytics for traffic statistics, and there are online tools that can quickly find all websites connected to the same Google Analytics account.
Download the AnalyticsRelationships script here
git clone https://github.com/Josue87/AnalyticsRelationships
The script is available in both Go and Python versions.
Python
cd AnalyticsRelationships/Python
sudo pip3 install -r requirements.txt
GO
cd AnalyticsRelationships/
go build -ldflags "-s -w"
To run the script, simply pass the URL of the website you want to search for:
python3 analyticsrelationships.py -u https://www.example.com
It will reveal other websites using the same Google analytics ID, possibly belonging to the same owner.
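The relationship the tool relies on is the tracking ID embedded in each page: Universal Analytics IDs have the form UA-<account>-<property>, so two sites with the same account number but different property suffixes belong to the same account, while newer G- measurement IDs expose no account component and can only be matched exactly. The Python below is an added example, not the AnalyticsRelationships project's code: it extracts IDs from constructed HTML snippets (standing in for pages a crawler would fetch) and groups the sites by account, so you can see which ones are candidates for common ownership. The regex bounds and the sample sites are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample pages: the HTML a crawler would fetch from each site.
SAMPLE_PAGES: Dict[str, str] = {
    "https://www.example.com": (
        '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123456-1"></script>'
        "<script>gtag('config', 'UA-123456-1');</script>"
    ),
    "https://shop.example.net": "<script>ga('create', 'UA-123456-3', 'auto');</script>",
    "https://blog.example.org": "<script>gtag('config', 'G-ABC123XYZ');</script>",
    "https://unrelated.test": "<script>ga('create', 'UA-999999-1', 'auto');</script>",
    "https://static.example.com": "<html><body>no analytics here</body></html>",
}

# Universal Analytics (UA-account-property) and GA4 measurement (G-...) IDs.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def extract_ga_ids(html: str) -> List[str]:
    """All distinct Google Analytics IDs found in a page body."""
    return sorted(set(GA_ID_RE.findall(html)))


def account_key(ga_id: str) -> str:
    """Reduce an ID to the part shared by every property of the same account."""
    if ga_id.startswith("UA-"):
        return "UA-" + ga_id.split("-")[1]  # drop the per-property suffix
    return ga_id  # G- IDs carry no visible account number


def group_by_account(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each analytics account key to the sites that embed it."""
    groups = defaultdict(set)
    for url, html in pages.items():
        for ga_id in extract_ga_ids(html):
            groups[account_key(ga_id)].add(url)
    return {key: sorted(urls) for key, urls in groups.items()}


def related_sites(pages: Dict[str, str], url: str) -> List[str]:
    """Sites sharing an analytics account with `url`, excluding `url` itself."""
    groups = group_by_account(pages)
    mine = {account_key(i) for i in extract_ga_ids(pages.get(url, ""))}
    related = set()
    for key in mine:
        related.update(groups.get(key, []))
    related.discard(url)
    return sorted(related)


if __name__ == "__main__":
    for site in SAMPLE_PAGES:
        print(site, "->", related_sites(SAMPLE_PAGES, site) or "no shared account")
```

A shared account number is a strong hint, not proof, of common ownership: agencies that manage analytics for several clients can produce the same link between otherwise unrelated companies, so confirm each candidate with whois or certificate data before adding it to the scope.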
What To Do Next
After you have gathered the domains owned by the company you are researching, or engaging with during a penetration testing exercise, you can go on to discover their subdomains, which will reveal the services running on them.
See this article on how to discover subdomains using multiple methods and tools.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.