What is domain expansion?
Simply put, it's enumerating registered domains with the same name but different TLDs (top level domains, e.g. .com, .net, .info etc.).
For example, I work for a company named Sensepost, and EVERYBODY knows that the Sensepost domain is sensepost.com. But is that the only "sensepost" domain associated with my workplace? Using the process of domain expansion you will find that there is more than meets the eye...
Going old school, no really...
I found that the best way to determine whether a domain exists is to try to retrieve its SOA (Start of Authority) DNS record. For more detail about the different DNS record types please read this. Now how do we do that? Well, on my trusty *nix or OS X box I'll use the dig command with the -t soa flag. So to check whether sensepost.com (and then sensepost.info) exists I'll do the following:
dig -t soa sensepost.com
dig -t soa sensepost.info
Enter the Yeti...
This was one of the main reasons that I wrote Yeti. Sensepost had a tool called BidiBlah, but sadly that tool was written in .NET and I'm unfortunately (or fortunately) a *nix/OS X user, so I decided to write Yeti in Java, and the big aim was to improve on the time it took to do domain expansions and verify the data. So here goes: the first step is to start up Yeti and click on the "Domain Expand" button
and then enter the term "sensepost" into the text box. Just a note: we don't want to add the domain name, e.g. "sensepost.com" or "sensepost.gov.mil", because we want to check for domains that look like sensepost.co.uk.
Then press the start button and let the Yeti do the work!
Now what Yeti does is check whether the SOA record for a specific domain exists; if it does, it fetches the name server records associated with that domain. The best feature, however, is that it performs a whois request automatically when a valid domain is found. Once you select a domain in the results grid, the whois result appears in the text panel on the right-hand side! Awesome, that cuts out all the manual work.
But wait, there is more...
Notice the filter box on the left-hand side? Well, that is there to make your life even easier. Once the domain expand is complete, look at the whois results for known domains owned by the target. Try to find "strings" like the registrant name, address or email address that might appear in the whois records of other domains owned by the target.
Add this text to the filter box and press "Filter".
Yeti will now automatically select all the domains that contain one or more of the filter strings in their whois result.
And that is how you make domain expansion fun, easy and quick.
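To show the two steps above end to end, here is an added Python example (not Yeti's code, nor anything from the original post): it builds term.<tld> candidates, keeps the ones that return an SOA record, and then applies the whois "filter box" idea. The dig_soa helper assumes the dig binary is installed and DNS is reachable, exactly as in the manual commands earlier; the demo itself runs offline against constructed SOA and whois data for "example", so nothing in it reflects real registrations.

```python
"""Domain expansion as described in the post: try <term>.<tld> for each TLD,
keep the candidates that answer an SOA query, then pick out the ones whose whois
text contains strings tied to the target. All demo data below is constructed."""
import subprocess
from typing import Callable, Dict, List, Optional

# Assumption: a real run would use the full IANA TLD list plus common second-level
# suffixes (co.uk, co.za, ...); this short list keeps the demo readable.
DEFAULT_TLDS = ["com", "net", "org", "info", "co.uk", "co.za", "de"]


def dig_soa(domain: str) -> Optional[str]:
    """Look up the SOA record with the system dig binary, as the post does by hand.
    Assumes dig is installed and DNS is reachable. Returns the SOA text, or None
    when the name has no SOA (NXDOMAIN, or the name is not a zone apex)."""
    try:
        proc = subprocess.run(["dig", "+short", "-t", "soa", domain],
                              capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # With +short, dig prints only answer RRs; lines starting with ";" are diagnostics.
    answers = [ln for ln in proc.stdout.splitlines() if ln and not ln.startswith(";")]
    return answers[0] if answers else None


def expand_domain(term: str, tlds: List[str],
                  soa_lookup: Callable[[str], Optional[str]] = dig_soa) -> Dict[str, str]:
    """Return {domain: soa_record} for every term.<tld> that has an SOA record.
    soa_lookup is injectable so the expansion can run against canned data offline."""
    found: Dict[str, str] = {}
    for tld in tlds:
        candidate = f"{term}.{tld.lstrip('.')}"
        soa = soa_lookup(candidate)
        if soa:
            found[candidate] = soa
    return found


def filter_by_whois(whois_by_domain: Dict[str, str], filters: List[str]) -> List[str]:
    """Mirror the filter box: return the domains whose whois text contains one or
    more of the filter strings (case-insensitive). Blank filters are ignored."""
    wanted = [f.strip().lower() for f in filters if f.strip()]
    return sorted(domain for domain, text in whois_by_domain.items()
                  if any(f in text.lower() for f in wanted))


# Constructed sample data standing in for live DNS and whois answers.
SAMPLE_SOA = {
    "example.com":   "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300",
    "example.net":   "ns1.parkingco.invalid. dns.parkingco.invalid. 2023120501 7200 900 604800 300",
    "example.co.uk": "ns1.example.com. hostmaster.example.com. 2024010102 3600 900 604800 300",
}
SAMPLE_WHOIS = {
    "example.com":   "Registrant Name: Example Holdings Ltd\nRegistrant Email: hostmaster@example.com",
    "example.net":   "Registrant Name: Domain Parking Co\nRegistrant Email: sales@parkingco.invalid",
    "example.co.uk": "Registrant: Example Holdings Ltd\nRegistrant's address: 1 Sample Street",
}


def demo():
    """Run the expansion against the canned data, then filter on registrant details
    taken from the whois of a domain already known to belong to the target."""
    found = expand_domain("example", DEFAULT_TLDS, SAMPLE_SOA.get)
    whois = {d: SAMPLE_WHOIS[d] for d in found}
    matched = filter_by_whois(whois, ["Example Holdings", "hostmaster@example.com"])
    return found, matched


if __name__ == "__main__":
    found, matched = demo()
    for domain, soa in found.items():
        print(f"{domain:15} SOA {soa}")
    print("likely owned by target:", matched)
```

The split into two steps matters: an SOA answer only tells you that the name is registered and delegated somewhere, not who holds it. In the constructed data, example.net resolves fine but its whois points at a parking company, so the filter drops it while keeping the two domains whose registrant details match the known one. Swap SAMPLE_SOA.get for the default dig_soa to run the same logic against live DNS.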
Please stay tuned for a tutorial on how to use the different filters.
As always, drop me an email if you have any questions.