In the Domain Expansion module we attempted to find the domains that can be associated with a company or entity. Now that you have the domains, finding the associated hosts can be seen as a journey of discovery.
Quickly, a background on what DNS is. Every device on the Internet has to have a numeric IP address. However, for humans, it is easier to remember a name than numbers, thus, we assign names to IP addresses. So, when we type in http://www.sensepost.com, for all practical purposes we are dealing with a device on IP 209.61.188.39. The process therefore to find the IP address for a domain name is called a forward DNS look-up. To retrieve the name from an IP, the process is called a reverse DNS look-up. To deal with rDNS, Yeti also has a module for this.
In the early days, companies probably only had a www, ftp or portal prefixes to their domain names. Nowadays, companies can have hundreds of possible devices in its domain.
Enter the Yeti Forward Look-up module.
The concept is simple - make use of files that contain previously identified or guessed prefixes, attach the prefixes to the domain names, and perform a forward look-up on that name.
So, what we have done is to replace this:
With this:
Each file in the "Input Reference" list contains words that are very specific in nature. What we have done is to collect words and terms we have picked up over the years and created forward look-up brute force tables. As you will see some of them are very specific such as colours, Lord of the Rings characters and fruits, and some of them are a bit more here and there, such as the host file and aaastandard file. Select them all if you need to make sure you cover all the possibilities. You can also add to these lists, or make your own.
So, what happens after you click the 'Start' button?
Well, for one, we do name server look-ups to see what records we can derive from the nameservers for the respective domains. In this process we would probably pick up all NS, MX and A records.
However, we also attempt a zone transfer, and if the nameservers allow un-challenged zone transfer queries, those results would also be shown.
For your convenience, we have added tick boxes to un-tick the MX and NS servers because in the majority of cases, these servers do not belong to a company under review but rather an ISP.
Finally, we start attaching those prefixes to the domain names to perform the forward look-ups. Devices identified with the forward look-ups will be listed as FL.
Happy scanning