Tutorial - Domain expansion

If you are familiar with network footprinting, you will probably hate this step; by nature it is a very tedious and time-consuming process. But if you are new to this, allow me to first explain what it is, show you how to do it manually, and then show you my attempt at making my/your life easier.

What is domain expansion?
Simply put, it's enumerating registered domains with the same name but different TLDs (top-level domains, e.g. .com, .net, .info etc.).
For example, I work for a company named Sensepost, and EVERYBODY knows that the Sensepost domain is sensepost.com. But is that the only "sensepost" domain associated with my workplace? Using the process of domain expansion you will find that there is more than meets the eye...

Going old school, no really...
I found that the best way to determine whether a domain exists is to try and retrieve its SOA (Start of Authority) DNS record. For more detail about the different DNS record types please read this. Now how do we do that? Well, on my trusty *nix or OS X box I'll use the dig command with the -t soa flags. So to check if sensepost.com exists I'll do the following:
dig -t soa sensepost.com
In the answer section you'll notice an SOA entry for sensepost.com. So we now know that sensepost.com exists; now we need to find out who it belongs to, and for that we will use the old tried and trusted whois command:
whois sensepost.com
So at this point we know that sensepost.com exists and who it belongs to. So how about sensepost.info?
dig -t soa sensepost.info
Notice the missing "Answer section": from this we can see that the domain sensepost.info doesn't exist, so we don't need to "whois" it. This seems simple and quick enough, right? Well, consider that there are several hundred TLDs out there; doing this by hand and then checking the whois result will surely drive you up the wall if you have to expand 10+ domains. Trust me, I know how this feels.

Enter the Yeti...
This was one of the main reasons that I wrote Yeti. Sensepost had a tool called BidiBlah, but sadly that tool was written in .NET and I'm unfortunately (or fortunately) a *nix/OS X user, so I decided to write Yeti in Java, and the big aim was to improve on the time it took to do domain expands and verify the data. So here goes: the first step would be to start up Yeti and click on the "Domain Expand" button

and then enter the term "sensepost" into the text box. Just a note: we don't want to add the domain name, e.g. "sensepost.com" or "sensepost.gov.mil", because we want to check for domains that look like sensepost.co.uk.

And press the start button and let the Yeti do the work!
Now what Yeti does is check whether the SOA record for a specific domain exists; if it exists, it will get the name server records associated with that domain. The best feature however is that it performs a whois request automatically when a valid domain is found. Once you select a domain in the results grid, the whois result will appear in the text panel on the right-hand side! Awesome, cuts out all the manual work.

But wait, there is more...
Notice the filter box on the left-hand side? Well, that is to make your life even easier. Once the domain expand is completed, look at the whois results from known domains owned by the target. Try to find "strings" like the registrant name, address or email address that might appear in other whois records of domains owned by the target.
Add this text to the filter box and press "Filter".
Yeti will now automatically select all the domains that contain one or more of the filter strings in their whois result.
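The SOA check from the manual walkthrough and the whois filter described here, as an added Python example that is not Yeti's code or the post's own: it decides existence the same way (an SOA record in dig's ANSWER SECTION, not the parent zone's SOA that shows up in the AUTHORITY SECTION for a missing name) and selects domains whose whois text contains one or more filter strings. The dig outputs and whois records are constructed samples, and the dig_soa helper is the only part that needs the network, so the same code is handy for inventorying your own organisation's domain footprint.

```python
import subprocess
from typing import Callable, Iterable

# Constructed dig output for an existing domain: the SOA sits in the ANSWER SECTION.
DIG_EXISTS = """;; QUESTION SECTION:
;sensepost.com.\t\t\tIN\tSOA

;; ANSWER SECTION:
sensepost.com.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 1 7200 3600 604800 3600
"""
# Constructed dig output for a missing domain: dig still prints an SOA, but it is the
# parent zone's SOA in the AUTHORITY SECTION, and there is no ANSWER SECTION at all.
DIG_MISSING = """;; QUESTION SECTION:
;sensepost.info.\t\t\tIN\tSOA

;; AUTHORITY SECTION:
info.\t900\tIN\tSOA\tns.tld-example.net. hostmaster.tld-example.net. 1 7200 900 1209600 3600
"""

def has_soa_answer(dig_output: str) -> bool:
    """True only when an SOA record appears in dig's ANSWER SECTION."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            fields = line.split()
            if not fields or line.startswith(";"):
                break  # blank line or next section header ends the answer section
            if len(fields) > 3 and fields[3] == "SOA":  # name ttl class type ...
                return True
    return False

def dig_soa(domain: str) -> str:
    """Run `dig -t soa <domain>` and return its text; the only networked piece."""
    return subprocess.run(["dig", "-t", "soa", domain],
                          capture_output=True, text=True, check=False).stdout

def expand(term: str, tlds: Iterable[str],
           lookup: Callable[[str], str] = dig_soa) -> list[str]:
    """Return every term.<tld> whose SOA lookup has an answer, like Yeti's expand."""
    return [f"{term}.{tld}" for tld in tlds if has_soa_answer(lookup(f"{term}.{tld}"))]

def filter_by_whois(whois: dict[str, str], filters: Iterable[str]) -> list[str]:
    """Select the domains whose whois text contains one or more of the filter
    strings (case-insensitive), mirroring Yeti's filter box."""
    needles = [f.lower() for f in filters if f.strip()]
    return sorted(d for d, text in whois.items()
                  if any(n in text.lower() for n in needles))
```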

And that is how you make domain expansion fun, easy and quick.
Please stay tuned for a tutorial on how to use the different filters.
As always, drop me an email if you have any questions.

./w