🌐
Subdomain Enumeration Guide
  • Home 🏠
  • Introduction
    • What's the need ?🤔
    • Prerequisites
  • Types
    • Horizontal Enumeration
    • Vertical Enumeration
  • Passive Techniques
    • Passive Sources
    • Certificate Logs
    • Recursive Enumeration
  • Active Techniques
    • DNS Bruteforcing
    • Permutation/Alterations
    • Scraping(JS/Source code)
    • Google analytics
    • TLS, CSP, CNAME Probing
    • VHOST probing
  • Web probing
  • Automation 🤖
Powered by GitBook
On this page
  • Tool:
  • AnalyticsRelationships
  • Installation:
  • Running:

Was this helpful?

  1. Active Techniques

Google analytics

PreviousScraping(JS/Source code)NextTLS, CSP, CNAME Probing

Last updated 3 years ago

Was this helpful?

Most organizations use to track website visitors and for more statistics. Generally, they have the same Google Analytics ID across all subdomains of a root domain. This means we can perform a reverse search and find all the subdomains having the same ID. Hence, it helps us in the enumeration process.

Most people might be familiar with a browser extension called . But using this extension or its website is a manual process. We need some sort of command-line utility. That's when AnalyticsRelationships comes to the rescue.

Tool:

  • Author:

  • Language: Go/Python

AnalyticsRelationships is a tool to enumerate subdomains via Google Analytics ID. It does not require any login and has the capability to bypass the & captchas. This tool is available in 2 languages Python & Go. But the Go one is faster compared to the python one.

Installation:

git clone https://github.com/Josue87/AnalyticsRelationships.git
cd AnalyticsRelationships/GO
go build -ldflags "-s -w"

Running:

  • The output may contain false positives.

  • Also, you need to further DNS resolve them in order to get the valid ones.

./analyticsrelationships --url https://www.bugcrowd.com

Google Analytics
BuiltWidth
AnalyticsRelationships
Josué Encinar
BuiltWidth
HackerTarget