Horizontal Enumeration
While performing a security assessment, our main goal is to map out all the domains owned by a single entity, that is, every internet-facing asset of the target organization. Finding the related domains and acquisitions of an organization is trickier: the methods involved are tedious and do not always give accurate results, so a good deal of manual analysis is unavoidable.
The image that accompanied this section (not reproduced here) illustrates horizontal domain correlation: one organization owning several distinct root domains.
Let's look at how to find these related domains.

Methods:

These enumeration methods can go out of scope and backfire on you: they surface assets whose ownership is not confirmed, so verify that a domain really belongs to the target (and to the engagement) before touching it.

1) Discovering the IP space

An ASN (Autonomous System Number) is a unique number assigned to a network operator; the IP prefixes that operator announces on the internet are tied to it. Very large organizations such as Apple, GitHub and Tesla have their own significant IP space. To find the ASN of an organization, https://bgp.he.net is a useful website where we can query. Let's find the ASN for Apple Inc.
Now that we have found the ASN, next we need to figure out the IP ranges announced under it. For this, we will use the whois tool against the RADB routing registry.
whois -h whois.radb.net -- '-i origin AS714' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq

2) Finding related domains/acquisitions

a) WhoisXMLAPI

WhoisXMLAPI is an excellent source that provides a good number of related domains and acquisitions based on WHOIS records. Signing up on their platform assigns you 500 free credits which renew every month. Visit https://tools.whoisxmlapi.com/reverse-whois-search . Searching with a root domain name such as dell.com will list all the associated domains.
These results are not 100% accurate, as they contain false positives; treat each hit as a candidate to confirm rather than a confirmed asset.

b) Whoxy 💰

Whoxy is yet another great source to perform reverse WHOIS on parameters like Company Name, Registrant Email address and Owner Name. Whoxy has an enormous database of around 329M WHOIS records. But sadly this is a paid service :(
To effectively use Whoxy API there's a command-line tool called whoxyrm.

c) Crunchbase 💰

Crunchbase is another great alternative for finding acquisitions but requires a paid subscription to view all the acquisitions. The trial version allows viewing some of the acquisitions.

3) PTR records (Reverse DNS)

Now that we know the IP address ranges announced under the organization's ASN, we can perform PTR queries on those IP addresses and check for valid hosts. What is reverse DNS? When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name (example.com) to an IP address (such as 192.168.1.1). A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.
This means that, since we already know the IP space of an organization, we can reverse-query its IP addresses and find the valid domains. Sounds cool? One caveat: a PTR record is set by whoever controls the reverse zone for that address space, so the name it returns is a lead to verify, not proof of ownership.
But how? PTR (pointer) records help us achieve this. Using the dnsx tool we can query the PTR record of an IP address and find the associated hostname/domain name.
Apple Inc. 🍎 has ASN 714, which covers the IP range 17.0.0.0/8. So, let's see how to perform reverse DNS.

Running:

We will first need to install 2 tools:
  • Mapcidr: GO111MODULE=on go get -v github.com/projectdiscovery/mapcidr/cmd/mapcidr
  • dnsx: GO111MODULE=on go get -v github.com/projectdiscovery/dnsx/cmd/dnsx
echo 17.0.0.0/8 | mapcidr -silent | dnsx -ptr -resp-only -o output.txt

Breakdown:

  • When an IP range is given to mapcidr through stdin (standard input), it expands the range and prints each IP address on a new line: 17.0.0.1, 17.0.0.2, 17.0.0.3, 17.0.0.4, ...
  • dnsx then reads each IP address from stdin, performs a reverse DNS lookup and checks for a PTR record. If one is found, it gives us back the hostname/domain name.
Note: We can also combine the step of discovering the IP space with reverse DNS lookup into one-liner like:
whois -h whois.radb.net -- '-i origin AS714' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq | mapcidr -silent | dnsx -ptr -resp-only
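The two stages above (ASN prefixes from RADB, then CIDR expansion and PTR lookups) as a single pipeline in Python. This is an added example, not part of the original page and not code from the projectdiscovery tools: the RADB output, the PTR answers and the example.net hostnames are constructed inline so that it runs offline, and system_resolver is the only function that touches the network (the demo does not call it). Unlike the grep in the one-liner, it keys on the "route:" attribute and validates every prefix, so a malformed or duplicated object is dropped.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS714'`
# prints: RADB route objects, one announced prefix per "route:" line.
SAMPLE_RADB_OUTPUT = """\
route:          17.0.0.0/8
descr:          Apple Inc.
origin:         AS714
source:         RADB

route:          17.0.0.0/8
descr:          same prefix seen again via a second IRR mirror (constructed)
origin:         AS714
source:         ARIN

route:          192.0.2.0/24
descr:          constructed documentation prefix, not an Apple route
origin:         AS714
source:         RADB

route:          999.1.1.0/24
descr:          constructed malformed prefix that a loose regex would accept
origin:         AS714
source:         RADB
"""

ROUTE_RE = re.compile(r"^route:\s+(\S+)\s*$", re.MULTILINE)

# Constructed PTR answers for the offline demo; a live run swaps in
# system_resolver() instead.
CONSTRUCTED_PTR_TABLE = {
    "17.0.0.1": "host-1.example.net",
    "17.0.0.3": "host-3.example.net",
}


def extract_prefixes(radb_text: str) -> List[ipaddress.IPv4Network]:
    """Unique, valid IPv4 prefixes from a RADB dump, in first-seen order
    (the grep | uniq stage of the one-liner, with real validation)."""
    seen: Dict[ipaddress.IPv4Network, None] = {}
    for candidate in ROUTE_RE.findall(radb_text):
        try:
            # strict=False normalises a stray host-bit prefix like 17.0.0.1/8
            net = ipaddress.IPv4Network(candidate, strict=False)
        except ValueError:
            continue  # 999.1.1.0/24 is not an IPv4 prefix; skip it
        seen.setdefault(net, None)
    return list(seen)


def expand(prefixes: Iterable[ipaddress.IPv4Network]) -> Iterator[ipaddress.IPv4Address]:
    """Lazily yield every host address in every prefix (the mapcidr stage).
    A /8 is ~16.7M addresses, so this is a generator, never a list."""
    for net in prefixes:
        yield from net.hosts()


def first_hosts(prefixes: Iterable[ipaddress.IPv4Network], n: int) -> List[ipaddress.IPv4Address]:
    """The first n addresses mapcidr would emit for these prefixes."""
    out: List[ipaddress.IPv4Address] = []
    for addr in expand(prefixes):
        if len(out) >= n:
            break
        out.append(addr)
    return out


def ptr_name(ip: str) -> str:
    """The owner name a PTR query actually asks for (what dnsx -ptr sends):
    17.0.0.1 becomes 1.0.0.17.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def system_resolver(ip: str) -> Optional[str]:
    """Live PTR lookup through the OS resolver; needs network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_dns(addresses: Iterable[ipaddress.IPv4Address],
                resolver: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """The dnsx -ptr -resp-only stage: map each address that has a PTR
    record to its hostname; addresses without one are dropped."""
    found: Dict[str, str] = {}
    for addr in addresses:
        name = resolver(str(addr))
        if name:
            found[str(addr)] = name
    return found


def demo_offline() -> Dict[str, str]:
    """Whole pipeline on the constructed sample, no network: parse the
    prefixes, take the first four hosts, resolve their PTRs."""
    prefixes = extract_prefixes(SAMPLE_RADB_OUTPUT)
    return reverse_dns(first_hosts(prefixes, 4), CONSTRUCTED_PTR_TABLE.get)


if __name__ == "__main__":
    for ip, host in demo_offline().items():
        print(f"{ip:<12} {ptr_name(ip):<28} {host}")
    # Live equivalent of the page's one-liner, once whois output is in hand:
    #   reverse_dns(expand(extract_prefixes(radb_text)), system_resolver)
```

The resolver is passed in as a function so the same pipeline can be exercised against a recorded table (as here) or the real resolver, and the expansion is a generator because a /8 expanded eagerly would be tens of millions of objects in memory.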

4) Favicon Hashing

What is a favicon?

The image/icon shown on the left-hand side of a browser tab is called the favicon (favicon.ico). This icon is often fetched from a different source/CDN, so we first find the favicon link in the source code of the website.

Generating the MurmurHash value:

To generate the MurmurHash value, which is unique to each favicon, we will use a tool called MurMurHash.

MurMurHash

MurMurHash is a simple tool used to generate hash for the given favicon.

Installation:

git clone https://github.com/Viralmaniar/MurMurHash.git
cd MurMurHash/
pip3 install -r requirements.txt

Running:

  • Upon running the tool, it will ask you to enter the URL for the hash.
  • After entering the favicon link, it will provide you with a unique hash value (here, -2057558656).
python3 MurMurHash.py
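How the hash in the step above is actually produced, as an added example that is not the MurMurHash tool's own code: a pure-Python MurmurHash3 (x86, 32-bit) plus the Shodan convention of hashing the base64-encoded icon text rather than the raw bytes. CONSTRUCTED_FAVICON is a made-up byte string standing in for a downloaded icon, and shodan_favicon_hash and shodan_query are names chosen here.

```python
import base64
import struct

C1, C2, MASK32 = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def _mix_k1(k1: int) -> int:
    k1 = (k1 * C1) & MASK32
    k1 = _rotl32(k1, 15)
    return (k1 * C2) & MASK32


def murmur3_32(data: bytes, seed: int = 0, signed: bool = True) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm) in pure
    Python. signed=True reproduces mmh3.hash(), which is what the
    MurMurHash tool and Shodan report (hence the negative values)."""
    h1 = seed & MASK32
    n_blocks = len(data) // 4
    # Body: 4-byte little-endian blocks.
    for i in range(n_blocks):
        (k1,) = struct.unpack_from("<I", data, i * 4)
        h1 ^= _mix_k1(k1)
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    # Tail: the 0-3 leftover bytes, highest index first.
    tail = data[n_blocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        h1 ^= _mix_k1(k1)
    # Finalisation: fold the length in and run the fmix32 avalanche.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    if signed and h1 >= 0x80000000:
        h1 -= 0x100000000
    return h1


def shodan_favicon_hash(favicon_bytes: bytes) -> int:
    """Shodan's http.favicon.hash value for an icon. Shodan hashes the
    base64 *text* of the icon in the line-wrapped form produced by
    codecs.encode(data, "base64") / base64.encodebytes (76-character
    lines plus a trailing newline), not the raw bytes; hashing the raw
    file gives a different number that will never match the index."""
    return murmur3_32(base64.encodebytes(favicon_bytes))


def shodan_query(favicon_hash: int) -> str:
    """The search filter to paste into Shodan for a computed hash."""
    return f"http.favicon.hash:{favicon_hash}"


# Constructed stand-in for a downloaded favicon.ico (a 6-byte ICO header
# followed by filler); a real run would fetch the icon from the URL that
# the page's <link rel="icon"> points at.
CONSTRUCTED_FAVICON = b"\x00\x00\x01\x00\x01\x00" + b"\x10\x10\x00\x00" * 8


if __name__ == "__main__":
    h = shodan_favicon_hash(CONSTRUCTED_FAVICON)
    print(shodan_query(h))
```

The reference check is the value the mmh3 library documents for "foo", -156908512 (0xF6A5C420 unsigned); if a home-grown hasher does not reproduce it, its Shodan queries will silently return nothing. The same applies to the base64 step: the line wrapping is part of what gets hashed, so a one-line base64 string (base64.b64encode) also yields a different hash.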

Weaponizing through Shodan:

  • Now we query Shodan http.favicon.hash:<hash> with that favicon hash.
  • This gave us a whopping 162K assets/hosts. These all can be subdomains or related domains of the Microsoft organization.
You know this is a powerful technique when the Recon king 👑 tweets about it.

🏁 That's it !!! Done with Horizontal Enumeration 🏁

Liked my work? Don't hesitate to buy me a coffee XDD

❤ 💙 💚 https://www.buymeacoffee.com/siddheshparab 💚 💙 ❤
