Domain Information#

Domain info is more than just subdomains — it’s about understanding the company’s entire internet presence.
We gather this data passively (no direct contact), acting like regular users or customers.
This involves:
- Checking the main website
- Noting technologies used
- Understanding services offered (e.g., IoT, app dev, data science, etc.)

🧠 Tip: Services give clues about the company’s internal structure and tech setup.

If we don’t know a service, we research it to learn its technical requirements.
This helps us “see what’s not shown” — the hidden functionality behind services.

🔍 We combine both principles of enumeration:

Assume we’re testing a company as a black-box pentester:
We only have the target domain – no internal info.

Use crt.sh to search certificates for a domain.

Example:

curl -s "https://crt.sh/?q=inlanefreight.com&output=json" | jq .

Helps find subdomains like: matomo.inlanefreight.com, smartfactory.inlanefreight.com, etc.

Use crt.sh output or tools like amass, assetfinder, or subfinder.

Filter out unique subdomains:

curl ... | jq . | grep name

for i in $(cat subdomainlist); do host $i | grep "has address" | grep inlanefreight; done

for i in $(cat ip-addresses.txt); do shodan host $i; done

Example findings:

🧠 Remember Key Targets Keep note of interesting IPs like 10.129.127.22 for later testing.

dig any inlanefreight.com

Look for: