Horizontal and Vertical Domain enumeration
When performing any security assessment, domain names are a vital element of the reconnaissance phase – mapping the attack surface management. With that in mind, we’ll take an in-depth look into how domains can be identified, classified, and analyzed to reveal cybersecurity threats.
What is a domain name?
A domain name is a label for your IP address on the Internet — essentially, a short link specifically associated with the IP address.
Domains essentially have two major parts - a hostname or subdomain (the leftmost part, such as “www” or “mail”) and the domain name itself (such as “domain.com”)
In that context, domain names are analyzed from two perspectives: vertical and horizontal.
Vertical domain enumeration can be described as the process of using one domain name and finding all its subdomains and hosts (sometimes also referred to as “subdomain enumeration”)
On the other hand, horizontal domain enumeration is the process of locating other domain names that have disparate second-level domains but are related to one entity.
This part of a security assessment aims to map out all the domains and subdomains that a company owns, so they may be further probed to find various vulnerabilities and exposures.
Discovering the IP address space
One of the first steps is to discover the “IP space,” — which may either include one or more Autonomous System Numbers (ASN) or may be limited to a specific smaller IP range. Huge organizations with lots of domains — like Tesla, Apple, or Github — occupy enough connected IP addresses to have their own IP space. If you want to find an organization’s ASN, websites such as bgp.he.net may be highly useful.
Finding related domains/acquisitions
In domain enumeration, you also need to enumerate all acquisitions and related domains. Several tools and platforms can help you with this task:
Crunchbase and Wikipedia are both websites which can provide you with invaluable information about mergers and acquisitions, and from there you may subsequently find more domains to add to your list. Another good website to query for Associated domains is viewdns.info – viewdns allows you to perform various Domain-related queries such as reveres WHOIS or reverse NS which can help you find more domains owned and registered by a certain company.
When you visit a website in practically every browser available today, you’ll see a small image on the left side of the tab.
This icon is known as a favicon. By calculating the hash of a site's favicon and submitting it in a search query in tools such as Shodan.io, one can find more domains that have the same favicon and could potentially be owned by the same company.
Subdomain brute forcing
Sometimes, passive DNS data simply doesn’t provide us with all of the subdomains associated with an entity — which is a problem if your goal is to perform all-encompassing vertical domain enumeration. Plus, there could also be newer subdomains — new enough that they still haven’t been spotted by Internet crawlers.
In these scenarios, subdomain brute-forcing can be beneficial. In this process, a large list that contains common subdomain names is used, and by appending the target domain to them and sending an HTTP request, new subdomains can be discovered.
Reverse DNS sweeping
When an ordinary user tries to reach a domain name through their browser, a regular DNS lookup happens. In that process, the domain name is matched to the appropriate IP address.
A reverse DNS sweep is, as it sounds, the opposite of that process — it begins with an IP address and finds the domain name. Once you already know the IP space of your entity, you can reverse query all the IP addresses and locate the valid domains.
This is done through tools such as virus total or dnsx, in which one may query an IP address’ PTR record and identify associated domain names.
Even though this is by no means a comprehensive list, it should give you a better understanding of the reasoning behind performing domain enumerations – a sound beginning in order to understand a company’s attack surface. For small companies or one-time assessments using a manual approach and open-source tools may suffice. However, once the assessments get bigger or more frequent, we highly recommend having a look at the Rescana platform which streamlines and automates the process of performing these tasks.