
Find Associated Domains

20 Credits

Discover the domain names owned by a company and map its attack surface

Sample Report

Here is a Find Associated Domains sample report:

  • Contains the domain names associated with the target domain
  • Includes additional information such as: company name, contact email addresses
  • Each result has a certainty value which indicates its correctness

Find Associated Domains - Use Cases

This tool lets you discover the domains associated with a target domain and determine the attack surface of the target organization, including systems which are less protected and more vulnerable to attacks.

Discover Attack Surface

The domain names owned by an organization are the starting point for discovering its attack surface. Development, test, backup or less-known applications are usually hosted on different domain names of the organization, and they can be easy targets for attackers.

Asset Inventory

This tool can help you perform an inventory of your domain names, including the resources that you currently have exposed to the Internet. Such an inventory could help you decommission unused resources and decrease your workload.

Real-Time Discovery

The results of Find Domains are obtained in real-time and no caching mechanism is used. Even though this is a slower approach, the results are very accurate and up to date.

Technical Details


About

Domain names are Internet resources assigned to various companies around the world. A company can own multiple domain names which can be used for various purposes of the business (e.g. for the main website, for a client portal, for supplier applications, etc.).

Finding all the domain names owned by a company is an important step in the information gathering phase of a penetration test or during bug bounty activities. This is because these associated domains could expose resources of the company which are less secure than the ones sitting on the main domain.

For example, some of the associated domains for facebook.com are:
  • facebook.net
  • fbcdn.net
  • fb.com
  • messenger.com
  • fbsbx.com
As a result, exploring the attack surface from the additional domains could be a fruitful path during pentesting or bug bounty.


Parameters

| Parameter | Description |
|---|---|
| Domain Name | The target domain name (e.g. oracle.com, yahoo.com, etc.) which will be searched for associated domains |
| SSL Certificates | Searches Certificate Transparency Logs for certificates having the target domain as alt name. |
| BuiltWith | Searches BuiltWith relationships (e.g. Google Analytics Tags) for potentially related domains. |
| Reverse Whois | Finds the company and contact email of the target domain with a Whois lookup and then does a reverse lookup on them. |
| Include zero weight results | Also show the results with very low weight (e.g. domains found only in expired certificates) |


How it works

The tool assigns a certain weight to each result in order to validate its correctness. The validation is performed using these factors:
  • The organisation name found in the SSL certificate, as well as the number of certificates linking the two compared domains
  • The number of BuiltWith relationships and duration of those relationships
  • Matching Whois records (companies, emails)
  • Domain name similarity (e.g. amazon.de/amazon.com)
  • Redirect history: checks if the found domain redirects to the base domain or vice versa (e.g. gmail.com -> mail.google.com)
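
The weighting described above, as an added sketch for triaging your own domain inventory; it is not the tool's code. The page names the factors but not how they are combined, so the weights, the caps and the `Evidence` fields are assumptions, and the domains are constructed sample data on reserved TLDs.

```python
from dataclasses import dataclass

# Assumed weights: the page lists the factors but not how they are combined.
WEIGHTS = {"cert": 0.30, "builtwith": 0.20, "whois": 0.25, "similar": 0.15, "redirect": 0.10}

@dataclass
class Evidence:
    domain: str
    cert_org_match: bool = False  # certificate organisation matches the base domain's
    valid_certs: int = 0          # unexpired certificates naming both domains
    expired_certs: int = 0        # expired certificates naming both domains
    builtwith_links: int = 0      # number of BuiltWith relationships
    builtwith_months: int = 0     # how long those relationships lasted
    whois_match: bool = False     # same company or contact email in Whois
    redirects: bool = False       # one domain redirects to the other

def label(domain: str) -> str:
    """Left-most label; a simplification that ignores suffixes such as co.uk."""
    return domain.lower().split(".")[0]

def certainty(base: str, ev: Evidence) -> float:
    # Expired certificates add nothing, so an expired-only hit scores zero.
    org = 0.5 if ev.cert_org_match else 0.0
    cert = 0.5 * min(ev.valid_certs, 5) / 5 + org if ev.valid_certs else 0.0
    builtwith = (min(ev.builtwith_links, 4) / 4) * (min(ev.builtwith_months, 24) / 24)
    signals = {
        "cert": cert,
        "builtwith": builtwith,
        "whois": 1.0 if ev.whois_match else 0.0,
        "similar": 1.0 if label(ev.domain) == label(base) else 0.0,
        "redirect": 1.0 if ev.redirects else 0.0,
    }
    return round(sum(WEIGHTS[k] * v for k, v in signals.items()), 2)

def rank(base: str, evidence: list, include_zero: bool = False) -> list:
    """Sort candidates by certainty; zero-weight results are hidden by default."""
    scored = [(ev.domain, certainty(base, ev)) for ev in evidence]
    return sorted((s for s in scored if include_zero or s[1] > 0), key=lambda s: s[1], reverse=True)

# Constructed sample data on reserved TLDs, not real findings.
SAMPLE = [
    Evidence("acme.test", cert_org_match=True, valid_certs=5, whois_match=True, redirects=True),
    Evidence("acme-static.test", cert_org_match=True, valid_certs=2, builtwith_links=2, builtwith_months=12),
    Evidence("oldpromo.invalid", expired_certs=3),
]

if __name__ == "__main__":
    for domain, score in rank("acme.example", SAMPLE, include_zero=True):
        print(f"{score:.2f}  {domain}")
```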