Allows you to discover domains associated with a target domain and to determine the attack surface of a target organization. Find systems which are less protected and more vulnerable to attacks.
Discover Attack Surface
The domain names owned by an organization are the starting point for discovering its attack surface. Development, test, backup or less-known applications are usually hosted on different domain names of the organization and they can be easy targets for attackers
This tool can help you to perform an inventory of your domain names, including the resources that you have currently exposed to the Internet. Such an inventory could help you decomission unused resources and decrease your workload.
The results of Find Domains are obtained in real-time and no caching mechanism is used. Even though this is a slower approach, the results are very accurate and up to date.
Domain names are Internet resources assigned to various companies around the world. A company can own multiple domain names which can be used for various purposes of the business (ex. for main website, for clients portal, for supplier applications, etc).
Finding all the domain names owned by a company is an important step in the information gathering phase of a penetration test or during bug bounty activities. This is because these associated domains could expose resources of the company which are less secure than the ones sitting on the main domain.
For example, some of the associated domains for facebook.com are:
As a result, exploring the attack surface from the additional domains could be a fruitful path during pentesting or bug bounty.
Is the target domain name (ex. oracle.com, yahoo.com, etc) which will be searched for associated domains
Searches Certificate Transparency Logs for certificates having the target domain as alt name.
Searches BuiltWith relationships (e.g. Google Analytics Tags) for potentially related domains.
Finds the company and contact email of the target domain with a Whois lookup and then does a reverse lookup on them.
Include zero weight results
Also show the results with very low weight (e.g. domains found only in expired certificates)
How it works
The tool assigns a certain weight to each result in order to validate its correctness. The validation is performed using these factors:
The organisation name found in the SSL certificate, as well and the number of certificates linking the two compared domains
The number of BuiltWith relationships and duration of those relationships
Matching Whois records (companies, emails)
Domain name similarity (e.g. amazon.de/amazon.com)
Redirect history: checks if the found domain redirects to the base domain or vice versa (e.g. gmail.com -> mail.google.com)
This tool costs 20 credits but you have 40 credits left.