Domain enumeration is a critical task for security researchers, penetration testers, and competitive intelligence professionals. The challenge lies in the decentralized nature of domain registration systems and the various privacy protections implemented by registrars.
WHOIS Lookups with Bulk Processing: While traditional WHOIS queries are limited, we can automate them at scale:
import whois
from concurrent.futures import ThreadPoolExecutor
def query_domain(domain):
try:
w = whois.whois(domain)
return {'domain': domain, 'registrant': w.registrant_name}
except:
return None
base_domains = ['example.com', 'example.net']
with ThreadPoolExecutor(max_workers=5) as executor:
results = list(executor.map(query_domain, base_domains))
Certificate Transparency (CT) logs provide a goldmine of domain information:
import requests
def get_ct_logs(domain):
url = f"https://crt.sh/?q=%25.{domain}&output=json"
response = requests.get(url)
if response.status_code == 200:
return response.json()
return []
domains_in_cert = {entry['name_value'] for entry in get_ct_logs('targetcompany.com')}
Advanced DNS reconnaissance methods can uncover related domains:
import dns.resolver
def dns_enumeration(domain):
results = set()
try:
answers = dns.resolver.resolve(domain, 'MX')
for rdata in answers:
results.add(rdata.exchange.to_text())
except:
pass
return results
Mapping autonomous system numbers to discover related infrastructure:
import ipwhois
def get_asn_info(ip):
try:
obj = ipwhois.IPWhois(ip)
return obj.lookup_rdap()
except:
return None
Several services offer comprehensive domain mapping APIs:
import requests
headers = {'Authorization': 'Bearer YOUR_API_KEY'}
params = {'limit': 100, 'query': 'org:"Target Company Inc."'}
response = requests.get(
'https://api.securitytrails.com/v1/domains/list',
headers=headers,
params=params
)
Combining multiple approaches into an integrated solution:
class DomainEnumerator:
def __init__(self, company_name):
self.company = company_name
self.found_domains = set()
def run_enumeration(self):
self._check_whois()
self._query_ct_logs()
self._dns_enumeration()
return sorted(self.found_domains)
Remember that comprehensive domain discovery requires multiple techniques combined with manual verification. The accuracy of results depends heavily on the quality of input data and the persistence of your investigation.
In cybersecurity research, competitive analysis, or brand protection scenarios, identifying all domains owned by a particular organization presents unique technical challenges. Unlike centralized databases, domain ownership information is distributed across registrars, registries, and various data sources.
# Sample Python script to query WHOIS data
import whois
def get_whois_info(domain):
try:
w = whois.whois(domain)
return w
except Exception as e:
print(f"Error querying {domain}: {e}")
return None
Reverse DNS lookups can reveal patterns in naming conventions:
# Reverse DNS lookup with dig
dig -x 192.0.2.1 | grep PTR
Certificate issuance records often reveal associated domains:
# Querying crt.sh certificate database
SELECT identity_value
FROM certificate_identity
WHERE identity_type = 'dns' AND issuer_ca_id = 12345;
- WHOIS lookups (RDAP protocol preferred)
- DNS reconnaissance tools like Farsight DNSDB
- SecurityTrails API for historical DNS data
- PassiveTotal for relationship mapping
For large organizations, consider:
- ASN-based discovery (autonomous system numbers)
- IP range analysis
- Combining multiple data sources with fuzzy matching
Always verify:
- Terms of service for data sources
- Applicable laws (GDPR, CFAA, etc.)
- Rate limiting and query etiquette
For ongoing discovery, implement:
# Basic monitoring script skeleton
import schedule
from domain_tracker import check_new_domains
schedule.every(6).hours.do(check_new_domains,
target_company="examplecorp")