Preface#
During the information gathering phase of penetration testing, it is common to collect the root domain names of the target company. Registered domain names can be obtained through ICP filing number reverse lookup and Whois data query, while unregistered domain names have some special collection methods.
Collecting the root domain name assets of the target through HTTP characteristics is one of the methods. We can use security search engines like FOFA and Shodan to discover some root domain names related to the target company.
It should be noted that the root domain name assets collected through these methods may not belong to the testing target. These methods are only optional extensions. When using these methods, the collected information should be handled with caution.
Certificate#
FOFA Syntax
cert.subject.org="target" && is_domain=true
Demo Example
In digital certificates, the fields such as Issuer, Subject, Organization, and CommonName play important roles:
- Issuer: The issuer field identifies the entity that has signed and issued the certificate. The issuer field must contain a non-empty distinguished name (DN).
- Subject: The subject field identifies the entity associated with the public key stored in the subject public key field. The subject name can be carried in the subject field and/or the subjectAltName extension.
- Organization (O): The organization name identifies the organization or company that holds the certificate.
- CommonName (CN): The common name, for individuals, may be a personal name, and for server certificates, it is usually a domain name.
HTTP Headers#
The Content-Security-Policy-Report-Only header lists the origins from which a page is allowed to load scripts, images and other resources (and where it reports violations). It does not directly reveal the company's root domains, but the source lists it carries often name other domains the target company operates.
Through the Content-Security-Policy-Report-Only header, some root domain names related to the target company can therefore be collected.
FOFA Syntax
host="target.com" && header="Content-Security-Policy-Report-Only"
Demo Example
Similar headers include Content-Security-Policy, Set-Cookie, etc., where root domain names related to the target company may also appear.
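The two collection paths above, certificate fields and CSP-style headers, reduce to the same step: pull hostnames out of a source and collapse them to registrable root domains. The following Go program is an added example, not code from the original post or from FOFA; it builds a self-signed certificate in memory with the Go standard library (constructed demo data standing in for a certificate obtained from a TLS handshake or a search-engine export), parses a constructed Content-Security-Policy value, and collapses the names from both into root domains. The multi-label suffix table is a tiny constructed stand-in for the Public Suffix List, and every domain in it is a documentation-style example name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Constructed stand-in for the Public Suffix List: suffixes that occupy two labels.
// A real tool should load the full list instead of this table.
var multiLabelSuffixes = map[string]bool{"com.cn": true, "net.cn": true, "co.uk": true, "com.au": true}

// RootDomain collapses a hostname (wildcards allowed) to its registrable root.
func RootDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(strings.TrimPrefix(host, "*."), "."))
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return ""
	}
	n := 2
	if len(labels) >= 3 && multiLabelSuffixes[strings.Join(labels[len(labels)-2:], ".")] {
		n = 3
	}
	return strings.Join(labels[len(labels)-n:], ".")
}

// RootDomains deduplicates and sorts the roots of a list of hostnames.
func RootDomains(names []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, name := range names {
		if r := RootDomain(name); r != "" && !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

// NamesFromCert collects the Subject CommonName and every DNS subjectAltName.
func NamesFromCert(cert *x509.Certificate) []string {
	names := []string{}
	if cert.Subject.CommonName != "" {
		names = append(names, cert.Subject.CommonName)
	}
	return append(names, cert.DNSNames...)
}

// MakeDemoCert creates a self-signed certificate so the example runs offline (constructed data).
func MakeDemoCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Corp"}, CommonName: "www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"www.example.com", "api.example.net", "*.cdn.example.com.cn"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: parent == template
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoCSP is a constructed header value in the shape a site might send.
const DemoCSP = "default-src 'self' https://static.example.com; script-src 'self' 'nonce-abc123' https://cdn.example-assets.net:443/js; img-src data: https://*.img.example.com.cn; report-uri https://report.example-sec.org/csp"

// HostsFromCSP extracts host sources from a CSP or CSP-Report-Only value,
// skipping keywords ('self', nonces, hashes), bare schemes (data:) and paths.
func HostsFromCSP(value string) []string {
	hosts := []string{}
	for _, directive := range strings.Split(value, ";") {
		fields := strings.Fields(directive)
		for i := 1; i < len(fields); i++ {
			src := fields[i]
			if strings.HasPrefix(src, "'") || strings.HasSuffix(src, ":") || src == "*" {
				continue
			}
			if j := strings.Index(src, "://"); j >= 0 {
				src = src[j+3:] // drop the scheme
			}
			if j := strings.IndexAny(src, "/:"); j >= 0 {
				src = src[:j] // drop port and path
			}
			if src != "" {
				hosts = append(hosts, src)
			}
		}
	}
	return hosts
}

func main() {
	cert, err := MakeDemoCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("O:", cert.Subject.Organization, "roots from cert:", RootDomains(NamesFromCert(cert)))
	fmt.Println("roots from CSP:", RootDomains(HostsFromCSP(DemoCSP)))
}
```

The Organization field is what the `cert.subject.org` FOFA query above matches on, while the CommonName and DNS SANs carry the hostnames; in practice the same names also appear in certificates that a CDN or hosting provider issues on its own behalf, which is why a root found this way still needs the ownership check the preface calls for.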
NS Servers#
In some cases, internal domain names of a company only need to be accessible to internal personnel. This can be achieved by using self-built DNS servers.
Although we cannot directly access the internally built NS servers of a company, we can query NS server data that has appeared in the past through existing data.
The HackerTarget Find Shared DNS Servers tool can be used to achieve this.
Before searching for domains that share the company's NS servers, first obtain the hostnames (or IP addresses) of those servers with an NS record lookup on a known domain of the company:
$ nslookup -type=ns qq.com
qq.com nameserver = ns1.qq.com.
qq.com nameserver = ns2.qq.com.
qq.com nameserver = ns4.qq.com.
qq.com nameserver = ns3.qq.com.
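Once the nameservers are known, the shared-DNS step is a matching problem: which other domains in a body of historical NS records point at the same servers. The following Go program is an added example, not code from the original post or from HackerTarget; it parses nslookup output of the shape shown above, then ranks domains from a constructed table of NS records (standing in for what a shared-DNS lookup service returns) by how many nameservers they have in common with the seed domain. All domains in the constructed data are example names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DemoNSLookupOutput mimics `nslookup -type=ns` output for a constructed seed domain.
const DemoNSLookupOutput = "example.com nameserver = ns1.example.com.\nexample.com nameserver = ns2.example.com.\n"

// DemoNSRecords is a constructed stand-in for historical NS data from a lookup service.
var DemoNSRecords = map[string][]string{
	"example.com":          {"ns1.example.com", "ns2.example.com"},
	"example-internal.net": {"ns1.example.com", "ns2.example.com"},
	"example-shop.com":     {"ns2.example.com", "ns1.dnsprovider.example"},
	"unrelated.org":        {"ns1.otherdns.example"},
}

// ParseNSLookup pulls nameserver hostnames out of "<domain> nameserver = <host>." lines.
func ParseNSLookup(output string) []string {
	servers := []string{}
	for _, line := range strings.Split(output, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 4 && fields[1] == "nameserver" && fields[2] == "=" {
			servers = append(servers, strings.TrimSuffix(strings.ToLower(fields[3]), "."))
		}
	}
	sort.Strings(servers)
	return servers
}

// SharedNS is one candidate domain and the nameservers it shares with the seed.
type SharedNS struct {
	Domain string
	Shared []string
}

// DomainsSharingNS returns every domain (other than seed) that uses at least one of
// the given nameservers, ordered by number of shared servers, then by name.
func DomainsSharingNS(records map[string][]string, servers []string, seed string) []SharedNS {
	want := map[string]bool{}
	for _, s := range servers {
		want[strings.ToLower(s)] = true
	}
	out := []SharedNS{}
	for domain, ns := range records {
		if domain == seed {
			continue
		}
		shared := []string{}
		for _, s := range ns {
			if want[strings.ToLower(strings.TrimSuffix(s, "."))] {
				shared = append(shared, s)
			}
		}
		if len(shared) > 0 {
			sort.Strings(shared)
			out = append(out, SharedNS{Domain: domain, Shared: shared})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if len(out[i].Shared) != len(out[j].Shared) {
			return len(out[i].Shared) > len(out[j].Shared)
		}
		return out[i].Domain < out[j].Domain
	})
	return out
}

func main() {
	servers := ParseNSLookup(DemoNSLookupOutput)
	fmt.Println("seed nameservers:", servers)
	for _, m := range DomainsSharingNS(DemoNSRecords, servers, "example.com") {
		fmt.Printf("%-22s shares %d: %v\n", m.Domain, len(m.Shared), m.Shared)
	}
}
```

Ranking by the number of shared servers matters because a domain that shares only one nameserver with the seed, especially one belonging to a public DNS provider, is weak evidence of common ownership; a domain that uses the company's full self-built NS set is a much stronger candidate, and still one to confirm before it is treated as in scope.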