#1
    Identify all hostnames belonging to someone


    I'm interested in identifying all the hostnames belonging to someone and I wanted to ask this community for their recommendations on how to best do it. I understand that, in many cases, it's not possible to generate a comprehensive list of hostnames. However, I'm still interested in what you all think is the best way of going about doing it.

    My thoughts are:
    1) collect all publicly available hostnames (crawl the web, parse public proxy logs) - aren't all search engines already doing this? Is anyone making this list public?
    2) perform whois lookups on each hostname to determine owner (I realize that whois records are unreliable and can be hidden but it's the only thing I could think of)

    What do the experts think?
#2
    Hi,

    Have you looked at domain tools at all? http://www.domaintools.com/ ?

    Thanks

    Eddie
#3
    Are you talking about enumeration or what different domains someone has?
#4
    Originally Posted by CaptPikel
    Are you talking about enumeration or what different domains someone has?
    Thanks for replying. It's not just domains I'm interested in, but FQDN hostnames, e.g. mail.domain.com.

    I think the only way to identify all of the hostnames belonging to someone is by enumerating all of the hostnames in existence out on the web and then running whois lookups on them.

    So to answer your question, I suppose I'm talking about both.

    What do you think?
#5
    Originally Posted by Eddie_D
    Have you looked at domain tools at all?
    I haven't! Thanks for the link! It looks like they're doing pretty much exactly what I'm looking for but at the domain level.

    I'm interested in identifying subdomains as well, e.g. portal.domain.com.

    Thanks!
#6
    Originally Posted by craayzie
    I'm interested in identifying subdomains as well, e.g. portal.domain.com.

    Thanks!
    Whoever owns domain.com, also owns all sub-domains of domain.com. You can't register a subdomain.
#7
    Originally Posted by kicken
    Whoever owns domain.com, also owns all sub-domains of domain.com. You can't register a subdomain.
    Sure, I'm aware of that. I'm interested in identifying any DNS hostnames that they have either provisioned explicitly or are using publicly (via a wildcard DNS record e.g. *.domain.com).

    I'm thinking I would need to crawl the web and parse public proxy logs - to identify these hostnames.

    Am I missing anything else?
#8
    There are many enumerator tools out there (like dnsenum). You can import text files to run essentially a brute force of DNS queries to find hosts. Or if the domain is running DNSSEC, you can easily get the names by looking at the NSEC records.
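
The NSEC remark in post #8, as an added example that is not part of the original thread: each NSEC record names the next owner name in the zone, so together the records form a chain that lists every name. The Python below walks that chain in a zone-file export so an operator can see what their own signed zone discloses; the zone `example.test` and all of its records are constructed sample data.

```python
"""Added example: list what the NSEC chain in your own signed zone discloses."""

# Constructed sample: NSEC lines from a signed-zone export for the placeholder
# zone example.test (all names are made up for illustration).
SAMPLE_ZONE = """\
example.test.            3600 IN NSEC admin.example.test. A NS SOA RRSIG NSEC DNSKEY
admin.example.test.      3600 IN NSEC mail.example.test. A RRSIG NSEC
mail.example.test.       3600 IN NSEC portal.example.test. A MX RRSIG NSEC
portal.example.test.     3600 IN NSEC *.staging.example.test. CNAME RRSIG NSEC
*.staging.example.test.  3600 IN NSEC example.test. A RRSIG NSEC
"""


def parse_nsec(zone_text):
    """Return {owner: (next_owner, [types])} for every NSEC line."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        # Expected layout: owner TTL class NSEC next-owner type...
        if len(fields) >= 5 and fields[3].upper() == "NSEC":
            records[fields[0].lower()] = (fields[4].lower(), fields[5:])
    return records


def walk_chain(records, apex):
    """Follow next-owner pointers from the apex until the chain wraps around."""
    names, current = [], apex.lower()
    while current not in names:
        if current not in records:
            raise ValueError(f"chain broken: no NSEC record for {current}")
        names.append(current)
        current = records[current][0]
    if current != apex.lower():
        raise ValueError(f"chain loops back to {current}, not the apex")
    return names


def audit(zone_text, apex):
    """Summarise what the NSEC chain tells anyone who reads it."""
    records = parse_nsec(zone_text)
    names = walk_chain(records, apex)
    return {
        "disclosed": names,
        "wildcards": [n for n in names if n.startswith("*.")],
        "types": {n: records[n][1] for n in names},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ZONE, "example.test.")
    for name in report["disclosed"]:
        print(name, " ".join(report["types"][name]))
```
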
#9
    Originally Posted by CaptPikel
    There are many enumerator tools out there (like dnsenum). You can import text files to run essentially a brute force of DNS queries to find hosts. Or if the domain is running DNSSEC, you can easily get the names by looking at the NSEC records.
    Wow - exactly what I was looking for. Was not aware of either option. Thank you!

    If anyone knows of any others - let me know!