Passive Domain Information Gathering

Strategic Overview

  • Goal: Understand the target’s services, technologies, and structure from an external, non-intrusive perspective.

  • Approach: Read public-facing content (websites, blog posts, job listings), then infer underlying technologies, cloud providers, and possible infrastructure.

  • Mindset: Combine OSINT with a developer/system architect point of view.

Certificate Transparency Logs

Used to find subdomains registered in SSL certificates.

Commands:

curl -s "https://crt.sh/?q=<website>.com&output=json" | jq .

The above command returns the raw JSON that crt.sh holds for the domain. In the command, replace <website> with the target domain.

curl -s "https://crt.sh/?q=<website>.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

The above pipeline extracts the unique subdomains from that JSON output. Replace <website> with the target domain.
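As an added example (not part of the original notes), a Python version of the crt.sh filtering step that handles the cases the grep/cut pipeline trips over: several names per record separated by "\n", wildcard entries, mixed case, and lookalike names that merely contain the target domain. The JSON below is a constructed sample in the shape of crt.sh's output, not a real query result.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (not a real query result).
# name_value may hold several SANs separated by literal newlines, plus wildcard entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "VPN.Example.com",
     "name_value": "VPN.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net"},
])


def in_scope(hostname: str, domain: str) -> bool:
    """True if hostname is the target domain or a subdomain of it (match on a label boundary)."""
    return hostname == domain or hostname.endswith("." + domain)


def crtsh_subdomains(json_text: str, domain: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames for `domain` found in crt.sh JSON.

    The issuer_name field (which also contains "CN=") is ignored on purpose;
    only common_name and name_value carry names from the certificate itself.
    """
    domain = domain.lower()
    found = set()
    for record in json.loads(json_text):
        for field in ("common_name", "name_value"):
            for raw in record.get(field, "").split("\n"):
                name = raw.strip().lower()
                if name.startswith("*."):
                    name = name[2:]  # a wildcard cert still tells us about the parent name
                if name and in_scope(name, domain):
                    found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in crtsh_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Feed it the JSON saved from the curl command above instead of the sample to get the same list as the grep/cut pipeline, minus the lookalike and case-duplicate noise.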

Identify Internally Hosted Services

Only test internally hosted domains, not those served by third parties (e.g., Google, AWS).

Command:

for i in $(cat subdomainlist); do host $i | grep "has address" | grep <website>.com | cut -d" " -f1,4; done

The above loop resolves each name in subdomainlist and keeps only those whose A record belongs to the target. Replace <website> with the target domain.

Shodan Enumeration

Use Shodan to analyze externally facing IPs for exposed services/devices.

Commands:

for i in $(cat subdomainlist); do host $i | grep "has address" | grep <website>.com | cut -d" " -f4 >> ip-addresses.txt; done

The above command collects the IP addresses of the in-scope subdomains into ip-addresses.txt. Replace <website> with the target domain.

for i in $(cat ip-addresses.txt); do shodan host $i; done

The above command queries Shodan for each collected IP address.

DNS Record Analysis

Extract intelligence from DNS records to find new infrastructure and tech stacks.

Command:

dig any <website>.com

Replace <website> with the target domain.

Interpretation:

  • A Records: Direct domain → IP mappings.

  • MX Records: Mail servers (e.g., Gmail = third-party).

  • NS Records: Hosting/NS provider.

  • TXT Records: Email security, API usage, third-party vendors.

Service        Implication / Follow-Up
Atlassian      Dev tools; possible Jira/Confluence attack surface
Google Gmail   Email via GSuite; maybe open Google Docs
LogMeIn        Remote admin; risk of full takeover
Mailgun        Email APIs; check for API abuse (IDOR, SSRF, etc.)
Outlook        Possible Azure/OneDrive/SMB targets
INWX           Domain registrar; check for leaked creds or weak portals

This type of passive recon helps you map the digital footprint and narrow down targets for later active enumeration and vulnerability testing.