Which brings us to data intelligence. It’s all about information, and how it can help us achieve our goals within any organization or company we work for.
When dealing with information security, one of your first steps for investigating any objective is to perform an intelligence reconnaissance and data collection process.
This reveals critical details about your target, giving you an informed start toward more involved tasks such as service discovery, online vulnerability scanning, etc.
A key component of any data collection process is identifying and analyzing everything related to the domain name you’re targeting. This is commonly called a domain profile and to create it there are a few tools available known as domain profiler tools.
Today we’ll explore how to use the SecurityTrails Domain, IP and DNS Toolkit as a domain profiler utility. We’ll also examine other effective domain tools used for domain research.
What is a domain profiler tool?
A domain profiler tool is a utility or toolkit that brings to you almost all the data associated with a domain name. This includes subdomain discovery, current and historical DNS records, WHOIS information, associated IP addresses, SSL certificates, network services, servers and running software.
Performing attack surface discovery and domain profiler reconnaissance against any given domain name can reveal critical information about its network, server and application infrastructure.
When do you need domain profiler tools?
Domain profiler tools are generally needed for work with any Internet company that offers virtual products and services. But you’ll need it most when performing any of the following activities:
Copyright and trademark investigations
Trademark violation issues and copyrighting notices make up a large part of the abusive activity concerning IT-based companies.
That’s why companies seeking to protect their name, brand and content are the top users of domain profiler tools. These tools are necessary for gathering the right data from offending domain names, which is useful for reaching the abused organization’s affected contacts through email, as well as its web hosting provider.
Financial institutions and credit card companies aren’t the only targets of phishing campaigns. Almost any company with an online presence and a members/client area can fall victim to a phishing attack.
Detecting phishing campaigns using your domain name as quickly as possible is crucial for protecting your clients and users from getting caught in false web pages that convincingly mimic the real thing.
Getting the right source intelligence is the first step in any penetration testing task. While many OSINT tools out there will yield huge amounts of data, only a few can gather all the details for you in one place.
And finding the right OSINT toolkit for your domain intelligence tasks is paramount to avoid losing time crossing data between different utilities.
In this case, domain profiler tools can help you gather all the domain details you need using passive DNS, IP and domain WHOIS history data.
Bug & data bounty hunters
[Domain data bounty][bounty] and bug bounty hunters play a huge role in the cybersecurity market. These individuals and companies will perform infosec investigations on any company or domain name, to find the vulnerabilities, bugs, data leaks and sensitive information hidden in remote software or systems.
If you yourself are a bug bounty or data bounty hunter, then using a domain profiler will reduce the time you spend in domain intelligence tasks before jumping into the scanning and penetration testing process.
These tools can help you build a lengthy list of domain names to explore, while grabbing large amounts of domain data that can be downloaded later for deeper analysis.
Product and sales intelligence
Exploring subdomains, server providers and historical WHOIS and DNS records isn’t always related to cybersecurity. Sometimes, as we shared in the blogpost Intelligence collection about your competitors, this information can be used to boost your marketing, sales and products.
By analyzing your competitors’ domain names, you can detect running technologies, software CMS, libraries and third party service providers that you may find useful for building your own effective products and services, ultimately increasing sales.
Top areas to explore while building a domain profile
What are the key areas to explore when performing the domain reconnaissance process? Let’s find out!
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
Who owns that domain name? That’s the main question to ask when exploring the public area of any domain name or company.
SecurityTrails API and SurfaceBrowser offer a fast and easy way to identify the owner of any domain name in the world.
We can even show you who the owner of the domain name was in the past, thanks to our historical WHOIS timeline, available from SurfaceBrowser interface.
When domain names are hacked or become part of domain hijacking campaigns, investigation is essential, to avoid buying stolen domain names, as we’ve seen in previous articles.
Therefore, using WHOIS information when you perform a domain profiler task is of the utmost importance.
Our domain and IP database allows you to find associated domains in mere seconds.
While investigating a single domain name can reveal useful data about an individual or company, the ability to detect associated domains is a bonus.
Are there other domains associated with that same person or company? This question is easy to answer with SurfaceBrowser Associated Domains capabilities.
As seen here, exploring the ge.com domain name revealed around 9.8K associated domain names. This information can be saved for a full analysis or explored from our web-based interface showing a full summary by registrar, organization, creation year and expiration year.
Web hosting and email provider
Most malware and phishing activities are performed on the server side. That’s why detecting who the web hosting provider is serves as useful information for sending an official infringing material removal request (usually after contacting the domain owner).
DMCA notices are also sent to the hosting provider as the primary way to contact the domain owner. This is often seen when copyright material is found on public URLs.
Also, identifying the email provider becomes necessary when massive spam events are found originating from specific domain names.
Is this a low, mid, or high traffic site? Knowing its exact Alexa rank can help you assess what you’re dealing with.
This information is included for every domain analyzed with our public and private tools.
When it comes to creating a map for a domain name, current DNS records are a great source of intelligence data.
SecurityTrails free app can help you easily detect every type of DNS record for any given domain name such as A, AAA, SOA, NS, TXT and MX.
Who’s the email provider for this domain name? What about the web hosting serving the website? Is he using TXT records for email authentication? Is the website balanced using rrDNS?
All of these questions and more can be revealed by analyzing the current DNS records.
Historical DNS records, on the other hand, can help you investigate changes and modifications to DNS records.
This comes in handy when you need to detect whether the domain owner made changes to records after specific events, such as launching attacks, malware campaigns, phishing activity, etc.
Additional tip: historical DNS records are also useful when you need to recover lost DNS records in the event of a DNS compromise or a DNS misconfiguration.
Subdomains are not the same as domain names, but are indeed directly related. Most of the time they can also reveal additional valuable information for your OSINT strategy.
The art of subdomain enumeration has been widely covered in the infosec field. Today there are tons of tools used to discover subdomains, including web-based subdomain discovery apps, terminal-based subdomain mapping tools and desktop OSINT tools.
By running a subdomain enumeration, an infosec researcher can create a digital map of the target. This can later be analyzed to find the weak points in applications running on each host.
Unlike other tools that can take minutes or even hours to perform live queries, SurfaceBrowser’s subdomain finder passive features allow you to find all subdomains of any domain name in mere seconds.
Let’s look at another example, this time with ge.com domain. Our OSINT tool was able to discover 3,246 subdomains.
With the Subdomain option in the SurfaceBrowser interface, you can get a summary of all results and filter them by Hosting Company or the IP address where they are hosted:
Check out the full power of our subdomain discovery features by watching this video.
SSL certificate data
SurfaceBrowser can also be used to fetch important SSL certificate information such as creation and expiration year, validity status, and the company it was issued for.
Following the previous example, we analyzed the
ge.com domain name and were able to find up to 2,021 total SSL certificates.
Knowing all these details for each SSL certificate becomes a precious and valuable commodity. By merely knowing the validity status of each SSL, you can begin investigating possibly vulnerable expired SSL certificates, for production or staging areas that were left behind by mistake.
The Qualys SSL Test is one of the industry’s top standards for auditing the SSL certificate security of business and personal websites.
By simply introducing your domain name, it will launch a number of tests against your SSL/TLS certificates, letting you know about all the vulnerabilities and misconfigured variables that may affect your overall SSL security.
By using the Qualys SSL test you’ll also getadditional details such as Server Key and Certificate data, intermediate certificate chain validation, certification paths, supported SSL protocols, cipher suites and a full handshake simulation for most OS and web browsers, from both mobile and desktop platforms.
SurfaceBrowser also lets you find the most popular open ports for any given domain name and all their hosts/IPs.
While analyzing General Electric’s domain name (ge.com) PTR records, we found a total of 687 open ports, as shown below:
Apart from 80 and 443 TCP ports, we also found 7 hosts with the OpenSSH port using the default port 22.
SSH servers running port 22 are much more vulnerable to brute force attacks than others with custom ports, as seen in our previous article about mitigating SSH attacks.
Detecting open ports is one of your first scanning tasks for identifying the services running on the destination server.t’s an important part of any domain intelligence plan.
Website HTTP details
URLScan immediately comes to mind when planning for work with HTTP data intelligence.
This intel gathering tool will display all the possible details about any URL you want, as well as all the established HTTP connections from that same URL.
It will even scan if your site is blacklisted or part of any malware campaign.
Our domain profiler toolkit will help you run your daily reconnaissance tasks in mere seconds. Thanks to OSINT tools, along with our passive DNS, Domain and IP database, we can help you unveil the shadow infrastructure from servers, network and web applications in an instant.
And know that collecting information security data from any public domain is easier than ever with our security API. Have you tried it yet? If not, open a free API account today and start integrating our powerful domain dataset with your own applications.
If you’re looking for an all-in-one solution, jump directly to SurfaceBrowser™, the #1 intel gathering tool for domain investigations. Book a demo today with our sales team or!