Last modified: 2023-10-26

DNS Network Reconnaissance Web

Basic reconnaissance flows.



Find the other companies that are owned by the target company.


An autonomous system (AS) is a collection of connected IP routing prefixes under the control of one or more network operators. Its autonomous system number (ASN) is assigned by the Internet Assigned Numbers Authority (IANA) through the regional Internet registries.
Border Gateway Protocol (BGP) is used to advertise routing policy to other ASes or routers.
We can also find the IP ranges belonging to the ASN.


whois is used to look up registration information for a domain, such as its registrant and registrar.


Archived Web Pages

The Wayback Machine is an online tool that archives snapshots of many websites.

Subnet Scan

To run only a ping scan (skipping the port scan), add the option "-sP". In current nmap versions "-sn" is the equivalent option and "-sP" is kept as a deprecated alias.

# /24 -
nmap -sP <target-ip>/24 -T2
# /16 -
nmap -sP <target-ip>/16 -T2
# /8 -
nmap -sP <target-ip>/8 -T2
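
From the defending side, a sweep like the one above shows up as one source sending ICMP echo requests to many addresses in the same subnet within a short time. The following Python script is an added example (not part of the original notes) that runs this check over constructed netfilter-style log lines; the log format, field names and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter-style log lines (not real traffic): one source sends
# ICMP echo requests to ten hosts in 192.0.2.0/24 within ten seconds, a second
# source pings a single host, and one TCP line must be ignored by the parser.
SAMPLE_LOG = "\n".join(
    [f"2023-10-26T10:00:{i:02d} kernel: IN=eth0 SRC=203.0.113.7 "
     f"DST=192.0.2.{i} PROTO=ICMP TYPE=8" for i in range(1, 11)]
    + ["2023-10-26T10:00:05 kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.40 PROTO=ICMP TYPE=8",
       "2023-10-26T10:00:06 kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=80"]
)

# ICMP type 8 is an echo request, which is what a ping scan sends to every host.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=ICMP TYPE=8\b")


def parse_echo_requests(text):
    """Yield (timestamp, src, dst) for every echo-request line in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def detect_ping_sweeps(text, min_hosts=8, window_seconds=60):
    """Return {src: max distinct hosts} for sources that pinged at least
    min_hosts distinct addresses in one /24 within any window_seconds span."""
    by_key = defaultdict(list)  # (src, /24 network) -> [(ts, dst), ...] in time order
    for ts, src, dst in sorted(parse_echo_requests(text)):
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        by_key[(src, net)].append((ts, dst))
    alerts = {}
    for (src, _net), hits in by_key.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span is <= window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= min_hosts and distinct > alerts.get(src, 0):
                alerts[src] = distinct
    return alerts


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {n} hosts in one /24")
```

Tune min_hosts and window_seconds to the monitored network; the time-window logic is what keeps a single host pinged repeatedly from triggering an alert.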

Port Scan

See Port Scan for details.


See also Subdomain Discovery, DNS Pentesting.

For example, input in the search form. We should see a list of subdomains for the


For example, input “” in the search form of the URL section. We should see a list of subdomains for the in the RELATIONS section.

  • Subdomain Takeover

    It allows an adversary to claim and take control of the victim's subdomain.

    Resource: OWASP

Social Accounts

We can get more information if the organization uses social platforms such as the following.

  • Discord
  • Facebook
  • GitHub
  • Mastodon
  • Reddit
  • Twitter

Trace Route Packets

To trace the route that packets take from our IP to the target host, run the following command.


Find Vulnerabilities


  • Nuclei

    Nuclei is a vulnerability scanner whose checks are written in a simple YAML-based DSL.

    nuclei -h

Exploit DB

You can search for vulnerabilities and exploits recorded in Exploit-DB by using "searchsploit".

searchsploit <keyword>

If you find exploits that match the target, copy them to the current directory with the "-m" option, giving either the path or the Exploit-DB ID.
For example,

searchsploit -m windows/remote/
# or
searchsploit -m 42031

Exploit-DB is a database of exploits.
Find the exploit and download it. For example:

wget -O <output-file> <exploit-url>

Convert the exploit's Windows (CRLF) line endings to UNIX (LF) format; otherwise scripts may fail with errors caused by the stray carriage returns.


# Manual conversion: strip the carriage return from every line in place
sed -i 's/\r//' <exploit-file>