Information gathering on a domain



Recently, I was asked what one can find out about a website or, in more general terms, a domain. Since this is a very broad and vague question, you can dig very deep into this topic.

I’ll try to list some tools I use(d) but don’t expect it to be definitive or complete.


I assume you know how to work with a terminal, install software and handle a Linux system.

Kali Linux was used for my experiments. Of course you may use any other Linux distribution. Some tools are just regular websites that don’t require anything other than a simple browser. Personally, I prefer the command line since you can chain commands and there are no captchas. But sometimes there is just no such alternative.

target.corp is a fictional example domain. Some other well-known domains are used to discuss details.


Even though I do my best, I can be wrong. I won’t take any responsibility should you be harmed or suffer consequences. You should always consider the possibility of an adversary trying to attack you or working with malicious content.

Remember that websites offering a free service may track you. Also be aware that querying services may leave a trail of “fingerprints”. OPSEC implications are not discussed; it is left to the reader to first understand the tools and then use them.

You have been warned. ⚠️

“Passive” / silent

Here “passive” means “you are not directly doing a port scan or heavily hammering on the webserver”, which would leave obvious traces and create a lot of noise. Hence the quotes.


In a nutshell: whois target.corp or whois

Use case: Find out who owns a domain or IP.

whois is probably best known for querying domain or IP address block information, basically telling us who owns a resource.

$ whois
Domain Name:
Registry Domain ID: d1a549fdfc3c4dd389c3c575a889efb1-LROR
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2022-12-17T09:19:13Z
Creation Date: 2001-01-13T00:12:14Z
Registry Expiry Date: 2024-01-13T00:12:14Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Organization: Wikimedia Foundation, Inc.
Registrant State/Province: CA
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone Ext: REDACTED FOR PRIVACY
Name Server:
Name Server:
Name Server:

whois records usually show very little information nowadays. This may be because the registrar acts as a proxy or because the registrant turned on privacy protection. Without proper means you won’t get any further here.

It is also possible to use some web tools for this purpose like or

The same applies if you want to check the owner of an IP address.

$ whois

NetRange: -
CIDR: ,,,,,,
NetName:        MSFT
NetHandle:      NET-20-33-0-0-1
Parent:         NET20 (NET-20-0-0-0-0)
NetType:        Direct Allocation
Organization:   Microsoft Corporation (MSFT)
RegDate:        2017-10-18
Updated:        2021-12-14
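Both whois outputs above share the same line-oriented `Key: value` format, so they are easy to post-process in a pipeline. The following is an added Python example, not code from the original post: it parses such a record (the sample is constructed from the domain output above, with target.corp and made-up name servers in place of the elided values), lists the privacy-redacted fields, and derives the domain’s age and remaining registration time, which is what you usually want from whois when triaging a suspicious domain.

```python
from datetime import datetime

# Constructed sample, modelled on the domain whois output above; the
# registrant and the name servers are made up for the fictional target.corp.
SAMPLE_WHOIS = """\
Domain Name: TARGET.CORP
Registry Domain ID: d1a549fdfc3c4dd389c3c575a889efb1-LROR
Creation Date: 2001-01-13T00:12:14Z
Registry Expiry Date: 2024-01-13T00:12:14Z
Registrar: MarkMonitor Inc.
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Organization: Target Corp (constructed)
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Name Server: NS1.TARGET.CORP
Name Server: NS2.TARGET.CORP
"""

def parse_whois(text):
    """Collect 'Key: value' lines into lists so repeated keys (Domain Status,
    Name Server) keep every value. Comment lines (%, #, >>>) and lines without
    a value are skipped; the RIR format (NetRange, CIDR, ...) parses the same way."""
    rec = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def parse_ts(value):
    """whois timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def redacted_fields(rec):
    """Fields the registrar or registry masked; these are dead ends."""
    return sorted(k for k, vals in rec.items()
                  if any("REDACTED" in v for v in vals))

def lifecycle(rec, now):
    """Domain age and remaining registration time in whole days at `now`."""
    created = parse_ts(rec["Creation Date"][0])
    expires = parse_ts(rec["Registry Expiry Date"][0])
    return {"age_days": (now - created).days,
            "days_to_expiry": (expires - now).days}

def is_recently_registered(rec, now, max_age_days=90):
    """Very young domains are a classic phishing / typosquatting indicator."""
    return lifecycle(rec, now)["age_days"] < max_age_days
```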


In a nutshell: dig +noall +answer +multiline target.corp any @<RESOLVERIP> or dig +noall +answer -x

Use case: Resolve to an IP and vice versa.

Resolving a domain to an IP address can be done with dig. There are several flags you can use to get just the IP or a much more verbose output, depending on your needs. It also lets you specify which DNS resolver to use, should your default one block certain requests.

$ dig target.corp

; <<>> DiG 9.18.12 <<>> target.corp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24151
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;target.corp                IN    A

target.corp.            43200    IN    A
target.corp.            43200    IN    A

;; Query time: 66 msec

In this verbose output you get the A record and also the server that responded to your query.

With the -t switch you can specify which record type you want to query (AAAA, MX, TXT etc.), or any to query all DNS records at once. I have noticed that some DNS servers stopped answering this kind of query, so you may have to ask a different DNS server, which you can specify with @, for instance.

So depending on what is in the zone you can get a lot of extras like DNSKEY, RRSIG etc.

$ dig +noall +answer +multiline target.corp any @
target.corp.    3600 IN    TXT "v=spf1"
target.corp.    10800 IN NSEC3PARAM 1 0 3 EA33014A
target.corp.    10800 IN NS
target.corp.    10800 IN NS
target.corp.    3600 IN    MX 10
target.corp.    10800 IN A

This gives a grepable output for further use with pipes.

Another handy feature is to see which hostname a specific IP address resolves to, aka reverse IP lookup. Let’s say you have an IP address in your logs but you don’t know which server it was.

$ dig +noall +answer -x
    589    IN    PTR

Note that this won’t always work, since the nameserver must be able to answer the PTR query. In the days of dynamic DNS services it is very well possible that you end up with this situation:

$ dig +noall +answer secrethost.dynamic.dns
secrethost.dynamic.dns. 10800 IN A

$ dig +noall +answer -x
    9000    IN    PTR

It is also possible to use websites like or
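The grepable `+noall +answer` output above is easy to parse, and that is what makes the reverse-lookup caveat checkable: the PTR for an IP should name the host you started from, and the PTR target should resolve forward to the same IP (forward-confirmed reverse DNS). The block below is an added Python example, not code from the original post; its dig outputs for target.corp and secrethost.dynamic.dns are constructed, and the IPs are RFC 5737 documentation addresses.

```python
# Constructed sample outputs of `dig +noall +answer ...` for the fictional
# target.corp; IPs are RFC 5737 documentation addresses, not real hosts.
DIG_ANY = """\
target.corp.    3600 IN    TXT "v=spf1 mx -all"
target.corp.    10800 IN NSEC3PARAM 1 0 3 EA33014A
target.corp.    10800 IN NS ns1.target.corp.
target.corp.    10800 IN NS ns2.target.corp.
target.corp.    3600 IN    MX 10 mail.target.corp.
target.corp.    10800 IN A 192.0.2.10
"""
# Reverse lookup of 192.0.2.10 points back at target.corp ...
DIG_PTR_OK = "10.2.0.192.in-addr.arpa. 589 IN PTR target.corp.\n"
# ... while the dynamic-DNS host's IP only carries the provider's generic PTR.
DIG_A_DYN = "secrethost.dynamic.dns. 10800 IN A 198.51.100.7\n"
DIG_PTR_DYN = "7.100.51.198.in-addr.arpa. 9000 IN PTR dyn-7.isp.example.\n"

def parse_dig_answer(text):
    """Split '+noall +answer' lines into name/ttl/class/type/rdata dicts; comment
    (;) and blank lines are skipped, owner names normalised, TXT quotes removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "class": rclass, "type": rtype,
                        "rdata": rdata.strip('"')})
    return records

def rdata_of(records, rtype):
    """All rdata values of one record type, e.g. the NS or MX targets."""
    return [r["rdata"] for r in records if r["type"] == rtype]

def reverse_name(ip):
    """The in-addr.arpa owner name that dig -x queries for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def ptr_targets(ptr_records):
    return {r["rdata"].rstrip(".").lower() for r in ptr_records if r["type"] == "PTR"}

def reverse_matches(hostname, ptr_records):
    """Does the PTR answer name the host you started from?"""
    return hostname.rstrip(".").lower() in ptr_targets(ptr_records)

def fcrdns_ok(ip, ptr_records, forward_records):
    """Forward-confirmed reverse DNS: some PTR target must own an A record
    pointing back at ip (forward_records = the dig answer for that target)."""
    targets = ptr_targets(ptr_records)
    return any(r["type"] == "A" and r["name"] in targets and r["rdata"] == ip
               for r in forward_records)
```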


Example: geoiplookup

geoiplookup lets you look up the originating country of an IP address.

Another method is to query an online service like or (account required but apparently free).


$ curl "" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   750    0   750    0     0   2681      0 --:--:-- --:--:-- --:--:--  2688
{
  "ip": "",
  "success": true,
  "type": "IPv4",
  "continent": "Europe",
  "continent_code": "EU",
  "country": "Switzerland",
  "country_code": "CH",
  "region": "Geneva",
  "region_code": "GE",
  "city": "Geneva",
  "latitude": 46.2043907,
  "longitude": 6.1431577,
  "is_eu": false,
  "postal": "1204",
  "calling_code": "41",
  "capital": "Bern",
  "borders": "AT,DE,FR,IT,LI",
  "flag": {
    "img": "",
    "emoji": "🇨🇭",
    "emoji_unicode": "U+1F1E8 U+1F1ED"
  },
  "connection": {
    "asn": 513,
    "org": "CERN - European Organization for Nuclear Research",
    "isp": "CERN - European Organization for Nuclear Research",
    "domain": ""
  },
  "timezone": {
    "id": "Europe/Zurich",
    "abbr": "CET",
    "is_dst": false,
    "offset": 3600,
    "utc": "+01:00",
    "current_time": "<TIMESTAMP>"
  }
}

Bonus: What’s my IP again?

Let’s say you want to know your own public IP. What do you do? Right, you open a browser and type “what’s my ip” into Google. Did I mention I hate leaving the shell?

In a nutshell:


... etc.

Use case: Find out what a website does, a sandbox for websites.

This web service scans a URL and provides a lot of insight, not only into the IP and geolocation, but it also tries to analyze the content. The results show an estimate of potential threats, detected technologies, other domains on the same IP or ASN and the reuse of resources. Reused resources may help to pivot to further websites and uncover a connected online presence. Some features are restricted to logged-in users or are only available with a paid subscription.

Use case: Go back in time, website archive.

Going back in time to see changes and older versions of a website can give further insights, especially when earlier versions contained more (unredacted) information that gives new leads on where to find connections.

There are several sites archiving the internet.

Use case: Find subdomains and connected resources.

Getting more information about other (not so obvious) subdomains can lead to more data to work on, especially if the target set up a service and forgot about it, or thinks it is secret enough. dnsdumpster will list domains and subdomains related to your query, sometimes even disclosing internal hostnames.

Use case: DNS lookups

viewdns provides a wide range of lookups: reverse IP lookup, reverse whois lookup, IP history, whois, ping, portscan etc. The reverse whois lookup in particular is very interesting for finding other domains that have been registered with a given email address.

An alternative may be


In a nutshell: theHarvester -d target.corp -l 100 -b all

Use case: Find subdomains and emails

theHarvester leverages several services (some requiring an account) to do recon on a domain. It gathers not only IPs and subdomains, but also email addresses of the given domain. Apparently it can also take screenshots of the subdomains.

$ theHarvester -d -l 100 -b all
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.2.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
*                                   *
*                                                                 *

[*] Target:

[*] Searching Certspotter.
[*] Searching Baidu.
[*] Searching Duckduckgo.
[*] Searching Hackertarget.
[*] Searching CRTsh.
[*] Searching Otx.
[*] Searching Qwant.
[*] Searching Rapiddns.
[*] Searching Dnsdumpster.
[*] Searching Omnisint.
[*] Searching Threatminer.
[*] Searching Sublist3r.

[*] ASNS found: 2

[*] Interesting Urls found: 5

[*] LinkedIn Links found: 0

[*] IPs found: 88

[*] Emails found: 1

[*] Hosts found: 482


In a nutshell: emailfinder -d target.corp

Use case: Find email addresses

EmailFinder lets you do recon on email addresses related to a domain, which can be used for further investigation, e.g. to find out where an address has been used for other accounts like social media or forums.

$ emailfinder -d
     __________      ________________
________  ____/_________  __ \__  __ \
_  _ \_  /_   __  __ \_  / / /_  /_/ /
/  __/  __/   _  / / /  /_/ /_  _, _/
\___//_/      /_/ /_//_____/ /_/ |_|

|_ Author: @JosueEncinar
|_ Description: Search emails from a domain through search engines.
|_ Version: 0.3.0b
|_ Usage: emailfinder -d

Searching in google...
Searching in bing...
Searching in baidu...
Searching in yandex...
[+] Bing discovered 3 emails
[+] bing done!
[!]  yandex error YandexDetection, Robot detected
[i] Baidu did not discover any email IDs
[+] baidu done!
[+] Google discovered 1 emails
[+] google done!

Total emails: 3

Google Dork

Use case: Find hidden or forgotten gems on the internet

Even though there are automated tools to search and crawl for email addresses, using Google Dorks is a very powerful way of enriching your information set. Knowing only that a domain, email address or name exists doesn’t give you the context or the “intelligence” to see further. Also, it is well possible that the automated tools don’t return all the data, or any data at all.

E.g. you could search for intext:"@target.corp" to see where email addresses show up, but be advised that it’s better to use a full email address like intext:"user@target.corp".

A source for such queries is the Google Hacking Database (GHDB).


Use case: Find user activity

The collected email addresses may be found in leaks and give you a further indication of where they were used. may give you further pointers on where to look for accounts and activities. Possibly you are able to find nicknames or usernames on these platforms.


In a nutshell: sherlock <username>

Use case: Find where a username is used. Works better with a rather unique nickname.

With usernames at hand you can check whether they were re-used on other social media platforms. sherlock-project/sherlock automates the hunt for them and checks over 400 sites in total. This may enlarge your view of and knowledge about your target.

$ sherlock stevejobs
[*] Checking username stevejobs on:

[+] 7Cups:
[+] 8tracks:
[+] 9GAG:
[+] pikabu:
[+] pr0gramm:

[*] Search completed with 179 results

Use case: Find services running on an IP or similar services by fingerprint.

Most people know Shodan as a service to search for vulnerable devices, but looking up the resolved IP can also give insights into other things like other hostnames, other services running, their versions, and further information like certificates. Some features require a paid account, yet the freely available data can be interesting enough to find further valuable information.

“Active” / noisy

These tools are very noisy and leave a lot of traces showing that you were looking into the domain. Since these tools are rather advanced I won’t go into much detail but rather give a short example command, also for my own notes.


In a nutshell: dnsenum --noreverse target.corp

Use case: Enumerate subdomains

SparrowOchon/dnsenum2 will try to brute force subdomains using a pre-defined list.

$ dnsenum --noreverse
dnsenum VERSION:1.2.6

-----   -----

Host's addresses:
__________________

                                                  0        IN    A


Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

                        0        IN    CNAME
                           0        IN    A
                         0        IN    CNAME
                     0        IN    A
                           0        IN    A
                         0        IN    A
                           0        IN    CNAME
                           0        IN    A
                            0        IN    CNAME
                    0        IN    A
                            0        IN    A
                            0        IN    A


 class C netranges:
____________________________


 ip blocks:



In a nutshell: dnsrecon -d target.corp -D /usr/share/dnsrecon/subdomains-top1mil-5000.txt -t brt

Use case: Enumerate subdomains

darkoperator/dnsrecon will try to brute force subdomains using a pre-defined list.


$ dnsrecon -d target.corp -D /usr/share/dnsrecon/subdomains-top1mil-5000.txt -t brt
[*] Using the dictionary file: /usr/share/dnsrecon/subdomains-top1mil-5000.txt (provided by user)
[*] brt: Performing host and subdomain brute force against target.corp...
[+]      A
[+]      AAAA 2a02:1234:5678:12:34:56:78:C
[+]      A
[+]      A
[+] 4 Records Found

dirbuster


In a nutshell: dirb /usr/share/dirb/wordlists/small.txt

Use case: Brute force unknown, hidden or forgotten folders on a webserver

dirb is a simple brute forcer that scans for directories on a webserver using a wordlist. This can help uncover “hidden” folders or (sensitive) content that someone forgot to remove.


$ dirb /usr/share/dirb/wordlists/small.txt

DIRB v2.22
By The Dark Raver

WORDLIST_FILES: /usr/share/dirb/wordlists/small.txt



---- Scanning URL: ----

---- Entering directory: ----

---- Entering directory: ----

---- Entering directory: ----

---- Entering directory: ----

---- Entering directory: ----


Note that there is a GUI version called dirbuster.


In a nutshell: spiderfoot -l and point your browser to

Use case: Intensive recon on a domain, IP, bitcoin address, email, phone number or username

smicallef/spiderfoot describes itself as “automates OSINT for threat intelligence and mapping your attack surface.” It has a web interface and a CLI that lets you specify a target to scan. It combines several sources and methods, trying to get a very detailed picture ranging from cryptocurrency, enumeration and threat intelligence to lookups, document analysis etc.

Due to the sheer amount of possibilities and features I will skip any further introduction and just point to their project website.


⚠️ Before you run nmap, be advised to understand and know what you do! This is NOT a tool you should play around with. ⚠️

Use case: Knock on every port of the target, fingerprint the services and scan it.

nmap is THE port scanner par excellence! But it is also very noisy and aggressive by default, so you will probably trigger a lot of detection systems. On the other hand, a public-facing webserver is literally bombarded with port scans daily. So in the end it is up to you to decide how much you want to scan the host.

Since using and explaining nmap literally fills books and a long manpage, I’d like to emphasize that you read the manual first: Chapter 15. Nmap Reference Guide | Nmap Network Scanning. Not only to be able to understand every possible switch and technique, but also to properly interpret the results.

For the impatient, a few examples:

However, I really do strongly emphasize that you first learn how to use nmap before you launch it against anything other than your own laptop or some smart device you own on your home network.

Wrap up!

Even though I didn’t go into the OSINT part itself, I think that just doing recon gives enough information to start working and digging further. The intelligence part would require knowing the goal better and is not the topic of this post. Using the right tools to map a domain’s footprint can significantly broaden your possibilities to analyze it, simply by giving you a more complete picture of what is lying out there to be looked at.

Good luck! And stay safe out there.