Search for all DNS records relating to the subnets of the domain you are investigating, to highlight the different functions the servers are being used for. Things to look out for:
- A host named “firewall.yourcustomerdomain.com” suggests a high likelihood that this host is the firewall, allowing you to select the testing tools relevant to this type of device.
- A host named “webdevel.anothersite.com” is likely to be a host from which development work is run, and could yield interesting penetration-test results.
- Look for any IP addresses running live versions of outdated software – this has the potential to increase the attack surface.
Using the information gathered in the above steps, you may uncover subnets that form part of the infrastructure which you were not previously aware of but which are of interest. Use Passive DNS to drill down into these newly discovered networks.
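The triage described above (grouping passive-DNS results by subnet, inferring a server's function from its hostname, flagging outdated software, and spotting subnets outside the known scope to pivot into) can be scripted. The following is an added example written for this page, not code from the original article or from any passive-DNS vendor. All records, subnets and software versions are constructed placeholders using documentation address ranges; the hostname keywords are assumed naming conventions that would be tuned per customer, and the software observations are assumed to come from a separate, authorised source, since passive DNS itself carries no version information.

```python
"""Triage of passive-DNS records by subnet and inferred host role.

Added example with constructed data; not the output of any real passive-DNS
service. Version information is assumed to come from a separate source.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (hostname, IPv4) in documentation ranges.
SAMPLE_RECORDS = [
    ("firewall.yourcustomerdomain.com", "203.0.113.1"),
    ("vpn.yourcustomerdomain.com", "203.0.113.2"),
    ("www.yourcustomerdomain.com", "203.0.113.10"),
    ("mail.yourcustomerdomain.com", "203.0.113.25"),
    ("webdevel.anothersite.com", "198.51.100.40"),
    ("staging.anothersite.com", "198.51.100.41"),
    ("ns1.yourcustomerdomain.com", "192.0.2.53"),
]

# Subnets the engagement already knows about (assumed scope).
KNOWN_SUBNETS = ["203.0.113.0/24"]

# Hostname prefix heuristics -> server function. These are assumptions about
# naming conventions, not a standard; adjust them for each customer.
ROLE_KEYWORDS = {
    "firewall": "perimeter firewall",
    "vpn": "remote access",
    "www": "public web",
    "web": "public web",
    "mail": "mail server",
    "smtp": "mail server",
    "devel": "development",
    "staging": "development",
    "ns": "DNS server",
}

# Constructed software observations keyed by IP (product, version), assumed
# to come from a separate authorised data source, plus a placeholder baseline.
OBSERVED_SOFTWARE = {
    "198.51.100.40": ("ExampleHTTPD", "1.2"),
    "203.0.113.10": ("ExampleHTTPD", "2.4"),
}
MINIMUM_SUPPORTED = {"ExampleHTTPD": "2.0"}


def classify_host(hostname):
    """Return sorted role labels inferred from the leftmost DNS label."""
    label = hostname.split(".")[0].lower()
    roles = set()
    for keyword, role in ROLE_KEYWORDS.items():
        # Prefix match always; substring match only for longer keywords so
        # short ones such as "ns" do not fire on unrelated names.
        if label.startswith(keyword) or (len(keyword) >= 4 and keyword in label):
            roles.add(role)
    return sorted(roles)


def subnet_of(ip, prefix=24):
    """Canonical /prefix network string for an address."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def group_by_subnet(records, prefix=24):
    """Map each /prefix subnet to the (hostname, ip) records seen in it."""
    groups = defaultdict(list)
    for hostname, ip in records:
        groups[subnet_of(ip, prefix)].append((hostname, ip))
    return dict(groups)


def find_new_subnets(records, known_subnets, prefix=24):
    """Subnets present in the records but absent from the known scope."""
    known = {str(ipaddress.ip_network(s)) for s in known_subnets}
    return sorted(s for s in group_by_subnet(records, prefix) if s not in known)


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def flag_outdated(observed, minimum_supported):
    """IPs whose observed product version is below the supported baseline."""
    flagged = []
    for ip, (product, version) in observed.items():
        baseline = minimum_supported.get(product)
        if baseline and _version_tuple(version) < _version_tuple(baseline):
            flagged.append((ip, product, version))
    return sorted(flagged)


def build_inventory(records, known_subnets, observed, minimum_supported):
    """One row per host: subnet, inferred roles, scope status, outdated flag."""
    new = set(find_new_subnets(records, known_subnets))
    outdated = {ip for ip, _, _ in flag_outdated(observed, minimum_supported)}
    return [
        {
            "host": hostname,
            "ip": ip,
            "subnet": subnet_of(ip),
            "roles": classify_host(hostname),
            "newly_discovered": subnet_of(ip) in new,
            "outdated_software": ip in outdated,
        }
        for hostname, ip in records
    ]


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS, KNOWN_SUBNETS,
                               OBSERVED_SOFTWARE, MINIMUM_SUPPORTED):
        print(row)
```

Rows marked `newly_discovered` are the subnets to feed back into the passive-DNS search for the next iteration; hosts with an empty `roles` list are the ones a naming convention did not explain and are worth reviewing by hand.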