Mastering your own domain

Search engines are easy and accessible, but we also need to understand a network's domain structure, addressing plan, and supporting services, as that perspective is vital to our efforts in probing the application. Domains hosting applications can have intricate structures that can be exploited. The hosts, network IP addresses and blocks, nameservers, and related elements can help identify target entities, pivots to adjacent hosts, underlying services and daemons, and the open ports and protocols in use. We'll look at some tools that incorporate some of these into a larger solution, but mastering dig, fierce, dnsenum, dnsmap, WHOIS, and DNSRecon will go a long way toward improving accuracy and efficacy.

The WHOIS database has been in use since the early days of the Internet. Although intricate service-provider and hosting paradigms mean that WHOIS rarely contains the end user of the domain and their contact information, the information it does hold can start an investigation. We've all used it before, so we'll hop into the next-level tools.