Topic: Domain Scanning

Robert_
Domain Scanning
« on: July 31, 2008, 09:47:23 PM »
Does anyone here know of a domain scanner that will scan for aliases on that domain, such as domain pointers and subdomains?

Thnx!

mr_doc
Re: Domain Scanning
« Reply #1 on: August 01, 2008, 12:20:29 AM »
If you type the domain name into Google it will give you any cached pages from the subdomains.
PLAlotgd  -If you play, I will hate you a little less.
Unnamed Forums

Robert_
Re: Domain Scanning
« Reply #2 on: August 01, 2008, 01:06:47 AM »
I mean other domains hosted with that domain on the same host. Say there is a primary domain and other domains hosted under it on the same host.

MattGSX
Re: Domain Scanning
« Reply #3 on: August 01, 2008, 05:07:33 PM »
domaintools.com. Run a domain WhoIs on the site to give you the host and owner. Running a standard WhoIs on the parent company should give you all listed domains. For an additional $20, you can also get all domains hosted by the host.

Is this what you're looking for?

Copyright
Re: Domain Scanning
« Reply #4 on: August 01, 2008, 05:19:37 PM »
http://websiteoutlook.com will give other websites hosted on it.

As far as subdomains, you can try Acunetix, but it only scans for widely used ones (mail.web, smtp.web); write a perl script to brute it :D.

Robert_
Re: Domain Scanning
« Reply #5 on: August 01, 2008, 06:26:28 PM »
What I'm doing is I've got this main company's website and want to know what other websites are hosted on their server.

trevelyn
Re: Domain Scanning
« Reply #6 on: August 03, 2008, 07:12:28 PM »
> domaintools.com. Run a domain WhoIs on the site to give you the host and owner. Running a standard WhoIs on the parent company should give you all listed domains. For an additional $20, you can also get all domains hosted by the host.
>
> Is this what you're looking for?

LOLLL $20?? LOOOLLLL use simple UNIX tools to enumerate that information:

wget "whatever.com" && cat index.html | grep "href=" | cut -d "/" -f 3 (should be good)
 
or try the (FREE) listurls python script in Back|Track 3
or search google like this: "site:<victim>.com"
Do "whois <victim>.com" from the command line of the (FREE) backtrack CD.

The Whois result will usually include the whole network range which belongs to the organization.

Type "nslookup" from the cmd line and then at the ">" prompt test different services/types like
"type=mx" (mail servers) or "type=ns" etc.
You could also write a bash script that reads a file line by line (full of words) and sticks that variable on like so:
$variable.<victim>.com, and it could simply do wget and stream edit the output with grep, sed, awk to show you only live subdomains, etc.
Try using the host command to enumerate data about the DNS servers used as well.

hope that helps.
<3 Trev.
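
The wordlist loop Trev sketches above, written out as an added example (not code from this thread or any of its posters), with `host` in place of wget so a name counts as live when it actually has an A record. It is meant for taking inventory of which names under a domain you administer are really published in DNS. It assumes the `host` utility (BIND or Knot) is installed; the function names, the wildcard probe label and the built-in word list are constructed for the example. The wildcard check is the caveat a practitioner wants here: on a domain with a wildcard record every word in the list "resolves", so the script probes a label nobody would have registered first and discards names that only point at the wildcard address.

```shell
#!/usr/bin/env bash
# Added example, not from this thread: the wordlist loop Trev describes, using
# `host` instead of wget so that a name counts as live when it has an A record.
# Meant for inventorying which names under a domain you administer are really
# published in DNS. Assumes the `host` utility (BIND/Knot) is installed.

set -u

# resolve_name NAME -> prints "NAME ADDRESS" and returns 0 when NAME has an A
# record; returns 1 on NXDOMAIN, timeout, or a name with no address record.
resolve_name() {
    local name="$1" out addr
    out=$(host -t A -W 2 "$name" 2>/dev/null) || return 1
    # host prints "NAME has address A.B.C.D" once per A record; keep the first
    addr=$(printf '%s\n' "$out" | awk '/has address/ { print $4; exit }')
    [ -n "$addr" ] || return 1
    printf '%s %s\n' "$name" "$addr"
}

# wildcard_address DOMAIN -> prints the address that a label nobody would have
# registered resolves to (the target of a wildcard record), or nothing at all.
# Without this check every word in the list looks "live" on a wildcard domain.
wildcard_address() {
    local domain="$1"
    resolve_name "wildcard-probe-$$-$(date +%s).$domain" | awk '{ print $2 }'
}

# enumerate_subdomains DOMAIN WORDLIST -> one "name address" line per live name.
# Blank lines and '#' comments are skipped; words are lowercased and stripped of
# CR so lists edited on Windows work; names that only resolve because of a
# wildcard record are dropped.
enumerate_subdomains() {
    local domain="$1" wordlist="$2" word line wild
    wild=$(wildcard_address "$domain")
    # `|| [ -n "$word" ]` keeps a last line that lacks a trailing newline
    while IFS= read -r word || [ -n "$word" ]; do
        word=$(printf '%s' "$word" | tr -d '\r' | tr 'A-Z' 'a-z')
        case "$word" in ''|\#*) continue ;; esac
        line=$(resolve_name "$word.$domain") || continue
        if [ -n "$wild" ] && [ "${line##* }" = "$wild" ]; then
            continue
        fi
        printf '%s\n' "$line"
    done < "$wordlist"
}

# Stand-alone use: ./subdomain_inventory.sh yourdomain.example [wordlist]
# With no wordlist argument a small constructed list is used.
if [ $# -ge 1 ]; then
    if [ $# -ge 2 ]; then
        enumerate_subdomains "$1" "$2"
    else
        tmp=$(mktemp)
        printf '%s\n' www mail smtp ns1 ns2 ftp dev staging vpn webmail > "$tmp"
        enumerate_subdomains "$1" "$tmp"
        rm -f "$tmp"
    fi
fi
```

Resolving with `host` rather than fetching each name over HTTP, as the original wget idea does, keeps the inventory to DNS and also catches hosts that exist but serve nothing on port 80; the output is one `name address` line per published name, which is easy to diff against the list of names you expect to be public.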

MattGSX
Re: Domain Scanning
« Reply #7 on: August 04, 2008, 04:52:14 PM »
You think I'd ever pay the $20? I just pulled a Google Commando and did a search for what the OP was looking for. That was one of the top results. I took a look, verified that it worked, and posted it.

jx
Re: Domain Scanning
« Reply #8 on: August 04, 2008, 05:33:12 PM »

z3wb
Re: Domain Scanning
« Reply #9 on: August 04, 2008, 05:46:46 PM »
> domaintools.com. Run a domain WhoIs on the site to give you the host and owner. Running a standard WhoIs on the parent company should give you all listed domains. For an additional $20, you can also get all domains hosted by the host.
>
> Is this what you're looking for?

I once dox'd someone with that. He ran a website a few years back, and I asked my friend who has a paid membership to give me one of the archived whois records, and what do you know, his full information was right there, including home address and phone number. Even though he cancelled the domain, his information was, and still is, available on all kinds of websites. Hopefully, one day, they won't require a paid membership to view their archived whois records, and we'll have free access to all the dox we can handle.
Huh?

Zazen
Re: Domain Scanning
« Reply #10 on: August 05, 2008, 12:17:36 AM »
> write a perl script to brute it :D.

Surely someone out there has already written a nice tool for this? Is there none?

Chartreuse
Re: Domain Scanning
« Reply #11 on: August 21, 2008, 09:17:06 PM »
I have written a perl script that will brute-force any part of a web address.
It takes a URL in this form: http://*.somesite.com/ where the asterisk can be put in any part of the web address.
It requires a word list with one word on each line.

If anyone wants the script, or wants to help work on it, I can post it here.

Chartreuse.
Hi?

Woofcat
Re: Domain Scanning
« Reply #12 on: August 22, 2008, 07:27:48 PM »
If their name servers are poorly configured, you can do host -l domain nameserver

You might get a list. Care to disclose the target?
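
The "host -l domain nameserver" check from the post above, turned into a small audit script for a domain you administer. This is an added example, not code from this thread or its posters: it looks up the domain's authoritative nameservers, asks each one for a zone transfer (AXFR), and reports which ones answered. A correctly configured server refuses transfers to arbitrary clients, so any "allowed" line is a configuration fault to fix (for BIND, the allow-transfer ACL). It assumes the `host` utility is installed; the function names and the example.com values used in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from this thread: the "host -l domain nameserver" check
# turned into an audit of a domain you administer. Every authoritative server
# is asked for a zone transfer (AXFR); a correctly configured server refuses,
# so an "allowed" line means the transfer ACL (e.g. BIND allow-transfer) needs
# tightening. Assumes the `host` utility is installed.

set -u

# nameservers DOMAIN -> one authoritative nameserver hostname per line
nameservers() {
    local domain="$1"
    # host prints "DOMAIN name server NS." ; drop the trailing dot
    host -t NS "$domain" 2>/dev/null | awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# zone_transfer_allowed DOMAIN NS -> 0 if NS handed over at least one record
# via AXFR, 1 if the transfer was refused or the server did not answer.
zone_transfer_allowed() {
    local domain="$1" ns="$2" out
    # a refused transfer prints "Transfer failed."; a successful one lists the
    # zone's records, so look for record lines rather than trusting the exit code
    out=$(host -l -W 5 "$domain" "$ns" 2>/dev/null) || true
    printf '%s\n' "$out" | grep -q -E ' (has address|has IPv6 address|name server|mail is handled by|is an alias for) '
}

# audit_zone_transfers DOMAIN -> prints "NS allowed" or "NS refused" per
# nameserver; returns 1 if any server allowed the transfer, else 0.
audit_zone_transfers() {
    local domain="$1" ns status=0
    while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        if zone_transfer_allowed "$domain" "$ns"; then
            printf '%s allowed\n' "$ns"
            status=1
        else
            printf '%s refused\n' "$ns"
        fi
    done <<EOF
$(nameservers "$domain")
EOF
    return "$status"
}

# Stand-alone use: ./axfr_audit.sh yourdomain.example
# Exit status 1 means at least one server still allows transfers.
if [ $# -ge 1 ]; then
    audit_zone_transfers "$1"
fi
```

Checking every nameserver separately matters because transfer ACLs are configured per server: a primary that refuses AXFR is no protection when a secondary, often run by a different provider, still hands the whole zone to anyone who asks. The non-zero exit status makes the check usable from a cron job or CI pipeline that should fail when a server regresses.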

Tachyon
Re: Domain Scanning
« Reply #13 on: August 22, 2008, 08:10:53 PM »
> domaintools.com. Run a domain WhoIs on the site to give you the host and owner. Running a standard WhoIs on the parent company should give you all listed domains. For an additional $20, you can also get all domains hosted by the host.
>
> Is this what you're looking for?

> I once dox'd someone with that. He ran a website a few years back, and I asked my friend who has a paid membership to give me one of the archived whois records, and what do you know, his full information was right there, including home address and phone number. Even though he cancelled the domain, his information was, and still is, available on all kinds of websites. Hopefully, one day, they won't require a paid membership to view their archived whois records, and we'll have free access to all the dox we can handle.

Was that information valid? I've run websites registered with bullshit names before.
Do you speak two languages?

"Detective Don Gombo: IM AFRAID THE ONLY ONE "F" IS "U" MY FRIEND. WELCOME TO THE CRIMINAL JUSTICE WEB!"

MattGSX
Re: Domain Scanning
« Reply #14 on: August 25, 2008, 02:41:30 PM »
The ones I tried were, but mine were businesses, so there is some amount of motivation not to use fictitious information. I'm pretty sure the site gets the information from the domain registrar (if the domain was independently registered), as well as the web hosting company. When I WhoIs'ed myself, I got a set of "personal" information from when I registered my domain, as well as the company info from when I registered a hosting acct with another company. If this information is bullshit for both, then the information that comes back will be bullshit, unless your hosting/domain providers give out information like the IP used to register, or anything like that.