Background
There are times, more often than we’d like to admit, that we need to do asset discovery on our own organization (or, for you red teamers, other people’s!).
This is actually simpler than you’d think, as long as you know the domains associated with the organization.
Process
First, create a text file containing the domains you’re interested in, one per line.
Next, use OpenSSL to get a list of Subject Alternative Names (SANs) from any certificates present on the domains:
for i in $(cat domains.txt); do echo | openssl s_client -servername "$i" -connect "$i:443" 2>/dev/null | openssl x509 -noout -text | grep 'DNS:' | sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' >> fqdns.txt; done
This goes through the list of domains you provided one at a time, obtains the certificate from the web server listening on port 443 of that domain (if there is one), keeps only the lines containing the string ‘DNS:’, removes the spaces and the ‘DNS:’ tag, replaces each comma with a line break, and appends the result to the file fqdns.txt.
Now, get the IP address for each name you discovered:
for i in $(cat fqdns.txt); do host -W 1 -t A "$i" | grep ' has address ' | sed -e 's/ has address /,/' >> fqdns-with-ips.txt; done
This attempts to resolve each name you found and obtain the A resource record associated with it, and then saves the output to a file containing the full domain followed by its IP address, separated by a comma, one per line.
You now have a list of domains and their associated IP addresses, ready for port scanning, compliance testing, etc.
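As an added example (not the post's own code), the two steps above wrapped in POSIX shell functions whose parsing stages read from stdin, so the SAN extraction and the handling of `host` output can be checked against constructed input before you point them at real domains. The network-facing functions assume `openssl` and `host` are installed; the sample certificate text and host output below are constructed, not captured.

```shell
#!/bin/sh
# Added example, not the original post's code. The parsing stages take text on
# stdin so they can be exercised with the constructed samples below.

# Constructed sample: the SAN block as `openssl x509 -noout -text` prints it.
SAMPLE_SAN_TEXT='            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:*.DEV.example.com, IP Address:192.0.2.10'

# Constructed sample: lines `host -W 1 -t A` prints for three names.
SAMPLE_HOST_TEXT='www.example.com has address 192.0.2.1
example.com has address 192.0.2.1
example.com has address 192.0.2.2
Host nope.example.com not found: 3(NXDOMAIN)'

# parse_sans: certificate text on stdin -> one DNS SAN per line, deduplicated.
# Only entries that start with "DNS:" are kept (IP/email SANs are dropped), and
# the tag is removed as a string. The post's `tr -d 'DNS://'` deletes the
# characters D, N, S, :, / wherever they occur, so a name such as
# "*.DEV.example.com" would come out as "*.EV.example.com".
parse_sans() {
    grep 'DNS:' | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | LC_ALL=C sort -u
}

# fetch_sans HOST: fetch the certificate from HOST:443 and parse its SANs.
# -servername sends SNI, so a virtual-hosted server returns the right certificate.
fetch_sans() {
    printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -text | parse_sans
}

# parse_host: `host` output on stdin -> "name,ip" per A record. Lines for names
# that do not resolve ("Host ... not found") are skipped instead of landing in
# the output file unparsed.
parse_host() {
    sed -n 's/^\([^ ]*\) has address \(.*\)$/\1,\2/p'
}

# resolve_all: names (one per line) on stdin -> name,ip pairs on stdout.
resolve_all() {
    while IFS= read -r name; do
        [ -n "$name" ] && host -W 1 -t A "$name" | parse_host
    done
}

# Stand-alone run (`sh script.sh run`): domains.txt in, fqdns.txt and
# fqdns-with-ips.txt out, matching the files the post produces.
main() {
    while IFS= read -r d; do [ -n "$d" ] && fetch_sans "$d"; done < domains.txt | LC_ALL=C sort -u > fqdns.txt
    resolve_all < fqdns.txt > fqdns-with-ips.txt
}
case "${1:-}" in run) main ;; esac
```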