Determining the digital footprint of an organization’s Internet-facing systems allows security teams to see which of their digital assets attackers could abuse.
A significant part of this is their domain attack surface, which consists of domains and subdomains that contain their company name. The organization could own these assets, such as news[.]yahoo[.]com, which can be attributed to the site’s owner (Oath, Inc, according to its WHOIS records).
On the other hand, you may find subdomains in your potential attack surface that could have been created by other entities. These can be referred to as “non-attributable subdomains” since their WHOIS records do not match your company’s publicly available WHOIS data.
Non-attributable subdomains exist for both legitimate and illegitimate reasons. For instance, using third-party software could require an organization to use the provider’s subdomain. However, malicious actors could also use subdomains to imitate a brand or company in their campaigns. Whatever the case, mapping out an organization’s domain footprint aids in defending against cyber attacks. Here are some subdomain finder tools that can help.
Find a Company’s Subdomains with a Subdomain Lookup Tool
An organization may have several subdomains dedicated to different purposes, such as hosting a blog (blog[.]example[.]com) or shop (shop[.]example[.]com), or offering different versions of their site to other visitors from various locations (fr[.]example[.]com and es[.]example[.]com).
You may think that all organizations have all their subdomains under control, but several forget about some, making their networks vulnerable to subdomain takeovers. Once threat actors take control of a subdomain, they may be able to host any content they want or inject malicious codes.
To make sure that you don’t have vulnerable subdomains on your domain attack surface, you can use Subdomains Lookup to conduct a thorough inventory. For yahoo[.]com, the subdomain lookup tool returned 10,000 subdomains.
CIBC, on the other hand, had 994 subdomains.
An organization’s domain attack surface size depends on several aspects, such as the nature of their business and how many Internet-facing systems they maintain. Yahoo, as an Internet and technology company, would naturally tend to have more Internet-facing systems compared to a bank. Regardless of the size, however, what’s essential is that domain footprinting is possible and organizations find subdomains relevant to them.
Subdomain Lookup Consumption Models
Subdomains Lookup is available as a web-based tool that allows you to share reports via custom URLs. An API version for Splunk is also available, allowing developers to integrate the Subdomains Lookup tool into their script.
Both versions of the subdomain finder glean data from Subdomains Database, which is also available for download. It contains more than 2.3 billion subdomains across 2,864 top-level domains (TLDs).
Uncover Non-Attributable Subdomains with a Domains and Subdomains Discovery Tool
As mentioned earlier, organizations also need to map non-attributable subdomains as part of their digital footprint. Again, these are subdomains that could have been created by different entities but contain their brand or company name. A few examples returned by the Domains and Subdomains Discovery tool are:
- www[.]yahoo[.]yahoo[.]ndhs[.]edu[.]bd
- www[.]yahoo-yahoo[.]officee-setup[.]com
- yahoo-yahoonumber[.]norton-helpline[.]com
- yahoosupportyahoo[.]customercare-email[.]com
Aside from not using yahoo[.]com as the root domain, these subdomains’ WHOIS records are either privacy-protected or unavailable. Non-attributable subdomains could be used to imitate a particular brand or company. They are as much part of the spoofed organization’s domain attack surface as they are of the users’.
In our example, yahoosupportyahoo[.]customercare-email[.]com could be used to send emails that supposedly come from Yahoo’s customer service department. Once recipients click the link or download the attached file, the attackers can infiltrate their network.
Domains and Subdomains Discovery Consumption Models
Domains and Subdomains Discovery is available as a web-based lookup tool and an API. The subdomain finder is also part of WhoisXML API’s Domain Research Suite.
---
Domain footprinting is crucial to an organization’s cybersecurity mainly because it allows them to see how attackers exploit their digital assets. These attackers also do domain footprinting as part of their reconnaissance, so organizations would not be too far off by doing the same.