Wide scope Program – Recon part 1

Wide scope Program – Recon parte 1

A different approach to traditional recognition.

When a vulnerability search is carried out for a company, and not enough information is provided, it is difficult to have a map about all the assets that correspond to the company. In this post you can learn about different techniques to locate those targets that are not easily visible, for example targets that do not appear in the subdomain enumeration process.

A particular case is that you can count on the main domain name redacted.com. The pentester will always test with the subdomains of said domain, that is:



So, as you may already be imagining, this is not a guide oriented to subdomain enumeration, if not it has a much broader focus. We think that due to the extensiveness of subdomain enumeration we can better include it in a part 2, as well as OSINT techniques.

When Bug Bounty is used, most of the time the objectives are very specific, providing IP addresses, DNS and subdomains, so the scope of where to look for vulnerabilities is more limited and depends a lot on what information enumeration tools find, so that there is a high probability of finding duplicates. However, there are programs with much more general and extensive scope where the pentester can find out the objectives on their own, as long as they correspond to the company.

Acquisitions of a company

Crunch base

We can see the acquisitions of a company through the following web portal.


AT&T example.


Associated domains


Obtains information from Google Analytics and New Relic. Collect related domains and subdomains according to ad/analytics codes.



DomLink is a tool that uses a domain name to discover the organization name and associated email address and then find more associated domains.

Tool download: https://github.com/vysecurity/DomLink.

This is useful for when you need to discover more domains associated with the target.

AlienVault OTX


google dork

You can search through Google filters, websites that contain the name of the company in the footer of the page, for example:

"2019 Twitch Interactive, Inc."

Get IP addresses


In https://www.shodan.io we can perform IP address lookups using the name of an organization.


By clicking on any result we can obtain more information about the target. We can click on a particular port so that it can be consulted via a web browser.

Many companies acquire consecutive IP ranges, so if you know an IP address of a company's main portal or email server domain, try passing that IP to a CIDR to discover more IP addresses.


Get Shodan IPs via favicon

First we need to generate the hash value of a favicon image from one or more URLs. For this we will use the FavFreak tool located in the following repository https://github.com/devanshbatham/FavFreak.git.

Commands for installation using Linux:

$ git clone https://github.com/devanshbatham/FavFreak $ cd FavFreak $ virtualenv -p python3 env $ source env/bin/activate $ python3 -m pip install mmh3

Then save the URLS to a text file.

Run the following command to get the hash values of the favicons.

cat urls.txt | python3 favfreak.py 

Once the hash is obtained, use it in the following Shodan search filter.


This way you will get all the IP addresses that use that favicon image.

By registering with shodan you can get the ApiKey to use the shodan client via terminal.

Now start shodan with the ApiKey.

shodan init "APIKEY"
shodan search http.favicon.hash:2130917481 --fields ip_str,port --separator " " | awk '{print $1":"$2}' 

Now the previous command can be improved so that from the list of IP addresses, you can obtain the domain name using the hakrevdns tool https://github.com/hakluke/hakrevdns.

shodan search http.favicon.hash:2130917481 --fields ip_str,port --separator " " | awk '{print $1}' | hakrevdns -d

This is a good way to search for targets. You can get more information about shodan filters at the following link:



You can also use the Censys engine to look up IP addresses for a company name.



Finally we recommend the Chinese search engine ZoomEye.



There are many tools to get results from the WHOIS record. A good page to get results is the following:


Just change att.com to the domain you want to check.

Here you can see the name of the person who registered the domain, email and the name of the domain servers. You can also see when the domain was registered, when it expires, and when it was last updated, among other information.

Reverse WHOIS

We can perform reverse WHOIS lookups using an email, phone or company name.


We can also use the following page to search for domain names for a company name or email https://viewdns.info/reversewhois.

Finally, there is another resource to view domain history using an email or company name.



An autonomous system number (ASN) is a unique number assigned to an autonomous system (AS) by the Internet Assigned Numbers Authority (IANA).

Classless inter-domain addressing (CIDR or supernetting) is a way of combining multiple class C address ranges into a single network or path. This addressing method adds class C IP addresses.

CIDR enumeration with AMASS

For example, let's get the ASN and CIDR for Facebook using the Amass tool https://github.com/OWASP/Amass.

amass intel -org Facebook

With Amass we can also search by ASN.

amass intel-asn 63293

CIDR enumeration with Metabigor

project url https://github.com/j3ssie/metabigor.


echo testla | metabigor net --org -v

CIDR enumeration using whois.radb.net

Given the ASN 63293 we can obtain the CIDRs.

whois -h whois.radb.net -- '-i origin 63293' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -u

Now we can get the DNS for a particular CDIR using Amass.

amass intel-cidr amass intel -cidr

CIDR enumeration using Asnip

Asnip gets the ASN, CIDR and lists the IP addresses.

asnip -t starbucks.com.mx -p

DNS resolution

DNS resolution using hakrevdns

Project URL: https://github.com/hakluke/hakrevdns.

Given an IP we can get its DNS.

echo "" | hakrevdns -d

We can also list IP addresses from a CIDR and get their DNS.

prips | hakrevdns

Reverse NS, MX

Reverse lookups can be performed using the DNS server name.


The previous tool also allows you to perform reverse lookups of MX records.


  1. On the internet first time i saw this awesome article with best explanation and proper screenshot attached..I can't wait for part 2 when you are going to release ?

Leave a Reply

Your email address will not be published. Required fields are marked *