DoD Promotion Recon

There's a recent promotion for the DoD program on HackerOne, and as always, I love doing recon. So I decided to write a quick write-up on how to start, especially when the scope is this wide. If you head to the program's page on HackerOne, the scope is defined like this:

It's not the usual list of in-scope domains (domain.tld and the like); it's more like: anything under the mil TLD is ours. That makes things a bit tricky. You can't just point a common tool like Subfinder at a bare TLD and expect the best result, because some of the sources Subfinder queries expect a registrable domain and return errors when handed a TLD.

But let's be patient and see what it returns in the end: thanks to crt.sh and the other sources, Subfinder gives us 27929 subdomains in total.

We can now see what kind of domains we are looking at, for example navy.mil, af.mil, army.mil, and so on. What we want next is every unique second-level domain (SLD) in that output, for further recon. Let's extract them with the command below (mil.subs is Subfinder's output, one hostname per line):

cat mil.subs | awk -v FS=. '{print $(NF-1)}' | sort -u

But as you'll notice, a few of the extracted "second-level domains" can't be valid, for example entries containing an @ character (e-mail addresses that leaked into the source data rather than hostnames). We can drop them with the command below. (You could also skip this step and let the resolver weed them out.)

cat mil.subs | awk -v FS=. '{print $(NF-1)}' | grep -v @ | sort -u

We now have a proper list of SLDs; let's append .mil to each of them again (sorted.mil.subs is the output of the previous command):

cat sorted.mil.subs | awk '{print $1".mil"}'

Before handing the list to Subfinder, we should resolve the names first, so we don't waste time (or hit errors) on domains that don't exist. Let's run the common tool dnsx to weed the list out.

As shown, only 57 domains resolved. It's supposed to be more, isn't it? I started thinking here. I ran a dig command on army.mil and there was no A record. I extracted the name servers:

ns02.army.mil
ns01.army.mil

which do not resolve many of the other domains either. So I used a different approach here: I ran a whois command, and from the result:

nserver:      CON1.NIPR.MIL 199.252.157.234 2608:0140:000c:0157:0000:0000:0000:0234
nserver:      CON2.NIPR.MIL 199.252.162.234 2608:0120:000c:0162:0000:0000:0000:0234
nserver:      EUR1.NIPR.MIL 199.252.154.234 2608:4122:0002:0154:0000:0000:0000:0234
nserver:      EUR2.NIPR.MIL 199.252.143.234 2608:4163:0001:0143:0000:0000:0000:0234
nserver:      PAC1.NIPR.MIL 199.252.180.234 2608:c184:0001:0180:0000:0000:0000:0234
nserver:      PAC2.NIPR.MIL 199.252.155.234 2608:c144:0001:0155:0000:0000:0000:0234

I used these IPs as the name servers and tried name resolution again:

The result increased to 210 compared with the default resolvers. (The six NIPR hosts in the whois output are the authoritative name servers for the mil TLD itself, so asking them directly tells you whether a name is delegated in the mil zone, and a registered SLD always is, even when its apex has no A record, as army.mil showed.) We can now run Subfinder over the list, iterating through each SLD. (I assume all domains under the mil TLD belong to the DoD, but you can verify them via whois or the DoD website itself before handing the result to the other tools.)
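As an added example (these are not the post's own commands), here is the whole flow from the steps above packaged as shell functions, with the "how many labels to keep" parameter generalised so the same function also pulls out the third-level parents (test.army.mil) that the later note on deeper levels asks for. The flags used are those of the real subfinder, dnsx and dig CLIs; the file names (mil.subs, sld.mil, live.mil, ...) are hypothetical, the six resolver IPs are the ones whois printed above, and restricting the output to names ending in .mil is my assumption about the scope.

```shell
#!/bin/sh
# Added example for the DoD recon write-up; not code from the original post.
# File names below are hypothetical; tool flags are the real CLIs' flags.

# The six mil TLD name servers printed by whois in the post.
NIPR_RESOLVERS="199.252.157.234,199.252.162.234,199.252.154.234,199.252.143.234,199.252.180.234,199.252.155.234"

# extract_level N: read hostnames on stdin (e.g. Subfinder output) and print
# the unique names made of their last N labels, so N=2 gives the SLDs
# (army.mil) and N=3 gives third-level parents (test.army.mil).
# It lower-cases input, strips CRs, drops @-entries (e-mail addresses, not
# hostnames), keeps only .mil names (assumption: everything else is out of
# scope) and ignores wildcard labels such as "*.army.mil".
extract_level() {
  tr -d '\r' | tr '[:upper:]' '[:lower:]' \
    | awk -F. -v lvl="$1" '
        index($0, "@") == 0 && NF >= lvl && $NF == "mil" && $(NF-lvl+1) != "*" {
          name = $(NF-lvl+1)
          for (i = NF-lvl+2; i <= NF; i++) name = name "." $i
          print name
        }' \
    | sort -u
}

# resolve_slds FILE: the dnsx step from the post, but with the TLD's own
# servers as resolvers (the change that took the count from 57 to 210).
# Prints one resolving name per line.
resolve_slds() {
  command -v dnsx >/dev/null 2>&1 || { echo "dnsx not installed" >&2; return 1; }
  dnsx -l "$1" -r "$NIPR_RESOLVERS" -a -silent
}

# delegated DOMAIN: ask one TLD server directly, without recursion, whether
# the mil zone holds an NS delegation for DOMAIN (exit 0) or not (exit 1).
# A delegation proves the SLD is registered even when its apex has no A
# record, which is exactly the army.mil case in the post.
delegated() {
  dig +norecurse +noall +authority NS "$1" @199.252.157.234 \
    | awk '$4 == "NS" { found = 1 } END { exit !found }'
}

# recon_pipeline SUBS: the full flow. SUBS is Subfinder's output for the TLD
# (the post's mil.subs). Needs network access and subfinder/dnsx installed.
recon_pipeline() {
  extract_level 2 < "$1" > sld.mil            # unique SLDs, .mil re-appended
  resolve_slds sld.mil > live.mil             # weed out names that don't resolve
  subfinder -dL live.mil -silent -o subs.all  # enumerate under each live SLD
  extract_level 3 < subs.all > third.mil      # parents to brute-force next
}
```

Only extract_level runs offline; the other three need the network and the tools on PATH. If a name dnsx drops still passes delegated, trust the delegation: the zone exists and is worth enumerating even though its apex returns nothing.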

Anyway, running WatchTower (my machine for recon and other stuff) with the given list returned nearly 500k subdomains.

That's a huge leap from the 27929 subdomains of Subfinder's first run.

Thanks for reading. That was just a quick recon for the DoD promotion; it's not perfect, but it's a good start for hunting on DoD assets.

From here you can move on to the next steps; don't rely on passive recon alone. I'll leave a quick note here to give you some ideas. (I may update the post in the near future.)

  1. Don't forget DNS brute force! Grab a subdomain wordlist like Assetnote's 2M subdomains list (link) to find more SLDs.
  2. Look for third- and fourth-level domains, e.g. *.test.army.mil. You can repeat the steps above on those wildcards too.
  3. Reverse whois on domains that have DoD Network Information Center as their organisation.
    etc.
