Written by: Idan Ron
Background
My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after the final dot. For example, in the domain name "google.com," the TLD is ".com". Companies such as Google own many TLDs, including .goog, .go, and .google. Google manages all of those TLDs and the domains underneath them (for example, "site.goog").
Owning TLDs is not uncommon. The following table lists various companies and the TLDs they own (for a full list of TLDs, see TLD-List or IANA List):
Company
TLD
.google, .go
Marriott
.marriott
American Express
.americanexpress, .amex
Barcelona
.Barcelona
Gucci
.gucci
Jaguar
.jaguar
Kia
.kia
Netflix
.netflix
The client’s TLD piqued my interest, so I used Google and GitHub to try to find tools that could provide me with a list of TLDs owned by an organization, or to search for domains under a specific TLD. To my surprise, I couldn’t find any.
You’re probably asking yourself, why should I care about TLDs? Well, one of my favorite bug bounty hunters, Jason Haddix, a person known within the hacker community for his OSINT abilities, once said during a Bug Hunter's Methodology Live Course, “For every apex domain you find you 4x your chance of hacking the target.” Basically, the more TLDs you discover that belong to a company, the more likely you are to find those juicy vulnerabilities.
And so, I sought to compile a list of TLDs owned by the client, which could lead to the identification of new domains that might not have been known and scanned.
The IssueAs I mentioned earlier, I couldn’t find a tool or a site that would provide me with a list of TLDs and the specific domains for each TLD.
Currently, all of the enumeration tools' focus is on subdomains. Subdomain enumeration is a big topic in the OSINT/Bug Bounty community, but domain enumeration based on TLD is not. There are projects such as Zip by Trickest (the repository was disabled due to DMCA takedown notice) that focus on brute-forcing a domain based on a specific TLD (in this case, the ".zip" TLD). The tool is actively brute-forcing domains based on a wordlist, and while it’s a good idea, I was wondering if there are other ways to do it passively that could lead to better results, similar to how passive subdomain enumeration is done.
Other sites, such as Internet Corporation for Assigned Names and Numbers (ICANN) or the Centralized Zone Data Service (CZDS), will allow you to perform a request to the TLD owner for those domain names. However, this would alert the customer to my actions, and thus is not a viable solution. The nature of Mandiant Red Team work requires remaining undetected.
So, I had to create something new. And this is how the new tool idea came to fruition.
After giving it some thought, I split the actions that needed to be taken to achieve the goal into two steps:
There are many tools that perform subdomain enumeration passively and actively. Passively could be via querying a variety of data sources for the subdomains. Actively could be done via brute-forcing using a wordlist. What if I use the same data sources that I do passively, but instead of searching for subdomains, I search for domains? Will the data sources support this?
One of the most common (and probably the most widely used) subdomain enumeration tools is Subfinder by ProjectDiscovery. I extracted the current data sources from Subfinder (this can be achieved by looking at the source code and/or using the "-list" flag). Then I manually checked each data source to confirm whether it would allow me to search for a domain instead of a subdomain.
It took a few days to experiment with all the APIs to determine if they allow the new regex or not, but I learned that some did, and some did not.
For example, crtsh, the SSL certificate's search application, did allow me to search for domains using the Postgres SQL server they expose publicly.
An example of how this could be done using crtsh is by connecting to the Postgres database with the following command: psql -t -h crt.sh -p 5432 -U guest certwatch. Installation of the psql utility is out of scope for this blog post, but instructions are available by performing a quick search. Executing the following query will search the TLD part for the domains you’re trying to identify:
SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower(‘%.TLD'));A similar approach can be used with Netlas, an OSINT company that allows users to register a new user and use an API to query domain information. Using Netlas and the following query, I was able to retrieve a list of domains based on a specific TLD:
curl -H 'X-API-Key: *****' https://app.netlas.io/api/domains/?q=*.google | jq .Figure 1: Enumeration of TLDs using Netlas
The following list shows the data sources that allowed me to perform a search query for domains, which ones didn’t allow me, and which ones I couldn’t check due to not having access to a paid API key:
This leads me to the part you all have been waiting for: the new tldfinder tool!
Tool ReleaseIn collaboration with ProjectDiscovery, I would like to announce tldfinder, a streamlined tool for discovering TLDs, associated subdomains, and related domain names.
Display tldfinder help to see all supported options:
$ ./tldfinder -hThe tool has three discovery modes:
It’s worth noting that DNS and TLD modes are active, meaning they perform DNS brute force. The Domain mode is passive, meaning there is no touching the domains, only querying from the data sources.
SourcesCurrently, at time of release, tldfinder queries the following APIs for information.
$ ./tldfinder -ls __ __ ______ __ / /_/ /__/ / _(_)__ ___/ /__ ____ / __/ / _ / _/ / _ \/ _ / -_) __/ \__/_/\_,_/_//_/_//_/\_,_/\__/_/ projectdiscovery.io [INF] Current list of available sources. [9] [INF] Sources marked with an * need key(s) or token(s) to work. [INF] You can modify /home/idanron/.config/tldfinder/provider-config.yaml to configure your keys/tokens. whoisxmlapi * bufferover * censys * dnsrepo * dnsx whoxy * netlas * waybackarchive crtshThe DNS and TLD discovery modes query all the sources (and perform fuzzing in TLD mode), while the Domain mode only queries dnsrepo, whoxy, or whoisxmlapi (as only those support reverse Whois).
Using DNS ModeThe following example uses tldfinder with the default DNS discovery mode option to search for domains that are part of the ".google" TLD.
$ ./tldfinder -d .google __ __ ______ __ / /_/ /__/ / _(_)__ ___/ /__ ____ / __/ / _ / _/ / _ \/ _ / -_) __/ \__/_/\_,_/_//_/_//_/\_,_/\__/_/ projectdiscovery.io [INF] Loading provider config from /home/idanron/.config/tldfinder/provider-config.yaml [INF] Enumerating domains for google partners.cloudskillsboost.google community.grow.google epp.registry-sandbox.google epp.registry.google www.registry.google registry-qa.google support.registry-qa.google citystpaul.google jira-testing.gss.google cloudskillsboost.google stg.cloudvmwareengine.google domains.google environment.google cloud.google design.google netbotzcircunvalacion.google app.google channel-app.google xc-8d1db3.dns.google whois.registry-sandbox.google epp.nic.google service.cloudvmwareengine.google dev.cloudvmwareengine.google travel.google lxc-wordpress.dns.google registry-sandbox.google www.registry-sandbox.google www.registry-qa.google lxc-gftcloud.dns.google lers.google test.cloud.gss.google www.cloudskillsboost.google grow.google registry.google 8888.google europe-west2-test.prodtest.cloudvmwareengine.google mail.ai.google dns64.dns.google earlydays.google privx.google whois.registry.google support.registry.google fx06b9f1.google whois.nic.google dns.google cloud.gss.google partner.cloudskillsboost.google support.registry-sandbox.google [INF] Found 48 domains for google in 637 milliseconds 994 microseconds Using TLD ModeIn the following example, I use tldfinder with the TLD discovery mode option to search for domains that have the string "google" in them; then I use dnsx (the aforementioned ProjectDiscovery tool) to perform fuzzing against the TLD part.
$ ./tldfinder -d google -dm tld __ __ ______ __ / /_/ /__/ / _(_)__ ___/ /__ ____ / __/ / _ / _/ / _ \/ _ / -_) __/ \__/_/\_,_/_//_/_//_/\_,_/\__/_/ projectdiscovery.io [INF] Loading provider config from /home/idanron/.config/tldfinder/provider-config.yaml [INF] Enumerating domains for google google.meme google.xn--fiq228c5hs google.ltda google.vote google.amsterdam google.hiphop google.sv google.boo google.cymru google.llc google.us google.xn--kprw13d google.christmas google.dad google.app google.monster google.rs [--snip--] [INF] Found 468 domains for google in 3 minutes 3 seconds* Please note that the results were redacted due to the length of the results.
Using Domain ModeThe following example uses tldfinder with the Domain discovery mode to search for domains that may be related to the input string ("projectdiscovery.io," in this case). This works by performing reverse DNS using one (or more) of the APIs allowed for this mode (see Sources section for more information).
$ ./tldfinder -d projectdiscovery.io -dm domain __ __ ______ __ / /_/ /__/ / _(_)__ ___/ /__ ____ / __/ / _ / _/ / _ \/ _ / -_) __/ \__/_/\_,_/_//_/_//_/\_,_/\__/_/ projectdiscovery.io [INF] Enumerating domains for projectdiscovery.io projectdiscovery.org projectdiscovery.in projectdiscoveryinc.org projectdiscoveryu.com projectdiscoverycaribbean.org nuclei.projectdiscovery.io projectdiscovery.tech projectdiscovery.org.uk projectdiscoveryofva.com projectdiscoveryou.com projectdiscovery.dev projectdiscovery.co.uk projectdiscoveryprograms.com projectdiscoverymovie.com dns.projectdiscovery.io projectdiscovery.com projectdiscovery.net projectdiscovery.io projectdiscoveryprograms.org docs.projectdiscovery.io [INF] Found 20 domains for projectdiscovery.io in 1 second 571 milliseconds How to Improve the ResultsAs always, it is recommended that you add your API keys to the provider-config.yaml file by creating the file (the file is also created automatically during the first run of the tool) in /home/{USER}/.config/tldfinder/provider-config.yaml on Linux or C:\Users\{USER}\.config\tldfinder\provider-config.yaml for Windows (replace {USER} with your username on the operation system).
The file format is as follows (replace the REDACTED with your API keys).
bufferover: ["REDACTED"] censys: [] dnsrepo: ["REDACTED"] netlas: ["REDACTED"] whoisxmlapi: ["REDACTED"] whoxy: [] AcknowledgmentI would like to thank ProjectDiscovery for the help and support in creating this tool!
A ransomware group known as RansomHub has been found deploying a new tool designed to disable endpoint detection and response (EDR) systems. This tool, EDRKillShifter, represents a significant advancement in the tactics used by cybercriminals to bypass security measures and execute ransomware attacks. Although a recent attack using this tool was thwarted, the discovery underscores […]
The post Ransomware Group Added a New EDR Killer Tool to their arsenal appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
There is an increased focus on how advances in artificial intelligence (AI) and machine learning (ML) can negatively impact network security.
The post How to Maximize Network Security With AI and ML appeared first on Security Boulevard.
A recent Digital Forensics and Incident Response (DFIR) report has uncovered various sophisticated tools threat actors employ to bypass major security defenses. These tools have been found to effectively circumvent protections offered by popular antivirus programs such as Windows Defender and Malwarebytes. The report highlights the alarming capability of these tools to delete backups and […]
The post New Threat Actors Tools Found to be Bypassed Antivirus & Delete Backups appeared first on Cyber Security News.
Cybersecurity researchers have uncovered a sophisticated malspam campaign targeting unsuspecting users through email and phone calls. Attackers are leveraging popular platforms like AnyDesk and Microsoft Teams to gain unauthorized access to victims’ computers, raising alarms about cybercriminals’ evolving tactics. The Attack Methodology The campaign begins with an email bombardment, commonly referred to as an “email […]
The post News Malspam Attacks AnyDesk and Microsoft Teams appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
DEF CON conference organizations are looking for volunteers to join a Franklin initiative to help secure critical infrastructure and school systems that lack the expertise required to defend themselves against cyberattacks.
The post DEF CON Calls for Cybersecurity Volunteers to Defend Critical Infrastructure appeared first on Security Boulevard.
Researchers have uncovered a new and previously undocumented malware platform named “Cyclops.” Written in the Go programming language, Cyclops has been linked to the notorious hacking group Charming Kitten, also known as APT 35. This malware platform enables operators to execute arbitrary commands on targeted systems, posing a severe threat to cybersecurity in the Middle […]
The post Undocumented Malware Platform “Cyclops” Lets Hackers to Write Arbitrary Commands on Windows appeared first on Cyber Security News.