Using Horizontal Domain Correlation for IT Asset Discovery
Introduction
I’m a big fan of @0xpatrik and his reconnaissance methodology for IT asset discovery. In one of his blog posts, he talks about horizontal and vertical domain correlation. Most people focus on subdomain enumeration (aka vertical domain correlation), but they skip out on the other half. If you're dealing with an asset that allows you, as a pentester or bug bounty hunter, to do recon on all domains, acquisitions, and everything else, then you will need to make use of horizontal correlation techniques.
Subsidiaries (Google)
A subsidiary is the child of a parent company. So if we look at Facebook, it is the parent company of Instagram, since Facebook owns Instagram, its subsidiary. WhatsApp is also a subsidiary of Facebook for the same reason.
A company can control several child companies, which can have children as well, so IT asset discovery can start to get complicated for large organizations. Depending on the scope of your bug bounty, a parent company may allow you to go after any company they have acquired, which means all their child companies become fair game.
This article lists a few techniques to find subsidiaries of a company. The first and easiest way is to simply use Google. With a couple of magic words, Google will happily supply this data to you. Simply type this into the search box:
- CompanyName subsidiaries
As you can see in the above image, we now have a list of child companies belonging to Facebook.
- Onavo
- LiveRail
- Oculus VR
- PrivateCore
- etc.
Clicking on the company in Google will perform a search on that company. Typically, the company's domain will be the first result returned. As shown below, I clicked on Oculus and we can see the company's domain returned as the first result.
So, you would do that for each company, building a list of companies and their associated domain. I typically just store this in a CSV file.
Subsidiaries (Paid Tools)
Searching for subsidiaries via Google will get the job done pretty well, but if you’re doing IT asset discovery professionally, you will want to use something a little more sophisticated. There are a few companies out there that do nothing but track acquisitions (listed below). Using their databases, you can easily query everything you want. You can even set up alerts to get notified when a company acquires a new domain, which is very useful for pouncing on a target before anyone else.
In this tutorial, I’m going to use Crunchbase, but Owler is just as good. The first thing to note is that these services only allow you to perform 1-5 searches before they require you to pay. However, clearing your cookies or using incognito mode will get around these limits if you are performing a large number of searches.
According to Crunchbase, Facebook has 85 subsidiaries, and that does not include the subsidiaries of those subsidiaries, so the full list is probably longer. However, you must sign up and pay for an account to view the full list. If you're doing this professionally, this is the preferred method as it eases the process. There is also an API, so you could automate the whole thing!
Reverse Whois
As you may know, any time you register a domain without Whois privacy protection such as WhoisGuard, the contact details you supply are published in the public Whois record. This includes data like your name, email address, company, and other private information.
By searching historical Whois records, we can find the domains a company has registered. For example, if the email address “tj@facemi.com” was used to register facebook.com without Whois privacy enabled, that address is exposed to the world. We can then look up every other domain that was registered using the same email address.
There are a couple of free search engines people use to find this information:
These two sites might be free, but they do limit the number of results you receive. Again, if you're doing this professionally, you may want to go the paid route. Most of these services buy their data from the same provider, which also offers a paid search engine that is updated daily. If you want the entire Whois database, you can buy that as well and set up your own service, as these two sites did:
If you're using the paid version, the first thing you need to do is perform a historical Whois search. Here, you're looking for any email addresses that have been exposed in past records. In our case, we found a few, the first one being “domain@fb.com.”
Once you have the Whois email, you can perform a reverse Whois search to find all the other domains that have the same email in their Whois history.
In this example, there are 8,169 results returned. The first few domains are “facebook.net” and “fbcdn.net,” which are both owned by Facebook.
So, you would do this for every subsidiary belonging to a company and then you can proceed to the subdomain enumeration phase and everything else.
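The two halves of the procedure above, walking the subsidiary list down to the children's children and then pivoting on a shared registrant email to find further root domains, are shown below as one added example. It is not code from the original post or from Crunchbase, Owler or any Whois service; every company name, domain, email address and WHOIS record in it is constructed so that it runs offline. It also shows one caveat the article's WhoisGuard remark implies: an address belonging to a privacy-proxy service is shared by thousands of unrelated registrants, so it must never be used as a pivot or the correlated list fills with false positives.

```python
"""Horizontal domain correlation over constructed WHOIS records.

Added example for this article, not code from the original post or from
any of the services it mentions. Every company name, domain, e-mail
address and WHOIS record below is constructed for illustration.
"""
import re
from collections import defaultdict

# Step 1 (subsidiaries): a parent -> children map, built by hand from the
# kind of list the article gets from Google or Crunchbase. Grandchildren
# are reached by walking the tree. Constructed data.
SUBSIDIARIES = {
    "Example Parent Inc": ["Example Photos", "Example VR"],
    "Example VR": ["Example Lenses"],
}
# Company -> primary root domain (what the article stores in its CSV).
COMPANY_DOMAINS = {
    "Example Parent Inc": "example-parent.test",
    "Example Photos": "example-photos.test",
    "Example VR": "example-vr.test",
    "Example Lenses": "example-lenses.test",
}

def in_scope_companies(root, tree=SUBSIDIARIES):
    """Return the root company plus every descendant (children's children too)."""
    seen, stack = [], [root]
    while stack:
        company = stack.pop()
        if company in seen:
            continue  # guard against cycles or duplicates in the acquisition data
        seen.append(company)
        stack.extend(tree.get(company, []))
    return seen

# Step 2 (reverse Whois): constructed key/value WHOIS records, one per domain,
# separated by blank lines. The two proxy-protected records share a mailbox
# even though only one of them belongs to the target.
WHOIS_RECORDS = """
Domain Name: example-parent.test
Registrant Email: domains@example-parent.test
Admin Email: domains@example-parent.test

Domain Name: example-parent-cdn.test
Registrant Email: domains@example-parent.test

Domain Name: example-vr.test
Registrant Email: hostmaster@example-vr.test

Domain Name: example-vr-shop.test
Registrant Email: hostmaster@example-vr.test

Domain Name: unrelated-blog.test
Registrant Email: abc123@whoisguard-proxy.test

Domain Name: example-photos.test
Registrant Email: abc123@whoisguard-proxy.test
"""

# Privacy-proxy mailbox patterns (constructed, not a real provider list):
# pivoting on these would correlate every customer of the proxy service.
PRIVACY_PROXY = re.compile(r"whoisguard|privacy|proxy|redacted", re.I)
EMAIL_FIELDS = ("Registrant Email", "Admin Email", "Tech Email")

def parse_whois(text):
    """Yield (domain, set_of_emails) for each blank-line separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if value:
                fields[key.strip()].append(value.strip().lower())
        domain = fields.get("Domain Name", [None])[0]
        if not domain:
            continue
        emails = {e for k in EMAIL_FIELDS for e in fields.get(k, [])}
        yield domain, emails

def reverse_whois(records, seed_domains):
    """Expand seed domains to every domain sharing a non-proxy registrant e-mail."""
    by_domain = dict(records)
    by_email = defaultdict(set)
    for domain, emails in by_domain.items():
        for email in emails:
            if not PRIVACY_PROXY.search(email):
                by_email[email].add(domain)
    found = set(seed_domains)
    frontier = list(seed_domains)
    while frontier:  # a newly found domain may expose a further pivot e-mail
        d = frontier.pop()
        for email in by_domain.get(d, ()):
            for other in by_email.get(email, ()):
                if other not in found:
                    found.add(other)
                    frontier.append(other)
    return sorted(found)

def discover(root):
    """Subsidiary tree -> seed root domains -> reverse-Whois expanded root domains."""
    companies = in_scope_companies(root)
    seeds = [COMPANY_DOMAINS[c] for c in companies if c in COMPANY_DOMAINS]
    return reverse_whois(parse_whois(WHOIS_RECORDS), seeds)

if __name__ == "__main__":
    for d in discover("Example Parent Inc"):
        print(d)
```

Running it lists the four seed domains plus example-parent-cdn.test and example-vr-shop.test, which were reached through shared registrant mailboxes, while unrelated-blog.test stays out even though it shares the proxy mailbox with example-photos.test. The expansion loops until no new domain appears, because a domain found through one mailbox may itself carry a second mailbox worth pivoting on; with a real Whois export the same code applies, only WHOIS_RECORDS and the proxy pattern change.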
Conclusion
Most people spend all their IT asset discovery time doing subdomain enumeration and other vertical domain correlation techniques, but they forget about horizontal correlation. There are a few very large companies which have open scopes and allow you to target all subsidiaries. First, find all the company’s subsidiaries using Google or Crunchbase. Then, find all the domains those companies have registered using reverse Whois techniques. After that, you should have a complete list of all root domains belonging to your target, and you can proceed to the vertical correlation phase.
Or... Automate IT Asset Discovery & Tracking
If you don’t have time to hunt and peck for every domain, every subsidiary, and every child’s child company, you can automate the entire process. Red Sentry’s continuous external and cloud pentesting platform also automatically does IT asset discovery and tracking. To learn more, just fill out the form below.