Horizontal domain correlation

Slack Group

Before we get started I have started a slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on everyday answer questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like minded people join below:

NEW Hacking Group Slack Channel

Introduction

Im a big fan of @0xpatrik and his reconnaissance methodology. In one of his blogs he talks about horizontal and vertical domain correlation. Most people focus on subdomain enumeration AKA vertical domain correlation but they skip out on the other half. If your dealing with an asset that allows you to go after all domains, acquisitions, and everything else then you will need to make use of horizontal correlation techniques.

Subsidaries (Google)

A subsidiary is the child of a parent company. So if we look at Facebook they would be the parent company of Instagram because Facebook owns Instagram. Whatsapp would also be a subsidiary of Facebook for the same reason.

A company can control several child companies and those child companies can have children as well, so you see how things can start to get complicated for large organizations. Depending on the scope of your bugbounty they may allow you to go after any company they have acquired, which means all their child companies become fair game.

There are a few techniques to finding subsidiaries of a company and ill show you a few. The first and easiest way is to simply use Google. With a couple magic words Google will happily supply this data to you.

  • companyName subsidaries

As you can see in the above image we have a list of child companies belonging to Facebook.

  • Whatsapp
  • Onavo
  • LiveRail
  • Oculus VR
  • PrivateCore
  • etc

Clicking on the company in google will perform a search on that company. Typically the companies domain will be the first result returned. As shown below I clicked on Oculus and we can see the companies domain returned as the first result.

So, you would do that for each company building a list of companies and their associated domain, I typically just store this in a CSV file.

Subsidaries (Paid Tools)

Searching for subsidiaries via Google will get the job done but if you are doing this professionally you will want to use something a little better. Their are a few companies out there who do nothing but track acquisitions. Using their databases we can easily query everything we want, you can also set up alerts to get notified when a company acquires a new domain which is very useful for pouncing on a target before anyone else.

In this tutorial im going to use Crunchbase but Owler is just as good. First thing to note is that these services only allow you to perform 1-5 searchers before they require you to pay. However, clearing your cookies or using incognito mode will get around these limits if you are performing large amounts of searches.

According to Crunchbase Facebook has 85 subsidiaries and thats not including the childrens child domains so the list is probably bigger. However, you must sign up and pay for an account to view the full list. If your doing this professionally this would be the preferred method as it eases the whole process. There is also an API so you could automate the whole thing!

Reverse Whois

As may you know anytime you sign up for a domain with out whois guard your personal information will be exposed to the world. This includes things such as your email, company, name, and a bunch of other private information.

By searching historical whois records we can find domains companies have registered. For example if the email address “tj@facemi.com” registered the domain facebook.com and forgot to enable whois privacy their email will be exposed to the world. We can then lookup all other domains that registered using the same email address.

There are a couple of free search engines people use to find this information.

The sites might be free but they do limit the amount of result you receive. Again if your doing this professionally you may want to go the paid route. Most of these service buy their database from the same guys and these guys offer a paid search engine which is updated daily. If you want the entire whois database you can buy that as well and setup your own service.

If your using the paid version the first thing you need to do is perform a historical whois search. Here your looking for any email addresses that might be exposed. In our case we found a few but the first one is “domain@fb.com”.

Once you have the whois email you can perform a reverse whois search to find all other domains with the same email in their whois history.

As you can see there are 8,169 results returned. The first few domains are “facebook.net” and “fbcdn.net” which are both owned by facebook.

So, you would do this for every subsidiary belonging to a company and then you can proceed to the subdomain enumeration phase and everything else.

Conclusion

Most people spend all their time doing subdomain enumeration and other vertical domain correlation techniques but they forget about horizontal correlation. There are a few very large companies which have open scopes and allow you to target all subsidiaries. First you want to find all the companies subsidiaries using Google or Crunchbase. Then you want to find all domains that company has purchased using reverse whois techniques. After that you should have a complete list of all root domains belonging to tour target and you can proceed to the vertical correlation phase.

Leave a Reply

Your email address will not be published. Required fields are marked *