This article details the creation of tldfinder, a tool to enumerate TLDs and related domains, prompted by a discovery made during a red team engagement. It explains why TLD discovery is underserved by current tooling, how the tool draws on data sources and their APIs, and the collaboration with ProjectDiscovery.
Key points
- Red team assessment for a major retail company identified that the client owned its own top-level domains (TLDs) during OSINT.
- TLD enumeration is underexplored compared to subdomain enumeration in current tooling.
- Introduced tldfinder, a tool with three discovery modes: DNS, TLD, and Domain.
- tldfinder queries multiple data sources via APIs to discover domains and associated TLDs, including some sources requiring API keys.
- Demonstrated practical data sources (e.g., crt.sh, Netlas) and noted which sources actually support domain enumeration as opposed to only other query types.
- Released tldfinder in collaboration with ProjectDiscovery and highlighted how to configure provider keys for better results.
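The key points above describe tldfinder pulling certificate and domain records from sources such as crt.sh and turning them into a list of TLDs and the domains under them. The following is an added example, written for this page and not tldfinder's own code, of that post-processing step: it normalises names the way a discovery tool must (wildcards, case, trailing dots, junk SAN entries), buckets them by TLD, and renders an internationalised TLD such as .xn--fiq228c5hs in Unicode. The input is a constructed sample shaped like crt.sh's JSON output (one object per certificate, newline-separated SANs in `name_value`); the hostnames in it are illustrative, not real query results.

```python
"""Build a TLD inventory from crt.sh-style certificate transparency records.

Added example, not part of the original article or of tldfinder. The sample
input below is constructed by hand and only imitates the shape of crt.sh's
JSON output; it is not real data.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample: one object per certificate, SANs newline-separated in
# "name_value", exactly how crt.sh's JSON export is laid out.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "partners.cloudskillsboost.google",
     "name_value": "partners.cloudskillsboost.google\n"
                   "www.partners.cloudskillsboost.google"},
    {"common_name": "*.about.google",
     "name_value": "*.about.google\nabout.google"},   # wildcard + duplicate
    {"common_name": "nic.xn--fiq228c5hs",
     "name_value": "NIC.xn--fiq228c5hs."},            # upper case, trailing dot
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nadmin@example.com"},  # e-mail SAN is junk
    {"common_name": "localhost", "name_value": "localhost"},  # no TLD at all
])

# A hostname is at least two labels of letters, digits and inner hyphens.
# This rejects e-mail addresses, IPs with junk, and single-label names.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def normalise_name(raw: str) -> Optional[str]:
    """Lower-case, strip a wildcard prefix and trailing dot; None if not a hostname."""
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def hostnames_from_crtsh(json_text: str) -> Set[str]:
    """Collect every distinct, valid hostname named in the certificate records."""
    hosts: Set[str] = set()
    for record in json.loads(json_text):
        for raw in record.get("name_value", "").split("\n"):
            name = normalise_name(raw)
            if name:
                hosts.add(name)
    return hosts


def group_by_tld(hosts: Set[str]) -> Dict[str, List[str]]:
    """Bucket hostnames by their rightmost label, sorted for stable output."""
    by_tld: Dict[str, Set[str]] = defaultdict(set)
    for host in hosts:
        by_tld[host.rsplit(".", 1)[1]].add(host)
    return {tld: sorted(names) for tld, names in sorted(by_tld.items())}


def decode_tld_label(tld: str) -> str:
    """Render an A-label (xn--...) as its U-label; leave ASCII TLDs untouched."""
    if not tld.startswith("xn--"):
        return tld
    try:
        return tld.encode("ascii").decode("idna")
    except UnicodeError:
        return tld  # malformed punycode: keep the raw label rather than crash


def tld_inventory(json_text: str) -> Dict[str, dict]:
    """TLD -> {"unicode": readable form, "hosts": names seen under it}."""
    return {
        tld: {"unicode": decode_tld_label(tld), "hosts": names}
        for tld, names in group_by_tld(hostnames_from_crtsh(json_text)).items()
    }


if __name__ == "__main__":
    for tld, info in tld_inventory(SAMPLE_CRTSH_JSON).items():
        print(f".{tld} ({info['unicode']}): {len(info['hosts'])} host(s)")
        for host in info["hosts"]:
            print("   ", host)
```

Two points worth noting from the output: the brand TLD `.google` surfaces as its own bucket rather than being lost among `.com` results, which is the whole reason for enumerating TLDs separately from subdomains; and an IDN TLD is only recognisable once the A-label is decoded, so any tooling that prints raw `xn--` labels will hide what a client actually owns.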
MITRE Techniques
- [T1593] Search Open Websites/Domains: Used open-source reconnaissance to gather information about TLDs.
- [T1483] Domain Generation Algorithms: Explored methods for domain enumeration based on TLDs.
- [T1071] Application Layer Protocol: Used APIs to query for domain information.
Indicators of Compromise
- [Domain] Discovery results from DNS/TLD enumeration: google, partners.cloudskillsboost.google, and 46 more
- [TLD] Observed TLDs referenced in examples: .google, .xn--fiq228c5hs
Read more: https://cloud.google.com/blog/topics/threat-intelligence/enumerating-private-tlds/