Passive DNS services and external PDNS sources are used to map IPs to domain names and hosting infrastructure, enabling reconnaissance beyond simple IP-based checks. The article walks through multiple tools and APIs (DNSDumpster, Circl.lu, Umbrella Investigate, Shodan, and more) and shows practical commands and examples to uncover domains, hostnames, and associated assets from a given IP. #PassiveDNS #DNSDumpster #CirclLu #Shodan #Umbrella #Sans #Incapsula
Keypoints
- Certificate-based DNS discovery can reveal DNS names, but wildcard certificates can limit usefulness when SANs are broad.
- Passive DNS enables reverse-lookups by IP to uncover domains hosted on or associated with an IP address.
- Public PDNS and DNS information services (DNS Dumpster, Circl.lu) provide accessible APIs and data to enrich reconnaissance.
- Shodan offers a “tell me about that host” endpoint that returns domains, ports, and other context about a host/IP.
- Historic DNS data helps discover hosts that have moved or sites that persisted long after their initial use.
- Umbrella Investigate PDNS data can yield extensive hostname/domain mappings and even historic associations for an IP.
- Many organizations expose a large surface of old or forgotten domains on shared infrastructure, making old marketing or demo sites discoverable.
- The author shares scripts and notes that free trials of these services can be leveraged for reconnaissance, with GitHub resources for further automation.
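The reverse-lookup-by-IP step described above, as an added example that is not part of the original diary or its scripts: it parses Passive DNS records in the Common Output Format (NDJSON, the shape Circl.lu's PDNS returns), keeps only A records pointing at the queried IP, groups hostnames by registered domain, and separates records last seen long ago (the "historic" hosts the article mentions) from current ones. The records, timestamps and the 192.0.2.10 address are constructed; `registered_domain` is a deliberately naive helper.

```python
import json
from collections import defaultdict

# Constructed sample in the Passive DNS Common Output Format (one JSON
# record per line), imitating a reverse lookup by IP. Hostnames reuse
# names seen in the article; the IP, counts and times are made up.
SAMPLE_PDNS = """\
{"rrname": "isc.sans.edu", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1609459200, "time_last": 1704067200, "count": 4200}
{"rrname": "www.sans.org", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1609459200, "time_last": 1704067200, "count": 9100}
{"rrname": "old-demo.sans.org", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1420070400, "time_last": 1483228800, "count": 12}
{"rrname": "giac.org", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1609459200, "time_last": 1704067200, "count": 800}
{"rrname": "mail.sans.org", "rrtype": "MX", "rdata": "mx.example.net", "time_first": 1609459200, "time_last": 1704067200, "count": 30}
"""

def registered_domain(name):
    # Naive heuristic: last two labels. Fine for .org/.edu/.com as used
    # here, wrong for ccSLDs such as .co.uk (use a public-suffix list there).
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def summarize_reverse_pdns(ndjson_text, ip, now_epoch, stale_days=365):
    """Group A records resolving to `ip` by registered domain.

    Records whose time_last is older than `stale_days` before `now_epoch`
    go into the 'historic' bucket: hosts that moved away or were forgotten.
    """
    cutoff = now_epoch - stale_days * 86400
    current = defaultdict(set)
    historic = defaultdict(set)
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only address records that actually point at the IP we asked about.
        if rec.get("rrtype") != "A" or rec.get("rdata") != ip:
            continue
        bucket = historic if rec["time_last"] < cutoff else current
        bucket[registered_domain(rec["rrname"])].add(rec["rrname"])
    return {
        "current": {d: sorted(h) for d, h in current.items()},
        "historic": {d: sorted(h) for d, h in historic.items()},
    }

if __name__ == "__main__":
    # 1717200000 is 2024-06-01T00:00:00Z, chosen so the 2024 records are current.
    print(json.dumps(summarize_reverse_pdns(SAMPLE_PDNS, "192.0.2.10", 1717200000), indent=2))
```

Feeding real PDNS output into the same function gives an inventory of every domain sharing the address, which is exactly the view a defender needs to find old marketing or demo sites still parked on shared infrastructure.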
MITRE Techniques
- [T1590] Gather Victim Network Information – Passive DNS data and reverse-IP lookups are used to map an IP to domains and hosted infrastructure. Quote: “Passive DNS is the thing that was supposed to collect this for us, and here begins the journey. These services track DNS requests over the internet and keep a database, so you can slice and dice that data – in this case, we want to do reverse-lookups by IP”
- [T1046] Network Service Scanning – Active port scanning and discovery using Nmap/Masscan to identify open ports and services. Quote: “nmap -p -Pn --open -sT --script ssl-cert -oA certs.out”
- [T1082] System Information Discovery – External service outputs (e.g., Shodan) revealing city, region, and ports, enriching target context. Quote: “This gets you a great list of DNS names, but also ports to assess.”
- [T1583] Acquire Infrastructure – Using PDNS/data sources like Circl.lu, DNSDumpster, and Umbrella to enumerate domains/hosts that may be in scope. Quote: “Cisco Umbrella is the same idea… they’ve got a very high fidelity data source they can use to populate their database.”
Indicators of Compromise
- [IP] 45.60.31.34 – Test IP used for demonstration, revealing multiple hostnames and domains via PDNS lookups.
- [ASN] AS19551 – Incapsula Inc (associated with the IP in examples).
- [Domains] isc.sans.edu, sans.org, imperva.com, cio.org, cyberaces.org, sans.edu, giac.net, giac.org, cybercenters.org, cyberfoundations.org, etc. – Domains observed in PDNS/umbrella outputs.
- [Hostnames] cio.org, cyberaces.org, sans.co, sans.org, giac.net, sans.edu, isc.sans.edu, cybercenters.org – Hostnames returned by PDNS/Umbrella data.
- [Ports] 25, 443, 80, among a longer list of others – Open ports reported in Shodan/Umbrella outputs.
- [URLs] https://api.hackertarget.com/reverseiplookup/?q=45.60.31.34, https://investigate.api.umbrella.com/whois/nameservers/ns27.worldnic.com?limit=600 -H 'Authorization: Bearer ' -H 'Content-Type: application/json', etc. – API endpoints shown for data gathering.
- [Certificate] commonName=imperva.com; SAN includes DNS:*.cyberaces.org, DNS:*.sans.edu, DNS:*.cyberfoundations.org, DNS:sans.org, DNS:isc.sans.edu – Certificate data referenced in the article.
Read more: https://isc.sans.edu/diary/28596