I wanted to know how can I get info on what sites are owned by a certain company. I need it for bug bounty programs.
For example, how can I find what sites are owned by PayPal, like what sites have PayPal in its web address etc...
I find BGP Toolkit from Hurricane Electric Internet Services quite useful for providing insight into any CIDR range, registrants, Who-Is info, IP and DNS info, IRR, assigned IPv4 and IPv6 CIDR ranges for individual ASNs, you name it. All data presented is also nicely linked to each other for our convenience.
For example, searching by term PayPal will result in this table:
AS17012 PayPal, Inc.
64.4.248.0/22 PayPal, Inc.
64.4.246.0/24 PayPal, Inc.
64.4.244.0/22 PayPal, Inc.
64.4.240.0/22 PayPal, Inc.
216.136.236.0/22 PayPal, Inc.
173.0.94.0/23 PayPal, Inc.
173.0.88.0/22 PayPal, Inc.
173.0.84.0/22 PayPal, Inc.
173.0.80.0/22 PayPal, Inc.
173.0.80.0/20 PayPal, Inc.
which gives you a single ASN and a few assigned CIDR ranges that are registered to PayPal, Inc. These items in the list link to their individual info pages. Following the AS17012, for example, displays all kinds of information pertaining to this ASN, among others the list of Prefixes (in our case IPv4 CIDR ranges).
What is HE?
HE is one of the largest Internet backbone providers and can thus collate loads of infrastructure related information like the ones mentioned. You can search their database by registrant names, CIDR ranges, ASNs, IP addresses, and so on, all through the same input box and it will display either a list of possible matches, ordered by relevance and network range, or display a single match's details when only one record is found. They also include a lot of various network related reports and statistics.
This is from their About page:
Hurricane Electric operates its own global IPv4 and IPv6 network and is considered the largest IPv6 backbone in the world as measured by number of networks connected... (and so on)
Also interesting (and relevant) to read is the page about their network. It gives a bit of insight into how they can collect all the data available through their search.
Of course, I'm not saying that HE is the only place to go. There are lots of other tools available, some paid and some more or less free to use and query. HE's one is however one I most frequently rely upon and I thought you might find it useful as well.
What do I use this information for:
I mostly use this information to compile blacklists and other network filters for my services. I find it especially useful to track down hosting companies and their CIDR ranges to include in content-theft, malware, spyware, and related policy blocks (in essence bad neighborhoods) when blocking by reverse DNS look-ups (and/or matching rDNS results with forward DNS look-up tables) wouldn't cut it.
Usage example:
To answer your example directly, collating information from HE gives us this list of A record domains operated by PayPal, Inc:
64.4.248.105 icppharm.com
173.0.84.191 paypal.fi, paypal.de, paypal.pt
173.0.88.180 paypal.mobi
173.0.89.113 www.paypal.de
173.0.89.161 www.paypal.com.pt
173.0.82.143 www.paypal-labs.com
173.0.82.144 www.paypallabs.com
173.0.82.145 www.thepaypalblog.com
173.0.82.156 paypal.me
173.0.82.157 paypal-portal.com
(limited to include only A records, otherwise the list would stretch several pages long. This page alone, from one of several CIDR records, lists hundreds of domains.)
All relevant DNS records for our example can be found on pages 64.4.248.0/22, 173.0.94.0/23, 173.0.88.0/22, 173.0.84.0/22, 173.0.80.0/22, and 173.0.80.0/22
Some pages duplicate information from others as they're providing information on a sub-range of a larger range (smaller mask), like for example an IP range 173.0.80.0/22 would already be included in a 173.0.80.0/20 IP range.
What sites have 'paypal' in its web address?
I'm going to make an attempt on answering this part of your question, however (as you probably can imagine) my answer can't be as straight-forward, because there isn't a single list of all registered domain names available to public, at least not that I'm aware of. Here's what I'd do:
The www.who.is website provides a domains index that is a bit difficult to navigate or search through. Where they collate all this information from is beyond my knowledge; I can only suspect they query individual registrars' databases on a regular basis.
Anyway, if you navigate their pages a bit you'll soon discover that the lists are organized in alphabetical order and then by page numbers (static URLs to individual pages). I guess you (or a CP savvy friend) could write a small utility crawler that would parse all this information into a single table and then do your search on it. Whether that's agreeable to the website operators and within their TOS isn't something I've researched. Honestly, probably not, and your crawler could be banned sooner than it would be able to crawl all relevant pages. You would still end up having a larger data set than any publicly available ones (that I know of), and one that can be easily searched through by a common expression.
If you did this, you would soon discover tens of thousands (educated guess) of registered domain names that include 'paypal' keyword in it. Most, I gather, are actually parked domains, expired domains, and the most awful of the bunch - phishing locations trying to lure unsuspecting Internet users to their addresses by mimicking official PayPal domain names. For example, take a look at this page and search for 'paypal' in it. 1883 matches in a single page, and only God knows how many pages are actually relevant to our search without resorting to crawling and collating data of each individual index page. They can't possibly be all registered by PayPal, Inc.!
I hope that at least partially answers also your 'other' question.
Cheers!
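The answer above points out that some listed prefixes are sub-ranges of others and that a 'paypal' keyword in a name does not show who operates it. The following is an added example, not part of the original answer: it collapses the prefixes quoted above and checks hostname/IP pairs against them. The last record and the function names are constructed for illustration.

```python
import ipaddress

# Prefixes listed for "PayPal, Inc." in the answer above.
PREFIXES = [
    "64.4.248.0/22", "64.4.246.0/24", "64.4.244.0/22", "64.4.240.0/22",
    "216.136.236.0/22", "173.0.94.0/23", "173.0.88.0/22", "173.0.84.0/22",
    "173.0.80.0/22", "173.0.80.0/20",
]

# (IP, hostname) pairs. The first four are from the answer's A-record list;
# the last one is constructed (RFC 5737 documentation address) to show a
# keyword match hosted outside the organisation's ranges.
RECORDS = [
    ("64.4.248.105", "icppharm.com"),
    ("173.0.88.180", "paypal.mobi"),
    ("173.0.82.156", "paypal.me"),
    ("173.0.89.113", "www.paypal.de"),
    ("203.0.113.7", "paypal-login.example"),
]

def collapse(prefixes):
    """Merge overlapping and adjacent prefixes into a minimal disjoint list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def covering_prefix(ip, nets):
    """Return the collapsed prefix containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)

def classify(records, prefixes, keyword):
    """Map hostname -> (covering prefix or None, keyword present in name)."""
    nets = collapse(prefixes)
    result = {}
    for ip, host in records:
        net = covering_prefix(ip, nets)
        result[host] = (str(net) if net else None, keyword in host.lower())
    return result

if __name__ == "__main__":
    print("collapsed:", ", ".join(str(n) for n in collapse(PREFIXES)))
    for host, (net, named) in classify(RECORDS, PREFIXES, "paypal").items():
        where = f"inside {net}" if net else "outside listed ranges"
        print(f"{host:24} {where:26} keyword={'yes' if named else 'no'}")
```

A name that matches the keyword but resolves outside the collapsed ranges needs separate ownership evidence before it goes into a scope list, and an in-range host without the keyword (icppharm.com here) is the kind of entry a keyword search alone would miss.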
I'm a big fan of Robtex. Share and enjoy.
Robtex is a service that does forward and backward DNS and IP searches. You can search on a domain name, for example, and it will give you information about: IP, IP Block, IP ownership, hosting servers, load balancing information, route mapping graphs, trace route latency information, AS numbers and macros, DNS whois, DNS ownership, DNS reverse ownership, etc. You can also get information about if and where the domains are published on blacklists, IP records analysis, and more.
What you are looking for is a reverse Whois service. But most "reverse whois" tools you'll find online will allow you to look up domains based on the administrator's email address, which may or may not be in the domain's whois record. Also, simply looking for the AS numbers will give limited results, as many companies don't have their own AS, and rely on their ISP/hosting provider.
The site NetworksDB (which I own and maintain) takes a different approach. Instead of looking at the whois databases for email addresses, it looks at the "netblocks", that is, the ranges of IP addresses owned by organisations. This approach allows you to lookup the company name instead of the email address.
Once you have the IP address ranges for a given company, you can use the tool to discover domain names hosted on their IP addresses. To take your example, PayPal, you can lookup their IP addresses here.
Then, if you use the "Domains in this network" link for each result, you'll eventually find all the domains hosted in their networks. For example, their first network contains around 150 domains at this time:
https://networksdb.io/domains-in-network/173.0.80.0/173.0.95.255
Just for fun, here is how to use the command line to extract links to each of the company's networks, then download the list of domains in each network:
$ curl -s https://networksdb.io/ip-addresses-of/paypal-inc | grep -oP '/domains-in-network/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | while read -r net; do curl -s "https://networksdb.io${net}" | sed -n 's/.*href="http:\/\/\([^"]*\).*/\1/p'; done
[snip]
paypalbenefits.com
paypalgivingfund.org
paypalobjects.com
paypal-australia.com.au
paypal-business.co.uk
paypal-business.com.au
paypal-businesscenter.com
paypal-communications.com
paypal-deutschland.de
paypal-donations.co.uk
paypal-donations.com
paypal-globalshops.com
paypal-information.com
paypal-knowledge-test.com
paypal-knowledge.com
paypal-latam.com
paypal-marketing.ca
paypal-marketing.co.uk
paypal-marketing.pl
paypal-media.com
paypal-mena.com
paypal-norge.no
[snip]