So you were told that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
org and ssl filters to search for other assets (the ssl trick can be done recursively).
Ok, at this point you should know all the companies inside the scope. Let's figure out how to find their assets.
We know all the companies inside the scope and their assets; it's time to find the domains inside the scope.
org:"Tesla, Inc."
Check the found hosts for new unexpected domains in the TLS certificate.
ssl:"Tesla Motors"
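The recursive org/ssl pivot described above, as an added example that is not part of the original page: it runs offline over constructed host records, the way you would over an export of your own in-scope scan or certificate inventory. The record fields (`org`, `cert_org`, `sans`) and the helpers `base_domain` and `expand_scope` are hypothetical names chosen for this sketch.

```python
# Constructed sample records (documentation IP ranges and example domains only).
# "org" is the netblock owner, "cert_org" the organisation in the TLS certificate
# subject, "sans" the certificate's subject alternative names.
HOSTS = [
    {"ip": "192.0.2.10", "org": "Example Corp", "cert_org": "Example Corp",
     "sans": ["www.example.com", "api.example.com"]},
    {"ip": "192.0.2.11", "org": "Example Corp", "cert_org": "Example Motors",
     "sans": ["shop.example.net"]},
    {"ip": "198.51.100.5", "org": "Some Hosting", "cert_org": "Example Motors",
     "sans": ["legacy.example.org", "*.example.net"]},
    {"ip": "203.0.113.9", "org": "Some Hosting", "cert_org": "Example Labs",
     "sans": ["dev.example.org"]},
    {"ip": "203.0.113.77", "org": "Some Hosting", "cert_org": "Unrelated Ltd",
     "sans": ["unrelated.test"]},
]

def base_domain(name):
    # Simplification: keep the last two labels. A real inventory needs the
    # Public Suffix List to handle suffixes such as co.uk.
    return ".".join(name.lower().removeprefix("*.").split(".")[-2:])

def expand_scope(seed_orgs, hosts):
    """Repeat the org -> certificate -> new name pivot until nothing new appears."""
    orgs, domains, matched = set(seed_orgs), set(), set()
    changed = True
    while changed:
        changed = False
        for h in hosts:
            if h["ip"] in matched:
                continue
            host_domains = {base_domain(s) for s in h["sans"]}
            if h["org"] in orgs or h["cert_org"] in orgs or host_domains & domains:
                matched.add(h["ip"])
                # Pivot on the certificate organisation only. The netblock owner
                # may be a hosting provider shared with unrelated tenants.
                orgs.add(h["cert_org"])
                domains |= host_domains
                changed = True
    return orgs, domains, matched

if __name__ == "__main__":
    orgs, domains, ips = expand_scope({"Example Corp"}, HOSTS)
    print(sorted(orgs), sorted(domains), sorted(ips), sep="\n")
```

Everything this returns is a candidate: shared or CDN-issued certificates can list domains owned by someone else, so confirm ownership before treating a new name as in scope.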
We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
Congratulations! At this point you have already performed all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (we will see more tricks later). Did you know that the BB experts recommend spending only 10-15 minutes in this phase? But don't worry, once you have practice you will do this even faster than that.
Congratulations! The testing has finished! I hope you have found some vulnerabilities.