So you were told that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
ssl filters to search for other assets (the ssl trick can be done recursively).
Ok, at this point you should know all the companies inside the scope. Let's figure out how to find their assets.
We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
shodan search http.html:"Copyright string"
org:"Tesla, Inc."
Check the found hosts for new unexpected domains in the TLS certificate.
We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
massdns, written in Go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support.
We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
"crypto", "wallet", "dao", "<domain_name>", <"subdomain_names">.
Congratulations! At this point you have already performed all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (we will see more tricks later).