So you were told that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
ssl filters to search for other assets (the ssl trick can be done recursively).
Ok, at this point you should know all the companies inside the scope. Let's figure out how to find their assets.
We know all the companies inside the scope and their assets; it's time to find the domains inside the scope.
org:"Tesla, Inc."
Check the found hosts for new unexpected domains in the TLS certificate.
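One way to run the certificate check above on names already collected from the found hosts, as an added example that is not from the original page: it reduces each subject/SAN DNS name to a registrable domain and reports the ones missing from the known-domain inventory. The function names, the sample hosts and names, and the short multi-label suffix set are assumptions made for this example.

```python
# Added example: sample data below is constructed, not real scan output.

# Simplification: a tiny built-in set of multi-label public suffixes.
# A real inventory tool should use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(name):
    """Reduce a certificate DNS name to its registrable domain."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # wildcard SAN entry
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        return None                    # bare hostnames are not useful here
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < keep:
        return None                    # the name is itself a public suffix
    return ".".join(labels[-keep:])


def unexpected_domains(cert_names_by_host, known_domains):
    """Map each registrable domain not yet in the inventory to the hosts
    whose certificates mention it."""
    known = {d.lower() for d in known_domains}
    found = {}
    for host, names in cert_names_by_host.items():
        for name in names:
            domain = registrable_domain(name)
            if domain and domain not in known:
                found.setdefault(domain, set()).add(host)
    return {d: sorted(h) for d, h in sorted(found.items())}


# Constructed sample: subject/SAN DNS names already pulled from each host's certificate.
SAMPLE_CERT_NAMES = {
    "192.0.2.10": ["www.example.com", "*.example.com"],
    "192.0.2.11": ["shop.example.co.uk", "example.com"],
    "192.0.2.12": ["*.cdn.example.net", "LOGIN.Example.NET."],
    "192.0.2.13": ["localhost", "portal.example.org"],
}
KNOWN_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for domain, hosts in unexpected_domains(SAMPLE_CERT_NAMES, KNOWN_DOMAINS).items():
        print(f"{domain}: seen on {', '.join(hosts)}")
```

Each domain reported this way still has to be confirmed as belonging to an in-scope company before it is added to the inventory, since shared certificates can list names owned by third parties.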
We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
Congratulations! At this point you have already performed all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (we will see more tricks later). Do you know that the BB experts recommend spending only 10-15 mins in this phase? But don't worry, once you have practice you will do this even faster than that.
Congratulations! The testing has finished! I hope you have found some vulnerabilities.