enumerate

Enumerate

A tool for inspecting subdomains for IP ownership information

enumerate an OSINT tool which takes a list of domains (like that produced by sublist3r) and producing an sqlite3 database mapping the domains to the first found host IP for that domain and the announced route that the IP belongs to along with ASN and the ASN name.

This is helpful for determining what network services and hosting providers a given organization is using.

Installation

go install -v github.com/oholiab/enumerate

Non-golang dependencies

You will need the whois binary installed and in your $PATH and sqlite3.

Usage

With $GOBIN in your $PATH:

$ enumerate -h
Usage of enumerate:
  -db string
        path to output database (default "./enumerate.db")
  -list string
        path to domain list (default "./enumerate.txt")
$ enumerate -list somelist.txt -db domains.db

Then you can query your database using sqlite3 to do further investigatory work, for example:

select name, owner, asn from records 
  inner join routes on records.route_id = routes.id 
  where owner != "Amazon";

Will show you all of the domains and which AS name and number they belong to, excluding all IPs owned by Amazon.

Limitations

This is a pretty dumb tool which will always take the first of multiple records for any given lookup - so for instance if whois returns multiple route advertisements, you'll only ever get one.

Additionally, some IP addresses won't resolve using the RADB whois lookup that enumerate uses - domains which resolve to an IP correctly but fail to return whois data will be listed as failed at the end.

Largely though, the point of the tool is enumeration of the ASs for a given domain, so this isn't too much of a problem - treat it as a jumping off point for further investigation.

Hacking

I've vendored dependencies using dep. With it installed:

git clone https://github.com/oholiab/enumerate
cd enumerate
make deps