How to Find Associated Domains and IP Neighbors with the SecurityTrails API™


It has long been argued that a carefully planned initial OSINT strategy favors the outcome of the rest of the engagement.

These early considerations apply to both small and large-scale projects, where experience from real-world applications shows that penetration tests and similar practices benefit greatly from a coherent asset discovery phase. Decentralization and scaling are also making their way into mainstream implementations, with tools such as Axiom highlighting some of the best use cases. This is the epitome of a “hunting playground” for hackers and the like, who are constantly striving to gather as much information about their objective as possible.

In this blog post, we will learn how to find domain-specific information, in the form of associated domains and IP neighbors, using the SecurityTrails API™ as we expand our collective knowledge of the tool and its many capabilities. What’s most characteristic of this approach is that, with a handful of calls, we’ll have the ability to collect pertinent data that is both easily consumable and exceedingly accurate.

Let’s take a look.

What are associated domains and why are they important?

Finding the associated domains linked to a specific target is central to the idea of extending the attack surface. Its importance cannot be overstated, given that associated domains can expose a significant segment of ancillary infrastructure and actionable data. Bug bounty hunters’ romance with tacit associated domain listing and enumeration is further testimony to the zeitgeist, reinforcing (tongue in cheek) the overarching principle that you can’t attack what you can’t see.

As explained in “Host Discovery Tips for Bug Bounty Hunters,” mapping an organization’s network layout entails a conscientious effort to traverse every nook and cranny and define as many endpoints as possible, without having to resort to historical data that may otherwise prove outdated. This also applies to techniques such as horizontal and vertical domain correlation, where the intent is to search for any available subdomains and sibling domains corresponding to the apex domain.

That said, when it comes to associated domains, not every enumeration tool out there is as comprehensive, recursively speaking, as the SecurityTrails API™. Add to this the capability to integrate with popular SDKs and wrappers, such as those for Node.js or Python, or with third-party platforms like Haktrails or Splunk, and suddenly you have a very capable tool at your disposal.

Importance of IP neighbors during the reconnaissance phase

A similar narrative within the domain of asset enumeration techniques can be found in discovering neighboring IPs. In practice, this means finding IPs within the same range or subnet as your target, in order to aggregate useful data such as competitors’ websites or even spamming artifacts. As with associated domains, a quick review of the existing red team and bug bounty hunting literature indicates that perusing these so-called IP breadcrumbs can be beneficial to the point of identifying additional targets of opportunity and similar interests.

In the recent past, SecurityTrails has showcased tools such as IP Explorer in an effort to aggregate intelligence on the hosts surrounding a given address space. This kind of situational awareness exploits companies’ compounded inability to keep an accurate representation of their live environment, which leaves them with an unknown collection of unpatched devices and security vulnerabilities outside the purview of traditional controls.

Discovering associated domains and IP neighbors with the SecurityTrails API™

Returning associated domains using the API is as simple as making a curl call as follows:

curl --request GET \
  --url https://api.securitytrails.com/v1/domain/<domain_name>/associated \
  --header 'APIKEY: <your_api_key_here>'

Let’s make this request using twitch.tv as our target domain, using Postman, and watch the results:

twitch.tv request

By default, results are limited to 2,000 for the free plan and to 10,000 for all paid subscriptions. In the browser, a typical set of associated domains looks like the following (note that the JSON output is broken into groups for readability):

associated-domains

Following our previous discussion, finding neighboring IPs targets a specific need for detecting sites and other endpoints that may be of interest within a given scope.

Essentially, this feature lets you explore nearby IP addresses by dividing the range into 16 groups: a /28, for instance, is divided into sixteen /32 blocks, and a /24 into sixteen /28 blocks.

Accomplishing this is as easy as making another curl call as follows:

curl --request GET \
  --url https://api.securitytrails.com/v1/ips/nearby/8.8.8.8 \
  --header 'APIKEY: <your_api_key_here>'

This time, we are looking for the neighboring IPs of 8.8.8.8, perhaps Google’s best-known public DNS server. A sample of the output in Postman looks as follows:

{
  "endpoint": "/v1/ips/nearby/8.8.8.8",
  "blocks": [
    {
      "sites": 7,
      "ports": [],
      "ip": "8.8.8.0/32",
      "hostnames": [
        "h3.dimapro.cz",
        "test.gloriamscleaning.com",
        "test.og-it.com",
        "test.salbolanosdesign.com",
        "test.wisdomtrees.com"
      ],
      "active_egress": false
    },
    {
      "sites": 22,
      "ports": [],
      "ip": "8.8.8.1/32",
      "hostnames": [
        "check.test.airdns.org",
        "engelmeier.info",
        "expired86.namebrightdns.com",
        "facebook.freetcp.com",
        "kathrynmcevoy.com"
      ],
      "active_egress": false
    },
    {
      "sites": 19,
      "ports": [],
      "ip": "8.8.8.10/32",
      "hostnames": [
        "device2316454-4c98d1df-local.wd2go.com",
        "mail.moocouc.net",
        "test.blumvoxstudios.com",
        "test.buitink-technology.com",
        "test.farolfilmes.com.br"
      ],
      "active_egress": false
    },
    ...
    ...
    ...
    {
      "sites": 89,
      "ports": [],
      "ip": "8.8.8.9/32",
      "hostnames": [
        "4x114.com",
        "bd3432186c0d9e44.cdn.jiashule.com",
        "betterobots.com",
        "envydaisy.com",
        "ibookingvip.com"
      ],
      "active_egress": false
    }
  ]
}

In the browser, the resultant view is very similar:

Browse resultant view
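The two calls above, put together as an added Python example (not SecurityTrails’ own code or SDK): it builds the same GET requests with the APIKEY header, reads the key from a SECURITYTRAILS_API_KEY environment variable (an assumption; the post names no variable), reproduces the 16-way split of the nearby-IPs endpoint with the standard ipaddress module, and flattens a response in the JSON shape shown above into rows sorted by site count so that the busiest neighbors surface first. The paging in iter_associated assumes a page query parameter and a meta.max_page field in the associated-domains response, which this post does not show; verify both against the current API reference before relying on them. The sample response is constructed from the blocks shown above plus one empty block, not a live reply.

```python
"""Added example for this post (not SecurityTrails' own code or SDK)."""
import ipaddress
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.securitytrails.com/v1"


def build_request(path, api_key):
    """Same request as the curl calls in the post: GET plus an APIKEY header."""
    return urllib.request.Request(
        API_BASE + path, headers={"APIKEY": api_key, "Accept": "application/json"}
    )


def fetch_json(path, params=None, api_key=None):
    """Perform one API call. The key is read from SECURITYTRAILS_API_KEY (assumed
    variable name) so it never lands in a script or in shell history."""
    key = api_key or os.environ["SECURITYTRAILS_API_KEY"]
    query = ("?" + urllib.parse.urlencode(params)) if params else ""
    with urllib.request.urlopen(build_request(path + query, key), timeout=30) as resp:
        return json.load(resp)


def iter_associated(domain, fetch=fetch_json):
    """Yield associated-domain records page by page.
    ASSUMPTION: the endpoint accepts ?page=N and answers with 'records' plus
    'meta': {'max_page': N}; the plan limit the post mentions (2,000 free,
    10,000 paid) caps how many records you can reach this way."""
    page = 1
    while True:
        data = fetch(f"/domain/{domain}/associated", {"page": page})
        yield from data.get("records", [])
        if page >= data.get("meta", {}).get("max_page", 1):
            return
        page += 1


def split_into_16_blocks(cidr):
    """The split the post describes: a /24 becomes sixteen /28s, a /28 sixteen /32s."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen + 4 > net.max_prefixlen:
        raise ValueError(f"{net} is too small to divide into 16 blocks")
    return [str(sub) for sub in net.subnets(prefixlen_diff=4)]


def summarize_nearby(response):
    """Turn the 'blocks' array of /v1/ips/nearby into rows sorted by site count,
    dropping blocks that host nothing so the interesting neighbors come first."""
    rows = [
        {"ip": b["ip"], "sites": b["sites"], "hostnames": list(b.get("hostnames", []))}
        for b in response.get("blocks", [])
        if b.get("sites", 0) > 0
    ]
    return sorted(rows, key=lambda r: r["sites"], reverse=True)


# Constructed sample in the shape the post shows for 8.8.8.8 (three of its
# blocks with abridged hostnames, plus an empty block); not a live API reply.
SAMPLE_NEARBY = {
    "endpoint": "/v1/ips/nearby/8.8.8.8",
    "blocks": [
        {"sites": 7, "ports": [], "ip": "8.8.8.0/32",
         "hostnames": ["h3.dimapro.cz", "test.og-it.com"], "active_egress": False},
        {"sites": 0, "ports": [], "ip": "8.8.8.2/32",
         "hostnames": [], "active_egress": False},
        {"sites": 22, "ports": [], "ip": "8.8.8.1/32",
         "hostnames": ["engelmeier.info", "kathrynmcevoy.com"], "active_egress": False},
        {"sites": 89, "ports": [], "ip": "8.8.8.9/32",
         "hostnames": ["4x114.com", "betterobots.com"], "active_egress": False},
    ],
}


if __name__ == "__main__":
    print(split_into_16_blocks("8.8.8.0/24"))
    for row in summarize_nearby(SAMPLE_NEARBY):
        print(row["ip"], row["sites"], ", ".join(row["hostnames"]))
    if "SECURITYTRAILS_API_KEY" in os.environ:  # live calls only when a key is set
        print(summarize_nearby(fetch_json("/ips/nearby/8.8.8.8"))[:3])
        print(sum(1 for _ in iter_associated("twitch.tv")), "associated records")
```

Without the environment variable set, the script only exercises the offline parts (the subnet split and the sample response), which is also how the paging logic can be tested with a stand-in fetch function before any real calls are made.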

Closing thoughts

The onus on cybersecurity researchers is not only to automate the initial discovery phases, but to do so coherently and in line with any pre-established engagement agreements. Mergers, acquisitions, new partnerships: these are all reliable indicators that a company’s digital footprint is bound to expand and contract, bringing along a barrage of cybersecurity implications ranging from changes in DNS records to new tools and countermeasures; the challenges are substantial and ever-increasing.

Whether you’re a beginning bug bounty hunter learning the ropes, or a seasoned red teamer looking for ways to streamline operations, SecurityTrails invites you throughout this Bug Bounty Hunting Month to extend your asset discovery initiatives beyond the techniques you may already be familiar with, by incorporating our API into your processes.

Take this opportunity and sign up for the Bug Bounty Hunting Toolkit now. We guarantee you won’t be disappointed.
