How to find wildcard bug bounty assets owned by a company.


Tom

In this article I will explain how to hunt down domains that a company owns but that are registered under a different name.

It sounds confusing, so take an example. I will use the NFL VDP program on Bugcrowd, whose scope says:

Any host verified to be owned by NFL Enterprises LLC

Obviously you will have domains like *.nfl.com, but what about hosts owned by NFL Enterprises that sit under a different domain name? That is what I will be teaching you in this article.

Start with the official NFL website (nfl.com) and look for any links or references to other sites. Many organizations list their related properties in the footer or within a section dedicated to their media properties.

WHOIS lookup services can help identify the owner of a domain. You can use a WHOIS lookup tool to check the registration details of domains and see if they are owned by the NFL. Some popular WHOIS lookup tools include:

Whois.net, ICANN WHOIS, DomainTools

It is an obvious point, but subdomains are almost always the best way to find vulnerable web apps. You can check out my recon script on GitHub: https://github.com/tom-who/BPP-tools/

You can install the tools it depends on with go install ‘link’, substituting each tool's link.

A reverse IP lookup can help you find other domains hosted on the same server as nfl.com. This may give clues to other websites owned by the NFL. Some tools for reverse IP lookup include:

YouGetSignal, ViewDNS.info

Often, companies announce new website launches or acquisitions in press releases or news articles. Search for news related to the NFL and its digital properties. Use search engines and news websites to find such information.

Companies often disclose their web properties in their annual reports, SEC filings, or other corporate documents. You can review these documents on the NFL’s official site or financial sites like:

SEC.gov, Yahoo Finance

There are specialized online tools and databases that provide information on company ownership and related web properties. Some of these include:

BuiltWith, SpyOnWeb

Social media platforms like LinkedIn, Twitter, and Facebook can provide information about the NFL’s digital assets. Companies often list their websites in their social media profiles.

After these steps you can find a lot of companies owned by the NFL, for example. This is already good enough, but you can take it a step further.

I have found a couple of online resources where you can find related companies with just one API request:

*Disclaimer: I'm not sure if this is 100% accurate, so take it with a grain of salt if you're going to report bugs on these domains*

https://api.bgpview.io/search?query_term=company

Here is a one-liner you can save if you like, to collect the business names and ASNs (the jq filter prints each ASN alongside its registered description):

curl -s "https://api.bgpview.io/search?query_term=company" | jq -r '.data.asns[] | "\(.asn)\t\(.description)"'

For example, let's look at the reply from https://api.bgpview.io/search?query_term=netflix

{
  "status": "ok",
  "status_message": "Query was successful",
  "data": {
    "asns": [
      {
        "asn": 40027,
        "name": "NETFLIX-ASN",
        "description": "Netflix Streaming Services Inc.",
        "country_code": "US",
        "email_contacts": [
          "cdnetops@netflix.com"
        ],
        "abuse_contacts": [
          "cdnetops@netflix.com"
        ],
        "rir_name": "ARIN"
      }
    ],
    "ipv4_prefixes": [
      {
        "prefix": "149.112.86.0/23",
        "ip": "149.112.86.0",
        "cidr": 23,
        "name": "NET-FLIX-23",
        "country_code": "US",
        "description": "Community IX Holdings, Inc.",
        "email_contacts": [
          "rwoolley@communityix.org",
          "dtemkin@fl-ix.net",
          "repstein@hostleasing.net"
        ],
        "abuse_contacts": [
          "dtemkin@fl-ix.net",
          "repstein@hostleasing.net"
        ],
        "rir_name": "ARIN",
        "parent_prefix": "149.112.86.0/23",
        "parent_ip": "149.112.86.0",
        "parent_cidr": 23
      },
      {
        "prefix": "178.135.7.0/24",
        "ip": "178.135.7.0",
        "cidr": 24,
        "name": "NETFLIXJD1",
        "country_code": "LB",
        "description": "NETFLIXJD1",
        "email_contacts": [
          "chebaro@ogero.gov.lb"
        ],
        "abuse_contacts": [
          "chebaro@ogero.gov.lb"
        ],
        "rir_name": "RIPE",
        "parent_prefix": "178.135.0.0/16",
        "parent_ip": "178.135.0.0",
        "parent_cidr": 16
      }
and so on.......

The reply also gives you ASNs (Autonomous System Numbers), which carry network information: an ASN identifies a group of one or more IP prefixes run by one or more network operators that maintain a single, clearly defined routing policy. Note that not every prefix in the reply is the company's: the search matches on record names, so a prefix like NET-FLIX-23 above is registered to a different organisation and its contacts are not at the company's domain.

We can feed the ASN belonging to Netflix from the previous query into amass to discover the netblocks and root domains associated with it:

amass intel -asn 40027
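To make the disclaimer above concrete, here is an added example (my own code, not the article's or bgpview's) that triages a search reply before anything is handed to amass or reported. It uses a constructed copy of the Netflix reply shown above (same ASN, prefixes and contacts; unused fields dropped) and tags every ASN and prefix with an ownership confidence: "high" when the registered description names the company and a contact address is at one of the company's own domains, "medium" when only the description names it, and "low" when nothing but the search term matched the record name. The fetch_search helper, the confidence tiers and the org_domains parameter are my assumptions, not part of the API.

```python
import ipaddress
import json
import re
import urllib.request
from urllib.parse import quote

BGPVIEW_SEARCH = "https://api.bgpview.io/search?query_term={term}"

# Constructed sample, modelled on the Netflix reply shown in the article
# (same ASN, prefixes and contacts; fields the triage does not use are omitted).
SAMPLE_RESPONSE = {
    "status": "ok",
    "data": {
        "asns": [
            {"asn": 40027, "name": "NETFLIX-ASN",
             "description": "Netflix Streaming Services Inc.",
             "country_code": "US", "email_contacts": ["cdnetops@netflix.com"]},
        ],
        "ipv4_prefixes": [
            {"prefix": "149.112.86.0/23", "name": "NET-FLIX-23",
             "description": "Community IX Holdings, Inc.", "country_code": "US",
             "email_contacts": ["rwoolley@communityix.org", "dtemkin@fl-ix.net"]},
            {"prefix": "178.135.7.0/24", "name": "NETFLIXJD1",
             "description": "NETFLIXJD1", "country_code": "LB",
             "email_contacts": ["chebaro@ogero.gov.lb"]},
        ],
        "ipv6_prefixes": [],
    },
}


def fetch_search(term, timeout=10):
    """Live query of the bgpview search endpoint from the article (needs network)."""
    url = BGPVIEW_SEARCH.format(term=quote(term))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _contact_domains(record):
    """Lower-cased domain part of every contact address on a record."""
    emails = record.get("email_contacts", []) + record.get("abuse_contacts", [])
    return {e.rsplit("@", 1)[-1].lower() for e in emails if "@" in e}


def _confidence(record, org_rx, org_domains):
    """high: description names the org AND a contact is at an org domain;
    medium: description names the org but contacts are elsewhere;
    low: only the search term matched the record name (e.g. 'NET-FLIX-23')."""
    desc_hit = bool(org_rx.search(record.get("description", "")))
    contact_hit = bool(_contact_domains(record) & org_domains)
    if desc_hit and contact_hit:
        return "high"
    if desc_hit:
        return "medium"
    return "low"


def score_records(response, org_pattern, org_domains):
    """Tag every ASN and prefix in a search reply with an ownership confidence."""
    org_rx = re.compile(org_pattern, re.IGNORECASE)
    org_domains = {d.lower() for d in org_domains}
    data = response["data"]
    out = []
    for a in data.get("asns", []):
        out.append({"kind": "asn", "id": a["asn"],
                    "description": a.get("description", ""),
                    "country": a.get("country_code", ""),
                    "confidence": _confidence(a, org_rx, org_domains)})
    for p in data.get("ipv4_prefixes", []) + data.get("ipv6_prefixes", []):
        net = ipaddress.ip_network(p["prefix"], strict=False)
        out.append({"kind": "prefix", "id": p["prefix"], "hosts": net.num_addresses,
                    "description": p.get("description", ""),
                    "country": p.get("country_code", ""),
                    "confidence": _confidence(p, org_rx, org_domains)})
    return out


def amass_commands(scored, min_confidence="high"):
    """amass intel invocations (as in the article) for ASNs at or above the cut-off."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return [f"amass intel -asn {r['id']}" for r in scored
            if r["kind"] == "asn" and rank[r["confidence"]] >= rank[min_confidence]]


if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_search("netflix") to run this against the live API.
    scored = score_records(SAMPLE_RESPONSE, r"netflix", {"netflix.com"})
    for r in scored:
        print(f"{r['confidence']:<6} {r['kind']:<6} {r['id']!s:<20} {r['description']}")
    print("\n".join(amass_commands(scored)))
```

On the sample, AS40027 scores "high", the /24 in Lebanon scores only "medium" (its description says NETFLIXJD1 but the contact is at ogero.gov.lb), and the Community IX /23 scores "low" and should not be touched without separate proof of ownership. Anything below "high" is a candidate for the WHOIS and corporate-filing checks earlier in the article, not for testing.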

And with that you should know a lot more about recon.

I hope this helps you on your recon journey,

Happy Hacking!
