Pentest Methodology & Recon · beginner · ~11 min
Use DNS, WHOIS, and Certificate Transparency to map a target's footprint passively.
WHOIS reveals ownership and name servers. DNS records (A/MX/NS/TXT/CNAME) map services. Certificate Transparency logs and DNS brute force reveal subdomains — where most attack surface hides.
Subdomain and DNS enumeration uncover the real attack surface (staging, admin, VPN endpoints) that the main site never links to. CT logs make much of this passive and free — high value before any active probing.
WHOIS: ownership, name servers, dates.
Record sweep: A/AAAA, MX, NS, TXT, CNAME via dig/host.
Certificate Transparency: public cert logs expose hostnames/SANs (passive).
DNS brute force: wordlist queries (active).
Scope: found ≠ authorized.
DNS and registration data are the richest passive-recon sources — they map an organisation's footprint without touching its servers.
Registration records for a domain or IP block: registrant org, name servers, creation/expiry dates, sometimes contacts. Tells you who owns what and points at related assets.
Enumerate A/AAAA (hosts), MX (mail), NS (name servers), TXT (SPF, verifications, tech hints), CNAME (aliases). Tools: dig, nslookup, host.
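The record sweep above is usually done by hand with dig, one query per type; sorting the answers into something you can reason about is the tedious part. The script below is an added example (not part of the lesson): it parses a captured `dig +noall +answer` section into records by type, pulls the `include:` domains out of an SPF TXT record, and collects the hostnames that MX, NS and CNAME records point at, which is where "related assets" come from. The dig output embedded in it is constructed sample data for the reserved name example.invalid; nothing is queried over the network.

```python
"""Sort a captured `dig +noall +answer` section into records by type and pull out
the hostnames and SPF includes it references (added example, constructed sample data)."""
import re
from collections import defaultdict

# CONSTRUCTED sample: what `dig +noall +answer <name> <type>` prints, one line per record,
# in the default format "<name> <ttl> <class> <type> <rdata>".
SAMPLE_DIG_ANSWER = """\
example.invalid.        3600    IN      A       198.51.100.10
example.invalid.        3600    IN      AAAA    2001:db8::10
example.invalid.        3600    IN      MX      10 mail.example.invalid.
example.invalid.        3600    IN      NS      ns1.example.invalid.
example.invalid.        300     IN      TXT     "v=spf1 include:_spf.mailvendor.invalid ip4:198.51.100.0/24 -all"
example.invalid.        300     IN      TXT     "google-site-verification=constructed-token"
www.example.invalid.    3600    IN      CNAME   example.invalid.
"""

# name, ttl, class IN, type, rdata (rdata may contain spaces, e.g. MX priority or TXT strings)
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig_answer(text):
    """Return {rtype: [rdata, ...]}; dig comment lines (';') and blank lines are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = DIG_LINE.match(line)
        if not match:
            continue  # not an answer line (e.g. a stray status line)
        _name, _ttl, rtype, rdata = match.groups()
        records[rtype].append(rdata.strip())
    return dict(records)


def spf_includes(txt_records):
    """Extract include: domains from an SPF TXT record; each names a third-party mail sender."""
    found = []
    for rdata in txt_records:
        value = rdata.strip('"')
        if not value.startswith("v=spf1"):
            continue  # other TXT records (site verifications etc.) are not SPF
        for token in value.split():
            if token.startswith("include:"):
                found.append(token[len("include:"):])
    return found


def referenced_hosts(records):
    """Hostnames that MX, NS and CNAME records point at: the organisation's related assets."""
    hosts = set()
    for rdata in records.get("MX", []):
        _priority, host = rdata.split(None, 1)  # MX rdata is "<priority> <host>"
        hosts.add(host.rstrip("."))
    for rtype in ("NS", "CNAME"):
        for rdata in records.get(rtype, []):
            hosts.add(rdata.rstrip("."))
    return hosts


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG_ANSWER)
    for rtype, values in sorted(recs.items()):
        print(f"{rtype:6} {values}")
    print("SPF includes:", spf_includes(recs.get("TXT", [])))
    print("Referenced hosts:", sorted(referenced_hosts(recs)))
```

To use it on a real target you are authorized to test, capture the answer sections (`dig +noall +answer example.com A`, then MX, NS, TXT, CNAME, and so on) into a file and pass its contents to `parse_dig_answer`. The SPF includes and the referenced hosts are the leads worth carrying into the subdomain and ownership steps that follow.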
Most attack surface hides in subdomains (dev., vpn., admin., staging.). Find them via Certificate Transparency logs, which expose hostnames and SANs passively, and via DNS brute force of wordlist names, which is active and touches the target's name servers.
Discovering a subdomain doesn't put it in scope. Map everything, but only test what your authorization covers.
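The two steps above (harvest subdomains from Certificate Transparency, then test only what is authorized) fit together in a few lines of tooling. The script below is an added example, not the lesson's code: it normalizes the names in CT log hits into a deduplicated host list (lower-casing, dropping trailing dots, and reducing wildcard entries like `*.example.invalid` to their zone) and then splits that list against an engagement scope. The JSON is constructed sample data in the shape crt.sh returns (one object per certificate, `name_value` holding newline-separated names); nothing is fetched, and the scope list is an assumed example.

```python
"""Dedupe Certificate Transparency hits into a host list and partition it by authorization
(added example; constructed sample data, assumed scope)."""
import json

# CONSTRUCTED sample in the shape of crt.sh JSON output: `name_value` lists every name
# on the certificate, newline-separated; mixed case and wildcards appear in real logs too.
CT_JSON = json.dumps([
    {"common_name": "www.example.invalid",
     "name_value": "www.example.invalid\nexample.invalid"},
    {"common_name": "*.example.invalid",
     "name_value": "*.example.invalid\nexample.invalid"},
    {"common_name": "vpn.example.invalid",
     "name_value": "vpn.example.invalid"},
    {"common_name": "staging.corp-example.invalid",
     "name_value": "staging.corp-example.invalid\nADMIN.Corp-Example.invalid."},
    {"common_name": "notexample.invalid",
     "name_value": "notexample.invalid"},
])

# Assumed engagement scope: the apex zones the authorization letter actually names.
SCOPE = ["example.invalid"]


def hosts_from_ct(ct_json):
    """Return a sorted, deduplicated list of hostnames found in CT entries."""
    hosts = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # A wildcard cert names a zone, not a host; keep the zone as a lead
                # for the (active) brute-force step rather than as a host to probe.
                name = name[2:]
            hosts.add(name)
    return sorted(hosts)


def in_scope(host, scope):
    """True if host equals a scope entry or is a subdomain of one.

    The leading dot in the suffix test matters: a plain endswith("example.invalid")
    would wrongly pull notexample.invalid into scope.
    """
    for zone in scope:
        zone = zone.lower().rstrip(".")
        if host == zone or host.endswith("." + zone):
            return True
    return False


def partition_by_scope(hosts, scope):
    """Split hosts into (authorized, not_authorized); only the first list may be tested."""
    inside = [h for h in hosts if in_scope(h, scope)]
    outside = [h for h in hosts if not in_scope(h, scope)]
    return inside, outside


if __name__ == "__main__":
    found = hosts_from_ct(CT_JSON)
    inside, outside = partition_by_scope(found, SCOPE)
    print("Discovered:", found)
    print("In scope:  ", inside)
    print("Out of scope (map only, do not test):", outside)
```

The out-of-scope list is still worth keeping in the report's asset map; it shows the client what else shares their certificates or naming, but it stays off the testing plan until the authorization is extended to cover it.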
WHOIS and DNS records reveal ownership and services; Certificate Transparency and DNS brute force surface the hidden subdomains where most attack surface lives. Map widely, but test only what's in scope.