A tool for inspecting subdomains for IP ownership information
enumerate an OSINT tool which takes a list of domains (like that produced by sublist3r) and producing an sqlite3 database mapping the domains to the first found host IP for that domain and the announced route that the IP belongs to along with ASN and the ASN name.
This is helpful for determining what network services and hosting providers a given organization is using.
go install -v github.com/oholiab/enumerate
You will need the whois binary installed and in your $PATH and sqlite3.
With $GOBIN in your $PATH:
$ enumerate -h
Usage of enumerate:
-db string
path to output database (default "./enumerate.db")
-list string
path to domain list (default "./enumerate.txt")
$ enumerate -list somelist.txt -db domains.db
Then you can query your database using sqlite3 to do further investigatory work, for example:
select name, owner, asn from records
inner join routes on records.route_id = routes.id
where owner != "Amazon";
Will show you all of the domains and which AS name and number they belong to, excluding all IPs owned by Amazon.
This is a pretty dumb tool which will always take the first of multiple records
for any given lookup - so for instance if whois returns multiple route
advertisements, you'll only ever get one.
Additionally, some IP addresses won't resolve using the RADB whois lookup that enumerate uses - domains which resolve to an IP correctly but fail to return whois data will be listed as failed at the end.
Largely though, the point of the tool is enumeration of the ASs for a given domain, so this isn't too much of a problem - treat it as a jumping off point for further investigation.
I've vendored dependencies using dep. With it installed:
git clone https://github.com/oholiab/enumerate
cd enumerate
make deps