Collect Subdomains by AS Numbers - ProgrammerTech


Collect Subdomains by AS Numbers

  • Share this:
Collect Subdomains by AS Numbers

Before you start to see what a subdomain is we have to know what a domain is basically, websites of all types need a domain name so that visitors can easily know the site but in reality there is no connection at the domain level, you can connect to the server address directly, in other words, Domain replaces IP so that visitors can connect to the site easily, it will be difficult to remember the IP address, but it will be easier to remember the domain

For example, phone contacts when you call someone from the contacts and that person's name is Jack. We call this name on the number registered on the phone, which means that this name refers to this number so that it is easy to remember the contact number for this name. This is what the domain does by setting it as a name pointing to the IP.

What does subdomain mean?


Subdomains, which are added to your domain name to help navigate and organize sections of your website. They are primarily used to manage site domains that are large enough to require their own hierarchy, such as online stores, blogs, or support platforms. While many consider “WWW” to be a default part of any domain name, these three characters are just like any other subdomain of the Domain Name System protocol.


Take a look at the image below to visualize the position of the URL subdomains and how they compare to the other parts:  // Subdomain // Domain
The subdomain as in the picture is support from the main programmer-tech

subdomain collection?

As a penetration tester, you are often given one domain or a group of domains when you start a security assessment. You will have to do a thorough survey to find interesting assets such as servers, web applications, and domains belonging to the target organization so that you can increase your chances of finding vulnerabilities. Collecting subdomains is an essential part of the information gathering stage. The blog post covers a range of techniques and strategies for bringing together the various subdomains. Collect subdomains is the process of searching for a subdomain of one or more domains. It is an essential part of the information gathering stage.

Why is subdomain collection important?

Subdomain aggregation can reveal many domains or subdomains that fall within the scope of a security assessment which in turn increases the chances of vulnerabilities being discovered, Often the same vulnerabilities tend to appear across different domains or applications of the same organization. It is important to have unique OSINT methods of collection in order to collect as many unique subdomains, as this gives you a higher chance of finding vulnerabilities.

Subdomain collection tactics

There is a set of tools and strategies that can be used to group subdomains in proportion to the tools. This is not as important as the strategies in the end. These strategic tools are being implemented. The strategies differ from one penetration lab engineer to another. The more unique strategies a penetration tester has, the greater the chance of finding vulnerabilities within the organization. Therefore, as a penetration testing engineer, you must study the unique methods of OSINT. Below is a set of tools and strategies that will be used in the coming period.

ASN (dnsx)

Google Dorking / Search Engines Shodan, Censys

Passive (amass, github-subdomains)

Brute Force (puredns)

Certificate transparency (crtsh)

Zone-Transfer (dig)

Inline and External JS (SubDomainizer)

Resolve All Domains (massdns, puredns, dnsvaildator)

Root Sub-Domains
In the first article on subdomains, we will explain the first technique, AS Numbers, then Reverse Lookup, to find subdomains.

What is AS Number

It is a number that indicates the customer networks of the ISP. In other words, you know what BGP connections are inside your ISP. Customer networks. Each customer has a number that is distinct from the other. This number is known by the ISP of all customer networks. Let's explain it more scientifically. Each ISP buys a set of IP addresses and an ASN number from IANA. A unique set of IP addresses, number, and. It helps to distinguish between the network and other networks. In order for BGP to connect to multiple networks, an ASN and an internally independent system (AS) are needed.

What is a reverse lookup

This term refers to opposite operations in other words I can convert range to IP and I can convert IP to range Sometimes we will have a set of addresses (IPS) belonging to a particular company, and we need to convert those addresses into ranges, for the purpose of knowing if there are applications running on IPS This is the opposite if there is a set of domains that we want to convert to IPS for the purpose of scanning at the network level and discovering Ports and programs running on those Ports, and whether they suffer from security holes or not.

The lookup site for AS Numbers is

As we can see in the search box, we put the main domain name, we have more than one box like DSN information about the name and records. In the IP info box, we find several IP address CIDRs with ASN ranges.



What is the difference between CIDR and ASN.

CIDR is a network IP address range of the organization ( and this is one form of CIDR and here ASN can include a total of CIDR and an organization can have more than one ASN for me depending on the strength of the company

Collect ASN by Whois

whois is a query and response protocol widely used to query databases that store registered or assigned users of an Internet resource, such as a domain name, IP address, or System Autonomous System (ASN), but is also used for a broader range of other information: the protocol stores and presents content in The database is in a human-readable format.

Some tools can be used to fetch one or all (ASN) of a particular company, such as whois plus dig. In short, this uses a whois service to fetch the ASN and then uses dig to pass the scope to the target company and this will be the output.

whois -h $(dig +short

After you have figured out the ASN and what are the ways and strategies to collect the ASN from a particular company, the Subdomain collection stage now comes in addition to the reverse research. Now we have to collect a certain IPS number and then convert the IPs to subdomains.

whois -h -- '-i origin AS36647'| grep -Eo "([0-9.]+){4}/[0-9]+" | uniq | dnsx -ptr -resp-only


whois -h
A query protocol was used in one of its databases to look up the target ASN and then give it that we want this ASN
grep -Eo "([0-9.]+){4}/[0-9]
Here we have filtered at the ipv4 level to not extract anything else
mapcidr -silent
We used this to include each CIDR target ASN
dnsx -ptr -resp-only
We used that tool to convert ip to doamin


The results can be found more according to IP Address Rang