Horizontal/Vertical Domain Enumeration

Zone Files

Official Sources:

Commercial Sources:

Community Sources:

Web Crawl Data

Microsoft Exchange Autodiscover

The following example shows the traditional autodiscover approach (now limited):

DOMAIN="example.com" # Replace with target domain
curl -X POST "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "User-Agent: AutodiscoverClient" \
  -H "Accept-Encoding: identity" \
  -H "SOAPAction: \"http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation\"" \
  --data-binary @- <<EOF | xmllint --format -
<soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages"
    xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <a:Action xmlns:a="http://www.w3.org/2005/08/addressing" soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action>
    <a:To soap:mustUnderstand="1">https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</a:To>
  </soap:Header>
  <soap:Body>
    <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <Request><Domain>$DOMAIN</Domain></Request>
    </GetFederationInformationRequestMessage>
  </soap:Body>
</soap:Envelope>
EOF

Shared Nameserver Enumeration

WHOIS Information Correlation

Shared Favicon Analysis

Shared HTTP Site Content

Service Information with Domain Correlation

Shared Analytics Tracking Codes