Information Gathering - Asset Scanning


Asset scanning covers three things: scanning subdomains, scanning C segments, and scanning adjacent sites.

Adjacent sites: different sites hosted on the same server.
C segment: different servers on the same class C (/24) network segment.

Scanning Subdomains#

Classic Search Engines#

As I mentioned in the previous article, you can directly use


However, as seen in the figure, larger enterprises have hundreds or thousands of subdomains, and it is exhausting to collect subdomains using search engines.

This method is only effective for small websites, which is why subdomain query tools and websites have appeared (though most of them are essentially "lucky" guesses made with a dictionary).

Domain Registrant Reverse Lookup#

Large enterprises generally register large numbers of second-level domains with a corporate email address, so we can do a reverse lookup directly on the corporate email.

Use 站长whois for query:



You can also use Yunxi Asset Scanning to scan the basic information of the website before performing a whois reverse lookup:



You can also check the filing information of the website before performing a whois reverse lookup:

ICP filing number query

Public network security information query

Online Query Websites#

Online subdomain query by


Online subdomain query by zichengjun:


In addition, I tried a subdomain scanning website developed by a certain team (CYWL.TEAM, remember to delete later).

  • Registration requires a numeric QQ email address.
  • Follow the WeChat public account to obtain the registration code.
  • New accounts get 6 points, and each website scan consumes one point. Once they are used up, more must be purchased with RMB, at 1 RMB per point.



Several Subdomain Scanning Tools and Scripts#

Layer Subdomain Miner#

A subdomain miner written by seay in C#.

Another tool by seay, the Seay Source Code Audit System, is also very powerful. If we get to code auditing later, we will mention this tool too, but this blogger's blog is currently inaccessible...

Only the download address for version 4.2 of Layer Subdomain Miner can still be found on the Internet:



A subdomain collection tool written by lijiejie; the last update was on 2019-05-19. GitHub address

The download is a Python source file that runs under Python 2 and needs the following packages installed:

pip install dnspython gevent

The usage tutorial is as follows:



I believe the tools above are enough for our purposes. There are several other subdomain scanning tools that will not be tested one by one:
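The dictionary guessing that the tools above rely on, with the wildcard-DNS check a practitioner needs (a zone with a *.domain record answers every guess), followed by grouping the resolved addresses into the C segments defined at the top of the article. This is an added example, not code from lijiejie's tool or any other tool mentioned here; the resolver is injected so it runs offline, and FAKE_ZONE is a constructed sample zone standing in for real DNS answers.

```python
import ipaddress
import random
import string
from collections import defaultdict
# Constructed sample zone; the wildcard is the trap for dictionary guessing.
FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "198.51.100.7",
    "dev.example.com": "198.51.100.8",
}
WILDCARD_IP = "203.0.113.99"

def fake_resolve(name):
    """Stand-in for dns.resolver.resolve(name, "A"): one A record or None."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return WILDCARD_IP  # behaves like a *.example.com wildcard record
    return None

def wildcard_ips(domain, resolve, probes=3):
    """Resolve a few random labels; any answer means the zone has a wildcard."""
    ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        ip = resolve(f"{label}.{domain}")
        if ip:
            ips.add(ip)
    return ips

def brute_subdomains(domain, wordlist, resolve):
    """Dictionary guessing as in the tools above, minus wildcard noise.
    Limitation: a real host that shares the wildcard IP is dropped too."""
    noise = wildcard_ips(domain, resolve)
    found = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip and ip not in noise:
            found[fqdn] = ip
    return found

def c_segments(found):
    """Group discovered hosts by /24, i.e. the C segments to scan next."""
    groups = defaultdict(list)
    for fqdn, ip in found.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[str(net)].append(fqdn)
    return {net: sorted(hosts) for net, hosts in groups.items()}
```

Swapping fake_resolve for a real dnspython lookup turns this into the same workflow the tools above automate; without the wildcard check, every word in the dictionary would be reported as a hit against such a zone.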

Scanning C Segments/Adjacent Sites#

Online Scanning Websites#

In addition to subdomains, the online query site above also scans C segments and adjacent sites:

Query adjacent sites:


Query C segments:


Website of 0x4i:

Query adjacent sites:


Query C segments:


Scanning Tools#

IIS PUT Scanner#

Used alongside the online scanning websites; the results do not seem ideal:



K8Cscan is produced by K8Team; as of writing this article, the tool's last update was on 2019-05-06.

Detailed introduction:

This tool can be used with plugins:

Plugin tutorial:

  • Plugin 9: Weblogic vulnerability scanning & GetShell exploit
  • Plugin 8: K8Cscan plugin for scanning Cisco devices
  • Plugin 7: K8Cscan plugin for detecting operating system versions using several methods
  • Plugin 6: K8Cscan plugin for brute-forcing Windows passwords over WMI
  • Plugin 5: K8Cscan plugin for MySQL password brute-forcing
  • Plugin 4: K8Cscan plugin for FTP password brute-forcing
  • Plugin 3: K8Cscan plugin for scanning adjacent sites in C segments and subdomains
  • Plugin 2: Calls a DLL written in C# to scan the banner and title of intranet web hosts
    DLL source code:
    Compiled version:
  • Plugin 1: Configures Cscan.ini to call the external program S scanner to scan open ports of C-segment hosts

Configure Cscan.ini:

arg=TCP $ip$ 21,80,3306,3389,1521

Then execute cscan on the command line.

There are too many methods to cover; I will learn them as the need arises.

K8Cscan download address:

Decompression password: k8gege


This section only briefly introduces the host discovery part of nmap. For a detailed introduction to nmap, please refer to the article on port scanning.

The main parameters for host discovery in nmap are as follows:

-Pn Treat all specified hosts as online and skip host discovery
-PS TCP SYN ping: sends an empty TCP packet with the SYN flag set; the default port is 80, and other ports can be specified
-PA TCP ACK ping: sends an empty TCP packet with the ACK flag set; the default port is 80, and other ports can be specified
-PU UDP ping: sends an empty UDP packet to the specified port; can get through firewalls that only filter TCP
-PR ARP ping

The -P* options used for host discovery and the -s* options used for port scanning mirror each other:

Here we want the fastest and most complete sweep of all live hosts in the specified C segment without scanning ports:

nmap -v -sn -Pn -PS -n

Note that -Pn skips host discovery entirely, so combined with -sn nmap reports every address in the segment as up and the -PS probes are never used; drop -Pn when the goal is to actually tell live hosts apart.



Reference articles:

End of this article.
