Hello Hackers! Hope everything is fine. Back again with another write-up. Hope you will enjoy this…
A company does not use only a single domain. Multiple domains can be used for internal and external purposes. Maybe they use different domains for their different products, or maybe they have an unpublished domain for their limited customers. It could be anything.
Reverse whois can help you find those domains. Let me tell you my story. A company runs a private program at HackerOne. I follow this law when I choose a program from HackerOne: “Never go into the Out of Scope but don’t stick only in scope.”
So I started gathering all the other domains using reverse whois and found some. They look like: company-int.com, corpcompany.com, etc. All of them were redirecting to the main domain: company.com.
But I found a domain, com-pany.com, that was redirecting to www.com-pany.com, and further it was going to www.com.pany.com.s3.amazonaws.com. Guess what? I got a “No such bucket” error.
I immediately took that over and reported it, and got the bounty. So always check for secret domains. Reverse whois is your VIP friend.
I used this website to find that domain: https://viewdns.info/reversewhois/
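For teams auditing their own domain inventory for the condition described above (a redirect chain that ends at an S3 endpoint answering "No such bucket"), here is an added example that is not part of the original write-up. The function names, the finding labels and the recorded responses are assumptions constructed for illustration; the hostnames are the redacted ones used in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

S3_SUFFIX = ".s3.amazonaws.com"  # assumption: only the endpoint form seen in the post

def bucket_from_host(host):
    """Bucket name if host is a virtual-hosted S3 endpoint, else None."""
    host = (host or "").lower().rstrip(".")
    return host[:-len(S3_SUFFIX)] if host.endswith(S3_SUFFIX) else None

def s3_error_code(body):
    """Return the <Code> of an S3 XML error document, or None if body is not one."""
    if not body or len(body) > 65536:  # do not parse oversized remote content
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None

def audit(domain, hops):
    """hops: recorded redirect chain [(url, status, body), ...] for a domain you own."""
    url, status, body = hops[-1]
    bucket = bucket_from_host(urlparse(url).hostname)
    if bucket is None:
        return {"domain": domain, "finding": "ok", "bucket": None}
    if status == 404 and s3_error_code(body) == "NoSuchBucket":
        # Nobody owns the bucket name the chain ends at: remove the redirect or
        # DNS record, or re-create the bucket in your own account.
        return {"domain": domain, "finding": "dangling-s3", "bucket": bucket}
    return {"domain": domain, "finding": "s3-in-use", "bucket": bucket}

# Constructed sample data: recorded responses, so the example runs offline.
NO_BUCKET = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
             '<Message>The specified bucket does not exist</Message>'
             '<BucketName>www.com.pany.com</BucketName></Error>')
SAMPLES = {
    "company-int.com": [("http://company-int.com/", 301, ""),
                        ("https://company.com/", 200, "<html>ok</html>")],
    "com-pany.com": [("http://com-pany.com/", 301, ""),
                     ("http://www.com-pany.com/", 301, ""),
                     ("http://www.com.pany.com.s3.amazonaws.com/", 404, NO_BUCKET)],
}

def run():
    return [audit(domain, hops) for domain, hops in SAMPLES.items()]

if __name__ == "__main__":
    for result in run():
        print(result)
```
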
Thank you for reading. Stay safe and happy hunting…