Here are some ways to gather domains belonging to a particular target.
- Crawl the site and grep for URLs;
- Search through various Internet archives;
- Look up the target's IP ranges;
- Check the CSP header and other similar headers for trusted domains,
some of these might belong to the target;
- Services such as https://www.crunchbase.com/ list out various brands
and projects that belong to a specific company;
- Check DNS records, they often list other domains that belong to the
- SAN certificates can contain a nice collection of domains belonging
to the same company;
- Sieve through Git(Hub|Lab) to find references of other domains;
- Check Rapid7's FDNS dataset for domains;
- The BuiltWith browser extension shows related domains;
- Do a reverse WHOIS lookup and look for domains registered under the
same email address.
I am sure there are plenty of further ways of finding more assets,
so please feel free to expand the list in response to this email.
P.S.: Remember to always remain in scope while testing though. ;)
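
The CSP item in the list above, as an added example that is not part of the original email: a small parser that lists the hostnames a Content-Security-Policy value names and the directives that trust them, which is also a quick way to review what your own policy discloses. The header value and the example.* hostnames are constructed, and the function names are illustrative.

```python
# Added example: list the hostnames named in a Content-Security-Policy value.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample header value (example.* names are placeholders).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-abc123' https://cdn.example.net:443/js/ *.static.example.org; "
    "img-src data: https: img.example.com; "
    "connect-src wss://api.example.com 'sha256-AAAA='; "
    "report-uri /csp-report"
)

# Directives whose values are not source lists and must not be parsed as hosts.
NON_SOURCE = {"report-uri", "report-to", "sandbox", "plugin-types",
              "require-trusted-types-for", "trusted-types",
              "upgrade-insecure-requests", "block-all-mixed-content"}


def host_of(source):
    """Return the host part of a CSP host-source, or None for keywords/schemes."""
    if source.startswith("'") or source == "*":
        return None              # 'self', 'nonce-...', 'sha256-...', bare wildcard
    if source.endswith(":") and "/" not in source:
        return None              # scheme-source such as https: or data:
    if "://" not in source:
        source = "//" + source   # make urlsplit treat the value as a netloc
    netloc = urlsplit(source).netloc.lower()
    host = netloc.rsplit(":", 1)[0] if ":" in netloc else netloc  # drop port
    return host or None


def csp_hosts(header):
    """Map each hostname to the set of directives that trust it."""
    found = defaultdict(set)
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() in NON_SOURCE:
            continue
        for source in tokens[1:]:
            host = host_of(source)
            if host:
                found[host].add(tokens[0].lower())
    return dict(found)


if __name__ == "__main__":
    for host, directives in sorted(csp_hosts(SAMPLE_CSP).items()):
        print(f"{host:28} {', '.join(sorted(directives))}")
```

Wildcard entries such as `*.static.example.org` are kept as written, since they name a parent domain rather than a single host.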