Starting with the domain exxonmobil.com, what else useful can we find using the https://host.io and https://ipinfo.io APIs? Let's see...
First, let's check the host.io API for this domain:
$ curl "https://host.io/api/full/exxonmobil.com?token=$TOKEN"
{
"domain": "exxonmobil.com",
"web": {
"domain": "exxonmobil.com",
"url": "https://corporate.exxonmobil.com/",
"ip": "104.81.189.156",
"date": "2019-10-25T19:31:59.232Z",
"length": 150548,
"encoding": "utf8",
"copyright": "© Copyright 2003-2019 Exxon Mobil Corporation. All Rights Reserved.",
"title": "ExxonMobil",
"description": "ExxonMobil is one of the world’s largest publicly traded international oil and gas company. Learn more at ExxonMobil.com."
},
"dns": {
"domain": "exxonmobil.com",
"a": [
"13.91.49.217",
"52.168.30.50"
],
"mx": [
"10 mail-d.exxonmobil.com.",
"10 mail-h.exxonmobil.com."
],
"ns": [
"pegasus.mobil.com.",
"pegasus2.mobil.com."
]
},
"related": {
"redirects": [
{
"value": "exxonmobil.com",
"count": 170
}
],
"backlinks": [
{
"value": "exxonmobil.com",
"count": 2371
}
],
"ip": [
{
"value": "13.91.49.217",
"count": 26
},
{
"value": "52.168.30.50",
"count": 26
}
],
"asn": [
{
"value": "AS8075",
"count": 828106
}
]
}
}
We can see AS8075 here - let's look that up on IPinfo to see if it's an AS owned by ExxonMobil:
$ curl -s "ipinfo.io/AS8075/json?token=$TOKEN" | jq .name
"Microsoft Corporation"
Doesn't look like it is - so no need to get all domains by ASN. There are 170 domains that redirect to ExxonMobil though - let's look into those:
$ curl "https://host.io/api/domains/redirects/exxonmobil.com?token=$TOKEN"
{
"redirects": "exxonmobil.com",
"total": 170,
"domains": [
"mobiljetoil387.ru",
"exxonmobilbtown.com",
"exxonmobil.com.pk",
"exxonoil.org",
"exxonmobil.com.mx",
"esso.com.ar",
"exxonmobilaviation.biz",
"exxonmobil-nigeria.com.ng",
"avitat.com",
"exxonmobilbeaumont.com",
"growingthegulf.com",
"mobiloil.xn--ses554g",
"exxonmobilaviation.info",
"mobilaviation.com",
"mobiljet-254.com",
"exxonmobiljol.com",
"exxonmobilus.com",
"esso.co.in",
"esso.com.br",
"exxonmobil.cm",
"xn--s8ss21bff38az6bq84cjty.xn--ses554g",
"exxonmobil.com.my",
"exxonmobilmena.com",
"exxonmobilbaytown.com",
"essochad.com"
]
}
We get 25 results by default. Let's set the limit to 1000 (the max, but we can pass in a page param to get more) to get the full 170:
$ curl "https://host.io/api/domains/redirects/exxonmobil.com?token=$TOKEN&limit=1000"
{
"redirects": "exxonmobil.com",
"total": 170,
"domains": [
"mobiljetoil387.ru",
"exxonmobilbtown.com",
"exxonmobil.com.pk",
"exxonoil.org",
"exxonmobil.com.mx",
"esso.com.ar",
"exxonmobilaviation.biz",
"exxonmobil-nigeria.com.ng",
"avitat.com",
"exxonmobilbeaumont.com",
"growingthegulf.com",
"mobiloil.xn--ses554g",
"exxonmobilaviation.info",
"mobilaviation.com",
"mobiljet-254.com",
"exxonmobiljol.com",
"exxonmobilus.com",
"esso.co.in",
"esso.com.br",
"exxonmobil.cm",
"xn--s8ss21bff38az6bq84cjty.xn--ses554g",
"exxonmobil.com.my",
"exxonmobilmena.com",
"exxonmobilbaytown.com",
"essochad.com",
"exxonmobilhq.com",
"esso.com.ve",
"radarbears.com",
"posto-esso.com.br",
"exxonmobil.gy",
"exxonmobil.my",
"batonrougerefinery.com",
"exxonmobil.com.br",
"exxonmobil.mg",
"keepingyourbusinessmoving.com",
"xn--kgbg1agl5fjgcgvc1a.com",
"esso-nigeria.com",
"exxonmobilportsandservices.com",
"exxonmobilmarinelubes.com",
"polarbearradar.com",
"mobiljet387.com",
"essoexpress.no",
"mobil.jobs",
"exxonmobil.fi",
"exxon.mx",
"exxonelite.com",
"xn--igbiaaacs8cn3nnabjfi5ac1b.com",
"exxon.com.br",
"exxon-mobil.ltd",
"mobilgard410nc.com",
"mobil-nigeria.com",
"exxonng.com",
"xn--kgbecf3avc2c3embim1acg2ah.com",
"growthegulf.com",
"energyliveshere.com.sa",
"xn--74q90n26cirt0oexmumrm.xn--ses554g",
"exxonmobilaviation.com",
"exxonmobilaviationlubes.com",
"exxonmobil.co.nz",
"understanding-energy.com",
"airworld.com",
"xn--s8s271bkuag8a21rkiqwme.xn--ses554g",
"xn--74q90n26c1to28dr2gg31adjj20f.xn--ses554g",
"esso.com.mx",
"essonigeria.com",
"exxonmobilbatonrouge.com",
"mobil-nigeria.com.ng",
"exxonmobil.ie",
"exxonmobil.ca",
"exxonmobilsaudiarabia.com",
"xn--3bsv7hn82bmot.xn--ses554g",
"exxonmobiloil.us",
"exxonnigeria.com",
"exxonmcbil.com",
"batonrougecomplex.com",
"esso-nigeria.com.ng",
"energyliveshere.com",
"exxonnmobil.us",
"exxonmobil.az",
"exxonmobilafrica.com",
"exxonmobil.tw",
"goesso.no",
"exxonmobilperspectives.com",
"kearltransport.net",
"exxonmobil.in",
"exxon-mobile.com.eg",
"exxonmobile.ca",
"xn-----4sdkdi5b1ae4dxfpacjn5adh5ai.com",
"exxonmobilegypt.com",
"esso.com.my",
"exxonmobil.hu",
"exxonmobil.com.ar",
"mobiljetoil.com",
"exxonmobil.kz",
"xn--4gq48lb4ggt4b.xn--ses554g",
"theenergyfactor.com",
"mobiljetoil387.pl",
"mobildieselefficient.com",
"mobiljet2.com",
"mm-exxonmobil.com",
"exxonmobil.com.es",
"exxonmobilbrstory.com",
"energyfactor.com",
"exxonmobil.ro",
"xn--j1agcl2d.xn--80ao21a",
"exxonmobilus.org",
"mobilaviationgrease.com",
"exxonmobil.cz",
"xn---------yiidkwbdcd1liuioh4d8mland3acfhlrm9ddmd2dzab.com",
"letssolvethis.com",
"mobilhyjet.com",
"exxonmobilhq.net",
"mobilshcaware.com",
"exxonmobil.com.sa",
"xn--igbaafkcbc6feofje8b7kjjdwbefjnl7cckc3cub.com",
"esso.com.pl",
"esso-ace.de",
"exxonmobil.jp",
"exxonmobil.us",
"exxonmobiljoliet.com",
"exxonmobilbil.com",
"esso.ie",
"mobildelvacmarine.com",
"wcclngproject.ca",
"exxonmobilaviationlubes.net",
"xn--s8s49yp8d5gv47f.xn--ses554g",
"mobiljetoil387.com",
"exxonaviation.com",
"exxonmobil.vn",
"xn-----4sdcjbadx2ep5qqackgi9ad5b.com",
"exxonmobilbmt.com",
"mobiljetoil387.dk",
"exxonmobilnigeria.com.ng",
"mobiljetoil387.nl",
"exxonmobil.mx",
"essoline.com.br",
"exxonmobil.co.kr",
"exxonbaytown.com",
"exxonmobil-nigeria.com",
"exxonmobil.com.cn",
"exxonmobil.co.tz",
"exxonmobilbaytown.net",
"exxonmobilbillings.com",
"mobiljetoil387.se",
"exxonmmobil.us",
"xn--8pr33ok1f5lm37aj1c459c.xn--ses554g",
"energyquiz.com",
"exxonmobilbr.com",
"esso.com.ng",
"exxon-nigeria.com.ng",
"exxonmobil.com.gt",
"wcclngproject.com",
"xn--fiqs8syudgz1c.xn--ses554g",
"exxonmobilsafety.com",
"exxonmobil.ae",
"exxonmobil.com.eg",
"exxonmobil.com.kz",
"mobilgard.com",
"beaumontrefinery.com",
"exxonmobil.com.ng",
"xn--74q90n26c1to28dwtq1xfokxxpf.xn--ses554g",
"exxonmobiluae.com",
"exxonmobiliraq.com",
"xn-----4sdn0cir1imidgzd5a.com",
"blueoceanenergy.com",
"kearltransport.com",
"aboutnaturalgas.com",
"exxon-nigeria.com",
"exxonmobilcanada.ca",
"exxonmobilmarinefuels.com"
]
}
Let's investigate the MX and NS records, starting with the default limit of 25:
$ curl "https://host.io/api/domains/ns/mobil.com?token=$TOKEN"
{
"ns": "mobil.com",
"total": 1843,
"domains": [
"exxonmobil.com",
"mobiloil.com",
"mobil.com",
"exxon.com",
"exxonmobilchemical.com",
"imperialoil.ca",
"esso.ca",
"esso.com",
"mobilsmiles.co.nz",
"xtoenergy.com",
"speedpass.com",
"essosmiles.com.hk",
"mobil.co.uk",
"esso.de",
"esso.co.uk",
"mobil.com.mx",
"exxonmobilpp.com",
"exxonmobilmarine.com",
"exxonmobil.com.sa",
"exxonmobilchemical.org.cn",
"mobilindustrial.com.pt",
"exxcoredva.info",
"xtoenergyinc.us",
"exxonmobil.com.eg",
"exxonmobilchemical.vg"
]
}
$ curl "https://host.io/api/domains/mx/exxonmobil.com?token=$TOKEN"
{
"mx": "exxonmobil.com",
"total": 23,
"domains": [
"exxonmobil.com",
"imperialoil.ca",
"esso.ca",
"esso.com",
"xtoenergy.com",
"speedpass.com",
"esso.de",
"esso.co.uk",
"em-wipro.com",
"delvac.com.br",
"em-infosys.com",
"syncrude.ca",
"mobil1.com.br",
"syncrude.com",
"exxonmobilsit.com",
"wq1fod.com",
"exxonmobil.fi",
"contactexxonmobil.com",
"em-msph.com",
"esso.no",
"gpterminal.com",
"esso.be",
"esso.nl"
]
}
OK, so a bunch more related domains there. Let's combine them all into a single file. Let's make sure we've got our JQ right first - take the API output and print a single domain per line...
$ curl -s "https://host.io/api/domains/mx/exxonmobil.com?token=$TOKEN" | jq -r '.domains[] | .' | head -n2
exxonmobil.com
imperialoil.ca
Looks good. Let's start with NS records. We know there are 1843 so we'll need to get 2 pages of details:
$ curl -s "https://host.io/api/domains/ns/mobil.com?token=$TOKEN&limit=1000&page=0" | jq -r '.domains[] | .' > ns_domains
$ curl -s "https://host.io/api/domains/ns/mobil.com?token=$TOKEN&limit=1000&page=1" | jq -r '.domains[] | .' >> ns_domains
$ sort -u ns_domains | wc -l
1843
Let's dump the MX records and redirects too, and combine them...
$ curl -s "https://host.io/api/domains/mx/exxonmobil.com?token=$TOKEN" | jq -r '.domains[] | .' > mx_domains
$ curl -s "https://host.io/api/domains/redirects/exxonmobil.com?token=$TOKEN&limit=1000" | jq -r '.domains[] | .' > redirects
$ cat ns_domains mx_domains redirects | sort -u > exxon_domains
$ wc -l exxon_domains
1875 exxon_domains
$ gist exxon_domains
https://gist.github.com/7017ce69a8259f5cfe63c5e6db011da3
We know that the ASN associated with the DNS records of exxonmobil.com belongs to Microsoft, so it's likely that Exxon are hosting their main site on Azure or leasing IP space from Microsoft. Often organizations will do that for their main public-facing domains, but host less prominent domains on their own infrastructure. Therefore we can find more information by looking up some of the domains in this list. Let's go with esso.cm:
$ curl "https://host.io/api/full/esso.cm?token=$TOKEN"
{
"domain": "esso.cm",
"web": {},
"dns": {
"domain": "esso.cm",
"a": [
"158.28.238.12",
"158.35.238.12"
],
"ns": [
"pegasus.mobil.com.",
"pegasus2.mobil.com."
]
},
"related": {
"ip": [
{
"value": "158.28.238.12",
"count": 76
},
{
"value": "158.35.238.12",
"count": 74
}
],
"asn": [
{
"value": "AS1766",
"count": 1546
}
]
}
}
There's no associated website this time, and a different ASN. Let's look up the IP on IPinfo:
$ curl "ipinfo.io/158.28.238.12?token=$TOKEN"
{
"ip": "158.28.238.12",
"hostname": "esso.com.pt",
"city": "Calgary",
"region": "Alberta",
"country": "CA",
"loc": "50.9278,-113.9682",
"postal": "T2Z",
"timezone": "America/Edmonton",
"asn": {
"asn": "AS1766",
"name": "Exxon Mobil Corporation",
"domain": "exxonmobil.com",
"route": "158.28.238.0/23",
"type": "business"
},
"company": {
"name": "Exxon Mobil Corporation",
"domain": "exxonmobil.com",
"type": "business"
},
"abuse": {
"address": "US, TX, Irving, 5959 Las Colinas Blvd., 75039",
"country": "US",
"email": "gsc-emit-arin@exxonmobil.com",
"name": "Role Account",
"network": "158.28.0.0/16",
"phone": "+1-888-840-4846"
}
}
So it looks like Exxon do have their own ASN (we might also have been able to find this by searching on https://ipinfo.io/countries/us). Let's add all of those to our list of domains and see if there are any new ones:
$ curl -s "https://host.io/api/domains/asn/AS1766?token=$TOKEN&limit=1000&page=0" | jq -r '.domains[] | .' > asn_domains
$ curl -s "https://host.io/api/domains/asn/AS1766?token=$TOKEN&limit=1000&page=1" | jq -r '.domains[] | .' >> asn_domains
$ cat ns_domains mx_domains redirects asn_domains | sort -u > exxon_domains
$ wc -l exxon_domains
1878 exxon_domains
We were at 1875 before, so we only found 3 new domains that were hosted on the ASN but not available through the redirects, MX or NS records. Interesting, let's find out what those 3 are...
$ mv exxon_domains exxon_domains_with_asn
$ cat ns_domains mx_domains redirects | sort -u > exxon_domains_without_asn
$ diff exxon_domains_with_asn exxon_domains_without_asn
482d481
< exxon.gm
1685,1686d1683
< srv1-mobil.ma
< srv2-mobil.ma