Analysis updated 2026-05-18
Trace a target company's registered domains and shadow domains using ICP filings and historical WHOIS records.
Expand from a main domain to subdomains and IP addresses using tools like Tscan and subfinder.
Search asset mapping platforms such as Hunter, Quake, and FOFA to find edge assets outside a target's main perimeter.
| d0ctorsec/informationcollectionedgeassetsmining | 920linjerry-stack/capital-studio | aahonarmand/neticu | |
|---|---|---|---|
| Stars | 16 | 16 | 16 |
| Language | — | Python | Swift |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 3/5 | 2/5 |
| Audience | developer | researcher | general |
Figures from each repo's GitHub metadata at analysis time.
Requires separately installing and configuring third-party recon tools and API keys for the platforms it references.
This repository is a Chinese-language reference guide for asset discovery and reconnaissance during authorized penetration testing engagements. The author assembled it to replace scattered notes and tools with a single, ordered workflow. Most of the text is in Chinese, but tool commands and search syntax appear in English. The guide is structured as a sequential chain. You work through each stage in order, and the outputs from earlier stages feed into later ones. The first stage covers collecting basic information about a target organization: looking up company registration data through equity transparency platforms, finding registered domains through China's ICP filing system (the Ministry of Industry and Information Technology database), tracing historical WHOIS records to find shadow domains the organization may have forgotten, and reverse-searching contact details from WHOIS records to discover additional domain registrations. The second stage expands from the main domain into subdomains and IP addresses. The guide recommends combining automated tools with asset mapping platforms. Tools covered include Tscan (a multi-platform tool that aggregates results from several intelligence platforms at once) and subfinder (an open-source subdomain discovery tool that pulls from sources like Shodan, FOFA, Censys, and GitHub). Asset mapping platforms covered include Hunter, Quake, and FOFA, each with their specific query syntax for domain lookups, ICP registration number searches, and favicon hash searches. The guide notes that certificate wildcard matching can produce false positives that need manual filtering. The document continues through additional stages covering IP range validation, port scanning, web fingerprinting, and identifying edge assets: services that belong to a target organization but sit outside its main perimeter, such as forgotten subdomains, cloud storage buckets, and third-party integrations. The project is described as practical field notes from real pre-sales security assessments, compiled to save time during future engagements. The guide is intended for security professionals performing authorized assessments, not for unauthorized use.
A Chinese-language reference guide walking authorized penetration testers through discovering a target organization's domains, subdomains, and hidden assets.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.