Mon Sep 06 2021

How to get a view on your digital footprint?


Last week I wrote an introduction on what your digital footprint is and why it matters.

But how do you generate that view? While there are many different takes on and approaches to this question, I'll provide you with resources to get you started. Each step below gives you new information on your digital footprint, which you can use to move on to the next step or to iterate back over previous steps and expand the data further. Over time you'll create your own approach and methodology for mapping your company's digital footprint.

Step 1: List your domains

It all starts with an overview of your domains, such as company.com, company.org, etc. Usually this information can easily be extracted from your DNS. In some cases your domains might be managed completely outside your zone of control (yikes!), and you'll have to request the A or AAAA records from the party, or parties, managing your domains. If you do, also request an overview of all associated IP addresses and other DNS records, such as CNAME and PTR (other domains and subdomains), MX (mail servers), and NS (nameserver records, which may point to other DNS servers containing your information). You might have to iterate over different nameservers to get a complete picture of your domains.

If for some reason you do not have access to your DNS, there are some simple tools that might help, such as dig, host, DNSEnum, dnsmap, and Amass. And if you really want to find all domains, you can scrape the TLDs (Top Level Domains) and their databases to find, for example, all existing domains containing your company's name. If you're lucky (or unlucky?), you might even uncover active phishing domains.

Step 2: List your subdomains

The next step is to start enumerating your subdomains. This is quite easy if you received a full output of your DNS. If not, but you do have a list of all your domains handy, your subdomains can be enumerated with readily available tools such as Amass, subfinder, crt.sh, massdns, altdns, etc. More details on these techniques are described in this blogpost. The list of subdomains will help you understand the extent of your digital footprint and give you a view of all your websites and applications (provided one is active on the subdomain).

Step 3: List your IP addresses

Not everything on the internet is linked to a (sub)domain or contains a web application. Think about your email servers, VPN, access for third parties, etc.

When you have extracted the information from your DNS, you will also have gathered a lot of IP addresses. Go ahead and look them up in the WHOIS databases of, depending on where in the world your IP addresses were issued, RIPE, APNIC, ARIN, LACNIC, or AFRINIC.

Through these resources you'll be able to determine to which IP range, and which owner, the IP addresses belong. This tells you whether an address belongs to your organisation, a hosting provider, or another party. In addition, each IP address is part of a range of IP addresses. It is worth the effort to extend your digital footprint mapping to the other addresses in that range to determine whether they also contain resources belonging to your organisation (especially when the IP range is hosted with third parties).

Step 4: Expand to your third parties

You've reached a point where you have a good view of which domains, subdomains, and IP addresses are hosted by your organisation and which are hosted by third parties. You can start mapping these items to those third parties. As a next step, assign contact persons to those external companies. If you discover something requiring rectification, you immediately know who to contact. Don't have this information? Have a chat with your colleagues in procurement, HR, or sales and marketing. Chances are they set up a website without informing the IT department.

Step 5: Enumerate your assets, list your services, and get a rough idea of the risks

A port scanner such as Nmap will enumerate all services running on these IP addresses. It allows you to quickly find web applications, but also to see whether an address is running an email server, DNS, FTP, or maybe even some unauthorized services (RDP, VNC, Telnet, ...). Take care to only port scan IP addresses belonging to your organisation.

Next, the EyeWitness tool can help determine which subdomains contain an active website, and even create a screenshot for a quick look without having to manually type each one into your browser. This provides direct and invaluable information on what is actually hosted on that (sub)domain.

Free versions of Qualys or Tenable Nessus, or the open source tool Greenbone Vulnerability Management (previously OpenVAS), can start generating a list of known vulnerabilities on all the IP addresses, domains, and subdomains you previously researched. Using this list you can quickly start remediating outdated systems and systems with critical vulnerabilities out in the open. Remember, these are exposed assets after all!

Finally, with the free-to-use Qualys SSL Labs you can generate a risk-based view of all your SSL certificates. Do they contain weak ciphers? Do they use deprecated cryptographic protocols? Will they expire soon?

Step 6: Iterate

During each step above you'll likely encounter new IP addresses, domains, or subdomains. Each time it is recommended to iterate over the previous steps as you might find even more information. For example, the output of your certificates might yield more subdomains, or the IP range of a certain asset contains company branded websites you didn't even find a DNS entry for. Or what about DNS entries pointing to an IP address that has been reassigned to another company altogether ...?
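
The bookkeeping behind steps 1 to 4 and 6, as an added example that is not part of the original post: it reads a simplified DNS export, groups addresses by range owner, lists third-party hosts, and queues what to look at in the next round. The `company.example` records, the vendor names and the range-to-owner table (a stand-in for WHOIS/RIR lookups) are constructed assumptions.

```python
import ipaddress
# Constructed sample: a simplified DNS export, one "name type value" record per line.
ZONE_EXPORT = """\
company.example.        NS     ns1.dnshost.example.
company.example.        MX     mail.company.example.
company.example.        A      192.0.2.10
mail.company.example.   A      192.0.2.25
vpn.company.example.    AAAA   2001:db8:10::1
shop.company.example.   CNAME  tenant42.shopvendor.example.
promo.company.example.  A      203.0.113.77
legacy.company.example. A      198.51.100.5
portal.company.example. CNAME  gw.company.example.
"""
OWN_DOMAINS = {"company.example"}
# Constructed stand-in for the WHOIS/RIR answers of step 3: IP range -> registered owner.
RANGE_OWNERS = {"192.0.2.0/24": "own", "2001:db8:10::/48": "own", "203.0.113.0/24": "HostingCo"}

def parse_zone(text):
    """Yield (name, type, value), lower-cased and without the trailing dot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() in ("A", "AAAA", "CNAME", "MX", "NS"):
            yield parts[0].rstrip(".").lower(), parts[1].upper(), parts[2].rstrip(".").lower()

def is_own(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def owner_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((o for c, o in RANGE_OWNERS.items() if addr in ipaddress.ip_network(c)), "unknown")

def build_footprint(text):
    records = list(parse_zone(text))
    names = {name for name, _, _ in records}
    fp = {"subdomains": sorted(names - OWN_DOMAINS), "by_owner": {},
          "third_party_hosts": set(), "review": [], "next_round": set()}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            owner = owner_of(value)                 # step 3: which range and owner?
            fp["by_owner"].setdefault(owner, []).append((name, value))
            if owner == "unknown":                  # step 6: possibly a reassigned address
                fp["review"].append(name)
        elif not is_own(value):                     # step 4: target run by a third party
            fp["third_party_hosts"].add(value)
        elif value not in names:                    # step 6: own hostname not yet mapped
            fp["next_round"].add(value)
    return fp

if __name__ == "__main__":
    print(build_footprint(ZONE_EXPORT))
```

Entries under `review` and `next_round` are the inputs for the next iteration: the first need a fresh WHOIS lookup, the second need resolving.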


It takes quite some effort, and a collection of tools, to generate an overview of your digital footprint. But it can be very worthwhile as it can uncover issues you didn't even know about. Websites you thought no longer existed, domains assigned to IP addresses owned by other parties, or even a list of vulnerabilities exposing you to some potential intruders you'd rather keep out. Be sure to repeat this process every so often since your digital footprint is constantly changing!


Jimmy Pommerenke


Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.
