One thing I like to do is track domain names and url’s that product vendors hard coded in their products. Over the years I have purchased dozens of domain names that large companies had used to check on firmware status, update checkers, etc. When newer products come out, eventually the old domain names are not renewed.

I like the ones that were hard coded into firmware on NIC’s for example. There are a number of domains (most I don’t own, a few I do) that are still active, listening for beacons/pings from thousands of NIC’s still in use around the globe. I know, because they are beaconing to one of the domains I own.

It’s interesting to note, that most companies have ok to decent inbound security and filtering, but quite a lot of organizations actually hard code some of these domain names into their rules to explicitly allow outbound initiated comms.

I know of a few Storage Area Network (SAN) appliances from major firms that have hard coded “call home” functionality for example, going to domain names they don’t own any more.