The complete subdomain Enumeration Guide
Hello everyone! As we know, information gathering, also known as reconnaissance or simply recon, is the first and foremost step of your pentesting or bug hunting journey.
It is wisely said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”.
Enumerating the scope of a program (we will refer to the target as evilcorp.com from now on) is very important. The wider your scope, the better your chances of finding critical bugs, because subdomains are often the assets that developers do not protect well and that other security researchers have not tested.
TL;DR
Enough talking, let's start!
What is a subdomain? A subdomain, as shown in the figure, is a subdivision of a domain.
Eg: beta.evilcorp.com
There is also something known as a sub-subdomain. Subdomains of a domain fall under vertical domain correlation, while acquisitions fall under horizontal domain correlation.
Vertical domain correlation: all subdomains of a base domain, e.g. maps.google.com for google.com → any subdomain of a particular base domain.
Horizontal domain correlation: acquisitions, e.g. google.cz, youtube.com, blogger.com → anything acquired by Google as an entity.
Some of the open source tools available:
- Subfinder: https://github.com/subfinder/subfinder
- Amass: https://github.com/caffix/amass
- Sublist3r: https://github.com/aboul3la/Sublist3r
- Aquatone: https://github.com/michenriksen/aquatone
- Knockpy: https://github.com/guelfoweb/knock
I also like to find subs manually from crt.sh, censys.io, shodan.io, Google certificate transparency, Facebook certificate transparency, and even CSP headers. viewdns.info, dnsdumpster.com and virustotal.com are also helpful and good sources to collect subs.
YouTube: https://youtu.be/McLdm4c1oLs?list=PLIK9nm3mu-S6gCKmlC5CDFhWvbEX9fNW6
Discovering Targets Using ASN (IP Blocks)
- http://bgp.he.net
- https://whois.arin.net/ui/query.do
- https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
- https://reverse.report/
- https://www.shodan.io/search?query=org%3A%22Facebook%22
- https://pentest-tools.com/
- https://virustotal.com/
- https://www.shodan.io/
- https://crt.sh/?q=%25target.com
- https://dnsdumpster.com/
- https://censys.io
- http://dnsgoodies.com
Brand Discovery: Acquisitions
Time to increase the scope with parent and child organisations, or acquisitions by the main company.
1. Crunchbase: https://www.crunchbase.com/search/acquisitions
2. Trademark search in Google: "Facebook Inc © 2020" "Facebook Inc © 2019" "Facebook Inc © 2018" inurl:facebook
3. Reverse whois (my favorite)
Let’s start by checking the whois result of facebook.com
As you can see, the Tech Organisation is Facebook, Inc and the Tech Email is domain@fb.com. Reverse whois sources:
1. Viewdns.info
2. https://github.com/vysecurity/DomLink
3. WhoisXMLAPI (my favourite)
Limited Results with viewdns.info
3441 results with https://tools.whoisxmlapi.com/
Subdomain using some more ways
- RAPID7 SONAR: curl -s https://scans.io/data/rapid7/sonar.fdns_v2/20170417-json.gz | pigz -dc | grep -F '.icann.org' | jq
- DNSRECON: python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
- ALTDNS: python altdns.py -i icann.domains -o data_output -w icann.words -r -s results_output.txt
- DIG (AXFR zone transfer):
dig +multi AXFR @ns1.insecuredns.com insecuredns.com
- DNSSEC:
dig +multi +dnssec A paypal.com
dig +dnssec @ns1.insecuredns.com firewall.insecuredns.com
- Zone walking NSEC with LDNS:
ldns-walk @name_server domain_name
- ZONE WALKING NSEC with DIG: You can list all the subdomains by following the linked list of NSEC records of existing names.
dig +short NSEC api.tesla.com
dig +short NSEC apm.tesla.com
- MASSDNS: ./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt
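The NSEC walk described above, as an added example that is not part of the original post: each NSEC answer names the next owner in the zone, so starting at the apex and following the chain until it points back to the apex enumerates every signed name. The answers below are constructed to look like `dig +short NSEC` output for the placeholder zone evilcorp.com; `NSEC_ANSWERS` and `walk_nsec` are assumptions of this example.

```python
ZONE = "evilcorp.com"

# Constructed 'dig +short NSEC <name>' answers for a zone signed with NSEC.
# Each answer is '<next owner> <type bitmap>'; the last name points back at
# the apex, which closes the chain.
NSEC_ANSWERS = {
    "evilcorp.com":      "api.evilcorp.com. A NS SOA RRSIG NSEC DNSKEY",
    "api.evilcorp.com":  "apm.evilcorp.com. A RRSIG NSEC",
    "apm.evilcorp.com":  "mail.evilcorp.com. A AAAA RRSIG NSEC",
    "mail.evilcorp.com": "www.evilcorp.com. A MX RRSIG NSEC",
    "www.evilcorp.com":  "evilcorp.com. CNAME RRSIG NSEC",
}


def walk_nsec(zone, lookup, max_steps=10000):
    """Follow the NSEC chain from the apex and return every owner name.

    lookup(name) returns the dig-style short answer for the NSEC record of
    name, or None when the server gives no NSEC (unsigned zone, or NSEC3,
    which hashes owner names and cannot be walked this way). The walk stops
    when the chain returns to the apex, when a name repeats (broken chain),
    or after max_steps as a safety cap.
    """
    zone = zone.lower().rstrip(".")
    names, current = [], zone
    for _ in range(max_steps):
        answer = lookup(current)
        if not answer:
            break                          # no NSEC record: cannot continue
        next_name = answer.split()[0].lower().rstrip(".")
        names.append(current)
        if next_name == zone or next_name in names:
            break                          # chain closed (or looped)
        current = next_name
    return names


if __name__ == "__main__":
    for name in walk_nsec(ZONE, NSEC_ANSWERS.get):
        print(name)
```

With real data the lookup would wrap a `dig +short NSEC` call; zones signed with NSEC3 return no walkable chain, which is why the function treats a missing answer as the end of the walk.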
- FINDOMAIN:
wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
chmod +x findomain-linux
./findomain-linux -t example.com
- ASSETFINDER: find domains and subdomains potentially related to a given domain. git clone https://github.com/tomnomnom/assetfinder
- ASSETS FROM SPF: https://github.com/0xbharath/assets-from-spf/
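What the SPF approach above extracts, as an added example that is not the assets-from-spf project's own code: an SPF TXT record lists the hosts and netblocks allowed to send mail for a domain, so each mechanism (a, mx, include, exists, ip4, ip6) and the redirect modifier points at an asset. The record below is constructed for the placeholder domain evilcorp.com; `SPF_RECORD` and `assets_from_spf` are assumptions of this example.

```python
import ipaddress
import re

# Constructed SPF record for the guide's placeholder domain evilcorp.com.
SPF_RECORD = (
    "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 "
    "a:mail.evilcorp.com mx include:_spf.mailvendor.example "
    "exists:%{i}._spf.evilcorp.com redirect=_spf.corp.evilcorp.com -all"
)


def assets_from_spf(domain, record):
    """Split an SPF TXT record into the hosts and netblocks it authorises.

    Returns a dict with sorted, de-duplicated 'hosts' and 'networks'.
    Mechanisms may carry a leading qualifier (+ - ~ ?), which is dropped;
    'a' and 'mx' without an explicit domain refer to the record's owner.
    """
    hosts, networks = set(), set()
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        term = term.lstrip("+-~?")           # qualifier does not change the asset
        if term == "all":
            continue
        if "=" in term:                      # modifiers: redirect=, exp=
            name, _, value = term.partition("=")
            if name in ("redirect", "exp"):
                hosts.add(value.lower())
            continue
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            try:
                networks.add(str(ipaddress.ip_network(value, strict=False)))
            except ValueError:
                pass                         # malformed literal: skip, do not crash
        elif mech in ("a", "mx", "include", "exists", "ptr"):
            # 'a:host/24' style CIDR suffixes are stripped; macros such as
            # %{i} expand per query, so only the static tail is kept.
            target = (value or domain).split("/")[0]
            target = re.sub(r"^(%\{[^}]*\}\.)+", "", target)
            if target:
                hosts.add(target.lower())
    return {"hosts": sorted(hosts), "networks": sorted(networks)}


if __name__ == "__main__":
    print(assets_from_spf("evilcorp.com", SPF_RECORD))
```

Each host in the result is itself a candidate for a recursive SPF lookup (include and redirect chains often lead to further in-scope infrastructure).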
- Get the ASN (Autonomous System Number): on http://bgp.he.net, search for e.g. tesla.com and check Prefixes v4 to get the IP ranges.
$ curl -s http://ip-api.com/json/192.30.253.113 | jq -r .as
AS36459 GitHub, Inc.
$ whois -h whois.radb.net -- '-i origin AS36459' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq
- NMAP: find domains and subdomains using the ASN: nmap --script targets-asn --script-args targets-asn.asn=17012 > paypal.txt
- CERTSPOTTER: based on certificate enumeration. https://certspotter.com/api/v0/certs?domain=hackerone.com
Quick script: find-cert() { curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq -c '.[].dns_names' | grep -o '"[^"]\+"'; }
- SUBLERT: a tool that leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and the TLS/SSL certificates issued to them.
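The certificate-transparency step above, as an added example that is not part of the original post: the quick script greps quoted strings out of `.[].dns_names`, which also returns wildcard entries, mixed-case duplicates and unrelated names that happen to share a certificate. The function below parses the JSON instead and normalises the names; the response body is constructed in the shape the quick script reads (an array of objects with a `dns_names` list), and `CT_RESPONSE` and `ct_subdomains` are assumptions of this example.

```python
import json

TARGET = "evilcorp.com"

# Constructed response in the shape the guide's quick script reads
# ('.[].dns_names'): one object per certificate, each listing its SANs.
CT_RESPONSE = json.dumps([
    {"dns_names": ["evilcorp.com", "www.evilcorp.com"]},
    {"dns_names": ["*.beta.evilcorp.com", "Beta.EvilCorp.com"]},
    {"dns_names": ["api.evilcorp.com", "api.evilcorp.com"]},
    {"dns_names": ["notevilcorp.com", "evilcorp.com.other.example"]},
    {"dns_names": ["mail.evilcorp.com."]},
    {"not_before": "2020-01-01T00:00:00Z"},      # certificate without SANs
])


def ct_subdomains(domain, body):
    """Return sorted in-scope hostnames from a CT certificate list.

    - dns_names are case-insensitive, so they are lower-cased.
    - '*.x' only proves that 'x' exists, so the wildcard label is dropped.
    - Trailing dots are stripped so 'a.example.' and 'a.example' merge.
    - Only the apex and names ending in '.<domain>' are in scope; a plain
      substring match would also accept notevilcorp.com or
      evilcorp.com.other.example.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for cert in json.loads(body):
        for name in cert.get("dns_names", []):
            name = name.lower().rstrip(".")
            while name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in ct_subdomains(TARGET, CT_RESPONSE):
        print(host)
```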
- Wayback enumeration → waybackurls
python waybackurls.py --help
./waybackunifier --help
- archive.org
Subdomain using JS files
- Parsing JavaScript: parsing JS files is very useful for finding the directories used by the target, and can be used instead of brute-forcing subs.
- JSParser: run handler.py and then visit http://localhost:8008
- LinkFinder: python linkfinder.py -i https://example.com/1.js -o results.html
Subdomain using Github
Github Recon to find juicy subs about the target
- Gitrob: ./gitrob google (to see the results, open localhost:9393 in your browser)
- Trufflehog: trufflehog https://github.com/SeppPenner/postgres.git
- Manual: https://github.com/techgaun/github-dorks and https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
About Me
- Ethical Hacker & Cyber Security Consultant
- Founder of Hacktify Cyber Security (www.hacktify.in)
- Author of Website Pentesting & Bug Bounty Hunting Course on Udemy :- https://www.udemy.com/course/website-hackingpenetration-testing-bug-bounty-hunting-live-attacks/?referralCode=DD93379953A1FC8EC312
Rohit Gautam
Linkedin: @iamrohitg
Email — thesrsecure@gmail[dot]com
References:
• Jason Haddix — Shot the Web, Bug Hunters Methodology
• Twitter — @zseano @hackerone @stokfredrik @bugcrowd @intigriti
• #bugbountytips #infosecwriteups #bugbountytricks
• Extensively from Tweets, Write ups, Blogs, Github and Internet
• A lot of Contributors of InfoSec Community
🧑🏻🏫 💥Stay Tuned and follow us for more:💥🧑🏻🏫
🧑🏻💻 Cyber Security School : https://learn.hacktify.in
🔗 Udemy: https://www.udemy.com/user/rohit-gautam-38/
🧑🏻🏫 Live Trainings: https://hacktify.in/#live_training-slider
🔐Github: https://github.com/shifa123
📌 Youtube : https://www.youtube.com/channel/UCS82DNnKOhXHcGKxGzQvNSQ
💬 Linkedin: https://www.linkedin.com/company/hacktifycs