The complete subdomain Enumeration Guide

Hello Everyone, as we know Information gathering or sometimes also known as Reconnaissance or simply recon is the first and foremost step of your Pentesting or Bug Hunting Journey.

It is wisely said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”.

Enumerating the scope of a program which we will refer to evilcorp.com from now is very important. If you increase the scope the chances are that your success rate in finding critical bugs will increase as subdomains are the ones which are generally not protected by developers or not tested by security researchers.

TL,DR

Enough of talking, Let’s start!

The complete subdomain Enumeration Guide

What is a subdomain? Sub-domain as can be seen in the figure is the a subdivision of a domain.

Eg :- beta.evilcorp.com

The complete subdomain Enumeration Guide

There is something also known as sub-sub domain. Which is basically Vertical Co-relation of Domain and Acquisitions known as Horizontal Domain Co-relation

Vertical Domain Co-relation : all the subdomain of a domain of google.com (maps.google.com) → Any subdomain of a particular base domain

Horizontal Domain Co-relation : Acquisitions of , google.cz, youtube.com, blogger.com → anything that is acquired by Google as entity.

Some of open source Tools available

Subfinder- https://github.com/subfinder/subfinder Amass — https://github.com/caffix/amass Sublister — https://github.com/aboul3la/Sublist3r Aquatone — https://github.com/michenriksen/aquatone Knockpy — https://github.com/guelfoweb/knock

I also like to find the subs manually from crt.sh, censys.io, shodan.io, google certificate transparency, facebook certificate transparency, and even CSP header etc. viewsdns.info , dnsdumpster.com and virustotal.com is also helpful and good source to collect subs.

Youtube : https://youtu.be/McLdm4c1oLs?list=PLIK9nm3mu-S6gCKmlC5CDFhWvbEX9fNW6

Discovering Target Using ASN (IP Blocks)

http://bgp.he.net
https://whois.arin.net/ui/query.do
https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
https://reverse.report/ https://www.shodan.io/searchquery=org%3A%22Facebook%22
https://pentest-tools.com/
https://virustotal.com/
https://www.shodan.io/
https://crt.sh/?q=%25target.com
https://dnsdumpster.com/
https://censys.io
http://dnsgoodies.com

Brand Discovery Acquisitions

Time to increase the scope with parent and child organisations, or acquisitions by the main company.

1. https://www.crunchbase.com/search/acquisitions
   Trademark In Google: ” “Facebook Inc © 2020” “Facebook Inc © 2019” “Facebook Inc © 2018” inurl:facebook
   3. Reverse whois. (my favorite)

Brand Discovery Acquisitions

Let’s start by checking the whois result of facebook.com

Brand Discovery Acquisitions

As you can notice the Tech Organisation is Facebook, Inc Tech Email — domain@fb.com
1. Viewdns.info
2. https://github.com/vysecurity/DomLink
3. WhoisXMLAPI (my favourite)

Brand Discovery Acquisitions

Brand Discovery Acquisitions

Limited Results with viewdns.info

Brand Discovery Acquisitions

3441Results with https://tools.whoisxmlapi.com/

Subdomain using some more ways

• RAPID7 SONAR: curl -silent https://scans.io/data/rapid7/sonar.fdns_v2/20170417-json.gz | pigz -dc | grep “.icann.org” | jq
  • DNSRECON: python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
  • ALTDNS: python altdns.py -i icann.domains -o data_output -w icann.words -r -s results_output.txt

Subdomain using some more ways

• DIG:
  dig +multi AXFR @ns1.insecuredns.com insecuredns.com
  •DNSSEC:
  dig +multi +dnssec A paypal.com dig +dnssec @ns1.insecuredns.com firewall.insecuredns.com
  • Zone walking NSEC — LDNS
  root@rohit:~ ldns-walk @name_server domain_name

Subdomain using some more ways

• ZONE WALKING NSEC DIG: You can list all the sub-domains by following the linked list of NSEC records of existing domains.
  $ dig +short NSEC api.tesla.com $ dig +short NSEC apm.tesla.com
  • MASSDNS: root@rohit:~./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt

Subdomain using some more ways

• FIND DOMAIN: $ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux $ chmod +x findomain-linux $ findomain -t example.com
  ASSET FINDER: Find domains and subdomains potentially related to a given domain. root@rohit:~git clone https://github.com/tomnomnom/assetfinder
  • ASSETS FROM SPF : https://github.com/0xbharath/assets-from-spf/

Subdomain using some more ways

Get ASN Number: Autonomous System Number (ASN) -> http://bgp.he.net -> check for example tesla.com and checkin Prefixes V4 to get the IP range

$ curl -s http://ip-api.com/json/192.30.253.113 | jq -r .as

AS36459 GitHub, Inc.
$ whois -h whois.radb.net — ‘-i origin AS36459’ | grep -Eo “([0–9.]+){4}/[0–9]+” | uniq

• NMAP : Find domains and subdomains potentially Using ASN $ nmap — script targets-asn — script-args targets-asn.asn=17012 > paypal.txt

Subdomain using some more ways

• CERTSPOTTER: Based on certificate enumeration. https://certspotter.com/api/v0/certs?domain=hackerone.com

Quick Script :- find-cert() { curl -s https://certspotter.com/api/v0/certs?domain=$1 | jq -c ‘.[].dns_names’ | grep -o ‘“[^”\+”’; }

• SUBLERT: This tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate

Subdomain using some more ways

• Wayback Enumeration → waybackurl
  python waybackurls.py — help
  ./waybackunifier — help
  • archive.org

Subdomain using JS files

• Parsing JavaScript : Parsing JS is very useful to find the directories which is used by the target. We can use it instead of brute-forcing subs. • Jsparser Run handler.py and then visit http://localhost:8008 python linkfinder.py -i https://example.com/1.js-o results.html

Subdomain using Github

Github Recon to find juicy subs about the target
• Gitrob ./gitrob google To see the result go to browser and type localhost:9393
• Trufflehog trufflehog https://github.com/SeppPenner/postgres.git
• Manual : https://github.com/techgaun/github-dorks https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

About Me

• Ethical Hacker & Cyber Security Consultant
• Founder of Hacktify Cyber Security (www.hacktify.in)
• Author of Website Pentesting & Bug Bounty Hunting Course on Udemy :- https://www.udemy.com/course/website-hackingpenetration-testing-bug-bounty-hunting-live-attacks/?referralCode=DD93379953A1FC8EC312

Rohit Gautam

Linkedin: @iamrohitg
Email — thesrsecure@gmail[dot]com

References :
• Jason Haddix — Shot the Web, Bug Hunters Methodology
• Twitter — @zseano @hackerone @stokfredrik @bugcrowd @intigriti
• #bugbountytips #infosecwriteups #bugbountytricks
• Extensively from Tweets, Write ups, Blogs, Github and Internet
• A lot of Contributors of InfoSec Community

🧑🏻‍🏫 💥Stay Tuned and follow us for more:💥🧑🏻‍🏫

🧑🏻‍💻 Cyber Security School : https://learn.hacktify.in
🔗 Udemy: https://www.udemy.com/user/rohit-gautam-38/
🧑🏻‍🏫 Live Trainings: https://hacktify.in/#live_training-slider
🔐Github: https://github.com/shifa123
📌 Youtube : https://www.youtube.com/channel/UCS82DNnKOhXHcGKxGzQvNSQ
💬 Linkedin: https://www.linkedin.com/company/hacktifycs