Nytro Posted April 22, 2018

Subdomain enumeration
April 21, 2018

A friend recently asked me what methods I use to find subdomains. To be honest I was confused, like “oooohhh so much, brute force mmm… zone transfer and… brute for… wait Google and mmm… many other tools!” What a shame that I was so inaccurate after so much time spent looking for subdomains. Time to dig a little bit!

After I wrote a list of the most popular methods, I tried to make a list of some tools and online resources to exploit them. Of course this list is far from exhaustive, there is new stuff every day, but it’s still a good start.

Methods

Brute force
The easiest way. Try millions and millions of words as subdomains and check which ones are alive with a forward DNS request.

Zone transfer aka AXFR
Zone transfer is a mechanism that administrators can use to replicate DNS databases, but sometimes the DNS server is not well configured and this operation is allowed for anyone, revealing all configured subdomains.

DNS cache snooping
DNS cache snooping is a specific way to query a DNS server in order to check if a record exists in its cache.

Reverse DNS
Try to find the domain name associated with an IP address; it’s the opposite of forward DNS.

Alternative names
Once the first round of your recon is finished, apply permutations and transformations (based on another wordlist maybe?) to all subdomains discovered in order to find new ones.

Online DNS tools
There are many websites that allow you to query DNS databases and their history.

SSL Certificates
Request information about all certificates linked to a specific domain, and obtain a list of subdomains covered by these certificates.

Search engines
Search for a specific domain in your favourite search engine, then subtract the discovered subdomains one by one: site:example.com -www -dev

Technical tools/search engines
More and more companies host their code online on public platforms; most of the time these services have a search bar.
Text parsing
Parse the HTML code of a website to find new subdomains; this can be applied to every resource of the company, office documents as well.

VHost discovery
Try to find any other subdomain configured on the same web server by brute forcing the Host header.

Tools

Altdns: alternative names brute forcing
Amass: brute force, Google, VirusTotal, alt names
aquatone-discover: brute force, Riddler, PassiveTotal, Threat Crowd, Google, VirusTotal, Shodan, SSL Certificates, Netcraft, HackerTarget, DNSDB
BiLE-suite: HTML parsing, alt names, reverse DNS
blacksheepwall: AXFR, brute force, reverse DNS, Censys, Yandex, Bing, Shodan, Logontube, SSL Certificates, VirusTotal
Bluto: AXFR, Netcraft, brute force
brutesubs: enumall, Sublist3r, Altdns
cloudflare_enum: Cloudflare DNS
CTFR: SSL Certificates
DNS-Discovery: brute force
DNS Parallel Prober: DNS resolver
dnscan: AXFR, brute force
dnsrecon: AXFR, brute force, reverse DNS, cache snooping, Google
dnssearch: brute force
domained: Sublist3r, enumall, Knockpy, SubBrute, MassDNS, recon-ng
enumall: recon-ng -> Google, Bing, Baidu, Netcraft, brute force
Fierce: AXFR, brute force, reverse DNS
Knockpy: AXFR, VirusTotal, brute force
MassDNS: DNS resolver
Second Order: HTML parsing
Sonar: AXFR, brute force
SubBrute: brute force
Sublist3r: Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
theHarvester: reverse DNS, brute force, Google, Bing, Dogpile, Yahoo, Baidu, Shodan, Exalead
TXDNS: alt names (typo/tld)
vhost-brute: vhost discovery
VHostScan: vhost discovery
virtual-host-discovery: vhost discovery

Online DNS tools

https://hackertarget.com/
http://searchdns.netcraft.com/
https://dnsdumpster.com/
https://www.threatcrowd.org/
https://riddler.io/
https://api.passivetotal.org
https://www.censys.io
https://api.shodan.io
http://www.dnsdb.org/f/
https://www.dnsdb.info/
https://scans.io/
https://findsubdomains.com/
https://securitytrails.com/dns-trails
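The "Text parsing" and "Alternative names" methods described above, as an added example that is not part of the original article or of any tool it lists. It takes a constructed HTML page (all hostnames invented), pulls out every host under the apex domain without being fooled by look-alikes such as example.com.evil.test or notexample.com, and then derives candidate names from what was found, which is the same thing a defender does when inventorying their own domain before an attacker does. The environment word list and the three transformations are my own choices, not Altdns's.

```python
import re
from typing import Iterable, List, Set

# Constructed sample page body, standing in for HTML fetched from a site
# (hostnames invented; includes two out-of-scope look-alikes on purpose).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.com/css/site.css">
<script src="//cdn.Example.com/app.js"></script>
</head><body>
<a href="https://api.example.com/v1/">API</a>
<a href="http://notexample.com/">unrelated</a>
<a href="https://example.com.evil.test/">lookalike</a>
<img src="https://img.dev-01.example.com/logo.png">
<!-- contact: ops@mail.example.com -->
</body></html>
"""

# Assumed environment words for the swap transformation (not from the article).
ENV_WORDS = ("dev", "staging", "prod", "test", "uat")


def extract_subdomains(text: str, domain: str) -> Set[str]:
    """Return every hostname below `domain` that occurs in `text`, lowercased.

    A match must start where no hostname character precedes it and must end
    where none follows, so "example.com.evil.test" and "notexample.com" are
    rejected while "cdn.Example.com" is accepted and normalised.
    """
    apex = re.escape(domain.lower())
    pattern = re.compile(
        r"(?<![a-z0-9.-])"                                      # start of a host
        r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+" + apex + r")"
        r"(?![a-z0-9.-])",                                      # nothing host-like after
        re.IGNORECASE,
    )
    return {m.group(1).lower() for m in pattern.finditer(text)}


def split_host(host: str, domain: str) -> List[str]:
    """Labels of `host` sitting below the apex; [] for the apex itself."""
    host, domain = host.lower().rstrip("."), domain.lower()
    if host == domain:
        return []
    if not host.endswith("." + domain):
        raise ValueError(f"{host} is not under {domain}")
    return host[: -len(domain) - 1].split(".")


def alternative_names(discovered: Iterable[str], domain: str, words: Iterable[str],
                      env_words: Iterable[str] = ENV_WORDS) -> List[str]:
    """Derive candidate names from known hosts ("Alternative names" method).

    Applied to the label directly below the apex: a word inserted as a new
    label or a dash-joined prefix/suffix, an environment word swapped for its
    siblings, and a trailing number stepped down and up. Known hosts are
    removed so only names still to be resolved remain.
    """
    known = {h.lower().rstrip(".") for h in discovered}
    words = [w.lower() for w in words]
    env_words = [e.lower() for e in env_words]
    candidates: Set[str] = set()
    for host in known:
        labels = split_host(host, domain)
        if not labels:
            continue
        first, tail = labels[0], ".".join(labels[1:] + [domain.lower()])
        for w in words:
            candidates.add(f"{w}.{host}")
            candidates.add(f"{w}-{first}.{tail}")
            candidates.add(f"{first}-{w}.{tail}")
        parts = first.split("-")
        for i, part in enumerate(parts):
            if part in env_words:
                for env in env_words:
                    candidates.add("-".join(parts[:i] + [env] + parts[i + 1:]) + "." + tail)
        m = re.fullmatch(r"(.*?)(\d+)", first)
        if m:
            stem, num = m.groups()
            for n in (int(num) - 1, int(num) + 1):
                if n >= 0:
                    candidates.add(f"{stem}{n:0{len(num)}d}.{tail}")
    return sorted(candidates - known)


if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_HTML, "example.com")
    for h in sorted(found):
        print("found    ", h)
    for h in alternative_names(found, "example.com", ["admin", "staging"]):
        print("candidate", h)
```

The candidates are only names to feed into a forward resolver afterwards; nothing here talks to the network, and the regex deliberately requires a full label boundary on both sides because naive substring matching on "example.com" is the usual source of false positives in scraped inventories.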
SSL Certificates

https://crt.sh/
https://certspotter.com/api/v0/certs?domain=example.com
https://transparencyreport.google.com/https/certificates
https://developers.facebook.com/tools/ct

Search engines

http://www.baidu.com/
http://www.yahoo.com/
http://www.google.com/
http://www.bing.com/
https://www.yandex.ru/
https://www.exalead.com/search/
http://www.dogpile.com/
https://www.zoomeye.org/
https://fofa.so/

Technical tools/search engines

https://github.com/
https://gitlab.com/
https://www.virustotal.com/fr/

DNS cache snooping

nslookup -norecursive domain.com

nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={domain1,domain2,domain3}' <ip>

Other online resources

https://ask.fm/
http://logontube.com/
http://commoncrawl.org/
http://www.sitedossier.com/

Source: http://10degres.net/subdomain-enumeration/
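What the DNS cache snooping commands above actually send on the wire, as an added example that is not part of the original article: a query with the RD (recursion desired) bit cleared, which is what `nslookup -norecursive` does, and the two kinds of reply a resolver gives back to it. The packets are built and parsed by hand with only the standard library, and the "cached" / "not-cached" responses are constructed here (hostname and address invented) rather than captured. From the defender's side the same header check tells you whether your own resolver answers non-recursive queries from outside its intended client set, which is the exposure this method relies on.

```python
import struct
from typing import Dict


def encode_name(name: str) -> bytes:
    """Wire-format a hostname: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False,
                qtype: int = 1) -> bytes:
    """Build a DNS query (class IN). RD cleared is what -norecursive sends."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into the fields cache snooping relies on."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response
        "rd": bool(flags & 0x0100),      # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_snoop_response(query: bytes, response: bytes) -> str:
    """With RD=0 the server may only answer from cache, so an answer section
    means the record was cached; no answer means it was not (or the server
    refuses non-recursive queries, which shows up as an rcode)."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"
    if r["rcode"] != 0:
        return "error"
    return "cached" if r["ancount"] > 0 else "not-cached"


# Constructed replies to QUERY as a resolver would send them: QR=1, RD echoed
# as 0, RA=1 (flags 0x8080). The cached one carries a single A record whose
# name is a compression pointer (0xC00C) back to the question.
QUERY = build_query("www.example.com")
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
CACHED = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + QUESTION
          + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
NOT_CACHED = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("query flags rd =", parse_header(QUERY)["rd"])
    print("cached reply   ->", classify_snoop_response(QUERY, CACHED))
    print("uncached reply ->", classify_snoop_response(QUERY, NOT_CACHED))
```

The nmap script's `timed` mode in the article uses the same idea but measures answer latency instead of the answer count; the header fields above are what both variants have to read. A resolver configured to refuse non-recursive queries from untrusted clients answers with a non-zero rcode, which is the "error" branch here.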