Subdomains enumeration

Theory

When conducting penetration tests on a website, or on a *.domain.com scope, finding subdomains of the target can help widen the attack surface. There are many different techniques to find subdomains that can be divided in two main categories.

Practice

Passive enumeration

Passive enumeration is the process of collecting information about a specific target from publicly available sources that can be accessed by anyone. Attackers don't connect directly to the target systems and stay under the radar.

Here are some handy one-liners to automate subdomains enumeration using tools like subfinder and assetfinder.

It may be usefull for bug bounty hunting

echo 'target.com'|(subfinder -all||assetfinder -subs-only)|uniq -u > domains.txt

Subfinder is a fast passive subdomain enumeration tool wich rely on multiple OSINT techniques like Certificate Transparency logs enumeration.

To set API keys, add them to $HOME/.config/subfinder/provider-config.yaml. See the ProjectDiscovery's Documentation for details.

# Subfinder One-Liner
subfinder -d target.domain -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > domains.txt ; rm tmp.txt

# Standard enumeration with subfinder
subfinder -d "target.domain"

# Pipe subfinder with httpx to find HTTP services
echo "target.domain" | subfinder -silent | httpx -silent

OWASP's Amass (Go) tool can gather information through DNS bruteforcing, DNS sweeping, NSED zone walking, DNS zone transfer, through web archives, through online DNS datasets and aggregators APIs, etc. But we can use it to only do passive enumeration

amass enum --passive -d "domain.com"

We may use crt.sh and curl to find subdomains

curl -s 'https://crt.sh/?q=<TARGET.URL>&output=json'|jq

Virtual host fuzzing

A web server can host multiple websites for multiple domain names (websites). In order to choose what website to show for what domain, many use what is called "virtual hosting". Virtual hosting can be based on a name, an IP, or a port (read more).

When having a domain name as scope, operating virtual host (a.k.a. vhost) fuzzing is recommended to possibly find alternate domain names of subdomains that point to a virtual host.

Gobuster (go) can be used to do virtual host bruteforcing

gobuster vhost --useragent "PENTEST" --wordlist "/path/to/wordlist.txt" --url http://$BASE_DOMAIN/ --append-domain

ffuf (go) can also be used to do virtual host bruteforcing

ffuf -H "Host: FUZZ.$DOMAIN" -H "User-Agent: PENTEST" -c -w "/path/to/wordlist.txt" -u $URL

Google & Bing Dorks

Search engines like Google and Bing offer Dorking features that can be used to gather specific information.

Google Dorks

DNS Enumeration

We may try to enumerate DNS informations.

DNS Enumeration

Last updated 2 months ago