Subdomains enumeration
Theory
When conducting penetration tests on a website, or on a *.domain.com
scope, finding subdomains of the target can help widen the attack surface. There are many different techniques to find subdomains that can be divided in two main categories.
Practice
Passive enumeration
Passive enumeration is the process of collecting information about a specific target from publicly available sources that can be accessed by anyone. Attackers don't connect directly to the target systems and stay under the radar.
Subfinder is a fast passive subdomain enumeration tool wich rely on multiple OSINT techniques like Certificate Transparency logs enumeration.
Virtual host fuzzing
A web server can host multiple websites for multiple domain names (websites). In order to choose what website to show for what domain, many use what is called "virtual hosting". Virtual hosting can be based on a name, an IP, or a port (read more).
When having a domain name as scope, operating virtual host (a.k.a. vhost) fuzzing is recommended to possibly find alternate domain names of subdomains that point to a virtual host.
Gobuster (go) can be used to do virtual host bruteforcing
Google & Bing Dorks
Search engines like Google and Bing offer Dorking features that can be used to gather specific information.
pageGoogle DorksDNS Enumeration
We may try to enumerate DNS informations.
pageDNS EnumerationLast updated