Subdomain enumeration

A friend recently asked me what methods I use to find subdomains. To be honest I was confused, like “oooohhh so much, brute force mmm… zone transfer and… brute for… wait Google and mmm… many other tools!” What a shame that I was so inaccurate after so much time spent to look for subdomains. Time to dig a little bit! After I wrote a list of the most popular methods, I tried to make a list of some tools and online resources to exploit them. Of course this list is far from exhaustive, there are many new stuff every day, but it’s still a good start :)

Methods

Brute force
The easiest way. Try millions and millions words as subdomains and check which ones are alive with a forward DNS request.

Zone transfer aka AXFR
Zone transfer is a mechanism that administrators can use to replicate DNS databases but sometimes the DNS is not well configured and this operation is allowed by anyone, revealing all subdomains configured.

DNS cache snooping
DNS cache snooping is a specific way to query a DNS server in order to check if a record exists in his cache.

Reverse DNS
Try to find the domain name associated with an IP address, it’s the opposite of Forward DNS.

Alternative names
Once the first round of your recon is finished, apply permutations and transformations (based on another wordlist maybe?) to all subdomains discovered in order to find new ones.

Online DNS tools
There are many websites that allow to query DNS databases and their history.

SSL Certificates
Request informations about all certificates linked to a specific domain, and obtain a list of subdomains covered by these certificates.

Search engines
Search for a specific domain in your favourite search engine then minus the discovered sudomains one by one site:example.com -www -dev

Technical tools/search engines
More and more companies host their code online on public platform, most of the time these services have a search bar.

Text parsing
Parse the HTML code of a website to find new subdomains, this can be applied to every resources of the company, office documents as well.

VHost discovery
Try to find any other subdomain configured on the same web server by brute forcing the HTTP Host header.

Exotic stuff
HTTP headers like Content-Security-Policy.
Sender Policy Framework records.
Zone walking.

Tools

Altdns: alternative names brute forcing
Amass: brute force, Google, VirusTotal, alt names
aquatone-discover: Brute force, Riddler, PassiveTotal, Threat Crowd, Google, VirusTotal, Shodan, SSL Certificates, Netcraft, HackerTarget, DNSDB
BiLE-suite: HTML parsing, alt names, reverse DNS
blacksheepwall: AXFR, brute force, reverse DNS, Censys, Yandex, Bing, Shodan, Logontube, SSL Certificates, Virus Total
Bluto: AXFR, netcraft, brute force
brutesubs: enumall, Sublist3r, Altdns
cloudflare_enum: Cloudflare DNS
CTFR: SSL Certificates
DNS-Discovery: brute force
DNS Parallel Prober: DNS resolver
dnscan: AXFR, brute force
dnsrecon: AXFR, zone walking, brute force, reverse DNS, snoop caching, Google
dnssearch: brute force
domained: Sublist3r, enumall, Knockpy, SubBrute, MassDNS, recon-ng
enumall: recon-ng -> Google, Bing, Baidu, Netcraft, brute force
Fierce: AXFR, brute force, reverse DNS
Knockpy: AXFR, virustotal, brute force
ldns-walk: zone walking (part of package ldnsutils)
MassDNS: DNS resolver
Second Order: HTML parsing
Sonar: AXFR, brute force
SubBrute: brute force
Sublist3r: Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
theHarvester: reverse DNS, brute force, Google, Bing, Dogpile, Yahoo, Baidu, Shodan, Exalead
TXDNS: alt names (typo/tld)
vhost-brute: vhost discovery
VHostScan: vhost discovery
virtual-host-discovery: vhost discovery

Online DNS tools

https://hackertarget.com/
http://searchdns.netcraft.com/
https://dnsdumpster.com/
https://www.threatcrowd.org/
https://riddler.io/
https://api.passivetotal.org
https://www.censys.io
https://api.shodan.io
http://www.dnsdb.org/f/
https://www.dnsdb.info/
https://scans.io/
https://findsubdomains.com/
https://securitytrails.com/dns-trails

https://crt.sh/
https://certspotter.com/api/v0/certs?domain=example.com
https://transparencyreport.google.com/https/certificates
https://developers.facebook.com/tools/ct

Search engines

http://www.baidu.com/
http://www.yahoo.com/
http://www.google.com/
http://www.bing.com/
https://www.yandex.ru/
https://www.exalead.com/search/
http://www.dogpile.com/
https://www.zoomeye.org/
https://fofa.so/

Technical tools/search engines

https://github.com/
https://gitlab.com/
https://www.virustotal.com/fr/

DNS cache snooping

nslookup -norecursive domain.com
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={domain1,domain2,domain3}' <ip>

Others online resources

https://ask.fm/
http://logontube.com/
http://commoncrawl.org/
http://www.sitedossier.com/

Bug Bounty Cons

This article is the following of the previous one (obviously...) about [why I love bug bounty](http://10degres.net/why-bugbounty/).Howeve...… Continue reading

« Find vulnerabilities in Flash SWF

Published on May 17, 2018

Why Bug Bounty »

Published on March 29, 2018