Discovering Hidden Subdomains: Tools, Techniques


BootstrapSecurity

Subdomain enumeration is a critical aspect of web application penetration testing. While many subdomains are public-facing and easy to discover, others remain hidden — posing significant security risks if left unchecked. For ethical hackers and bug bounty hunters, uncovering these hidden subdomains can lead to critical vulnerabilities, including misconfigurations, outdated services, or sensitive data exposure.

In this blog, we will explore the practical techniques and tools for discovering hidden subdomains, equipping you with the knowledge to find security weaknesses in web applications and networks.

Subdomains can often provide additional attack surfaces that are not as carefully monitored or secured as the primary domain. By discovering hidden subdomains, penetration testers can:

Find vulnerable services: Services running on subdomains may be misconfigured or outdated.
Access sensitive data: Hidden subdomains may have exposed sensitive information that could be leveraged in further attacks.
Bypass security measures: Subdomains might bypass security measures such as firewalls or access controls, offering attackers an easier entry point.

Before jumping into tools, it’s important to understand the techniques used to uncover hidden subdomains. Here’s how you can approach subdomain discovery:

DNS Zone Transfers

A DNS zone transfer can sometimes be used to retrieve a full list of subdomains associated with a domain. Misconfigured DNS servers may allow unauthorized users to request the entire zone file, exposing subdomain details.

How to test: Use tools like dig or nslookup to attempt a zone transfer.

dig axfr @dns-server target.com

Brute Force Subdomain Enumeration

This method involves using a dictionary of common subdomain names and attempting to resolve them via DNS queries. This can help uncover hidden subdomains not listed in public records.

How to test: Tools like dnsrecon, sublist3r, or Amass can be used to automate brute-force enumeration. Example with sublist3r (the -b flag enables its brute-force module; without it, sublist3r only queries search engines):

sublist3r -b -d target.com -o subdomains.txt

Google Dorks

Google’s search engine can be used to find subdomains indexed in search results. By using advanced search queries (dorks), you can find pages that may reference hidden subdomains.

Example dork:

site:target.com -www

This search lists pages indexed under the target.com domain, excluding www.

Certificate Transparency Logs

SSL/TLS certificates are often issued for subdomains. By searching through Certificate Transparency (CT) logs, attackers can discover subdomains that have SSL certificates but are not publicly listed.

How to test: Use websites like crt.sh to search for certificates issued to target.com.
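A crt.sh query can return hundreds of certificates, each listing several names, with wildcards, mixed case and duplicates. The following script is an added example, not code from the original post: it parses a constructed sample in crt.sh's JSON output format (an array of objects whose name_value field carries newline-separated SAN entries) into a clean list of hostnames, then shows the defensive use of the same data, diffing the certificate-bearing names against a known asset inventory to surface hosts nobody is tracking.

```python
"""Extract hostnames from Certificate Transparency search results.

Added example, not code from the original post. It assumes crt.sh's JSON
output format (a JSON array of objects whose "name_value" field holds one or
more newline-separated names, one per SAN entry); the records below are
constructed for the demo, not real certificate data.
"""
import json

# Constructed sample in the shape crt.sh returns for a query such as
# https://crt.sh/?q=%25.target.com&output=json (target.com is a placeholder).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "www.target.com\ntarget.com"},
    {"id": 2, "name_value": "*.dev.target.com"},
    {"id": 3, "name_value": "Staging.Target.com\nstaging.target.com"},
    {"id": 4, "name_value": "api.target.com\nold-api.target.com"},
    {"id": 5, "name_value": "www.target.com."},
])


def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot, and strip a leading wildcard label.

    A wildcard certificate still tells you that the parent name exists.
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def hostnames_from_ct(ct_json: str) -> list[str]:
    """Return the sorted set of distinct hostnames named in the CT results."""
    found = set()
    for entry in json.loads(ct_json):
        # One certificate can cover many names (SANs), newline separated.
        for raw in entry.get("name_value", "").split("\n"):
            name = normalize(raw)
            if name:
                found.add(name)
    return sorted(found)


def unexpected_hostnames(ct_json: str, inventory: set[str]) -> list[str]:
    """Hostnames with certificates that the known asset inventory lacks.

    This is the defensive use of CT: a certificate for a host the owner does
    not track usually means a forgotten service or an untracked deployment.
    """
    return [h for h in hostnames_from_ct(ct_json) if h not in inventory]


if __name__ == "__main__":
    known = {"target.com", "www.target.com", "api.target.com"}
    print("in CT logs:", hostnames_from_ct(SAMPLE_CT_JSON))
    print("not in inventory:", unexpected_hostnames(SAMPLE_CT_JSON, known))
```

Run periodically against a live crt.sh response for your own domain, the unexpected_hostnames output is a cheap early-warning list: every name on it is either a missing inventory entry or a host that was stood up without the security team knowing.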

Subdomain Takeover

This technique involves identifying subdomains that are no longer in use or have been abandoned by the target organization. These subdomains may still resolve (typically through a CNAME) to IP addresses or third-party services that can be exploited for malicious purposes, such as hosting malicious content or intercepting traffic.

How to test: Tools like Subjack or Takeover can help identify subdomains vulnerable to takeover. Example with Subjack:

subjack -w subdomains.txt -t 100 -o subdomains_vulnerable_to_takeover.txt
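The DNS condition behind a takeover is a dangling CNAME: a record that still points at a third-party host that no longer exists. The script below is an added example, not code from the original post or from Subjack, showing how an owner can audit their own zone for that condition before an attacker finds it. It resolves names through an injected lookup function fed by a constructed record table so it runs offline; the hostnames are placeholders, and a real run would swap in a DNS resolver.

```python
"""Flag dangling CNAME records, the DNS condition behind subdomain takeover.

Added example, not code from the original post or from Subjack. Lookups go
through an injected function so the check runs offline; the record table is
constructed and every hostname is a placeholder. For live DNS, replace
fake_lookup with a resolver-backed function of the same shape.
"""
from typing import Callable, Optional

# Constructed zone snapshot: name -> (record type, value).
# A missing key stands for NXDOMAIN (the name does not exist at all).
FAKE_DNS = {
    "www.target.com": ("A", "203.0.113.10"),
    "blog.target.com": ("CNAME", "target-blog.example-pages.net"),
    "target-blog.example-pages.net": ("A", "198.51.100.7"),
    "old.target.com": ("CNAME", "retired-app.example-cloud.net"),
    # retired-app.example-cloud.net is deliberately absent: NXDOMAIN.
    "store.target.com": ("CNAME", "shop.target.com"),
    "shop.target.com": ("A", "203.0.113.20"),
}

Lookup = Callable[[str], Optional[tuple[str, str]]]


def fake_lookup(name: str) -> Optional[tuple[str, str]]:
    """Stand-in resolver: (type, value) for a known name, None for NXDOMAIN."""
    return FAKE_DNS.get(name.lower().rstrip("."))


def find_dangling_cnames(names: list[str], lookup: Lookup,
                         max_chain: int = 8) -> list[tuple[str, str]]:
    """Return (subdomain, unresolvable target) pairs.

    A CNAME chain that ends at a name which does not exist is dangling: the
    owner still points at a host they no longer control. Whether it is
    actually claimable depends on the provider, so treat each hit as a record
    to remove or re-point, not as a confirmed takeover.
    """
    dangling = []
    for name in names:
        record = lookup(name)
        if record is None or record[0] != "CNAME":
            continue  # no record, or an address record: nothing to chase
        target = record[1]
        for _ in range(max_chain):  # bound the walk in case of CNAME loops
            next_record = lookup(target)
            if next_record is None:
                dangling.append((name, target))
                break
            if next_record[0] != "CNAME":
                break  # chain ends at a real address record: healthy
            target = next_record[1]
    return dangling


if __name__ == "__main__":
    candidates = ["www.target.com", "blog.target.com", "old.target.com",
                  "store.target.com", "missing.target.com"]
    for host, target in find_dangling_cnames(candidates, fake_lookup):
        print(f"dangling: {host} -> {target} (NXDOMAIN)")
```

The walk follows CNAME chains, so an internal alias that eventually lands on an address record is reported as healthy, while a chain that dead-ends in NXDOMAIN is reported once, with the name that failed to resolve. The mitigation is the same in every case: delete the stale record or re-point it before the service is decommissioned.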

There are several tools that can automate subdomain discovery. Let’s explore the most effective ones for penetration testers and bug bounty hunters:

Amass

Amass is one of the most powerful tools for subdomain enumeration. It uses both active and passive techniques to gather subdomains.

How to use:

amass enum -d target.com -o amass_output.txt

Sublist3r

Sublist3r is a popular tool for discovering subdomains using search engines and brute-forcing. It’s lightweight and fast, ideal for initial recon.

How to use:

sublist3r -d target.com

Subfinder

Subfinder is another fast and reliable tool that focuses on passive subdomain discovery by querying public sources like search engines, DNS records, and certificate transparency logs.

How to use:

subfinder -d target.com -o subfinder_output.txt

Knockpy

Knockpy is a Python tool designed for DNS subdomain discovery through brute-forcing. It allows you to quickly test a list of subdomains using a wordlist.

How to use:

knockpy target.com

DNSrecon

DNSrecon is a comprehensive tool for DNS enumeration. It supports zone transfers, brute-forcing, and subdomain enumeration.

How to use:

dnsrecon -d target.com

After discovering a list of subdomains, it’s important to validate them. Ensure that they are active and accessible.

Use curl or httpx to check HTTP response headers for each subdomain.

httpx -l subdomains.txt

Use tools like nmap to scan for open ports and services running on discovered subdomains.

nmap -p 80,443 -iL subdomains.txt

Perform basic vulnerability scans using tools like Nikto or Dirbuster to look for misconfigurations or sensitive files exposed by hidden subdomains.

Let’s look at a practical example of how a penetration tester might use the techniques above to discover hidden subdomains:

Step 1: Initial Enumeration with Amass

Run amass to gather a list of subdomains.

Example:

amass enum -d target.com -o subdomains_amass.txt

Step 2: Brute Force with Sublist3r

Use sublist3r to brute-force additional subdomains.

Example (the -b flag turns on sublist3r's brute-force module):

sublist3r -b -d target.com -o subdomains_sublist3r.txt

Step 3: Cross-Checking with Google Dorks

Run a Google Dork to find any subdomains indexed that weren’t caught in the automated scans.

Example:

site:target.com -www

Step 4: Subdomain Takeover

Use Subjack to check if any discovered subdomains are vulnerable to takeover.

Example:

subjack -w subdomains.txt -t 100 -o takeover_vulnerable.txt
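Steps 1 and 2 each write their own file, but steps 3 and 4 and the validation commands (httpx, nmap, subjack) all read a single subdomains.txt. The script below is an added example, not code from the original post: it merges per-tool outputs into one deduplicated list, drops noise and out-of-scope hosts, and records which tool found each name, which is the quickest way to see what a single-tool workflow would have missed. The file contents are constructed; the filenames are the ones the steps above use.

```python
"""Merge per-tool subdomain lists into one deduplicated, in-scope list.

Added example, not code from the original post. It assumes each tool wrote
one hostname per line to the files named in the workflow above; the file
contents here are constructed so the script runs offline.
"""
import io
from collections import defaultdict

# Constructed tool outputs with the noise a merge has to survive: case
# differences, trailing dots, a blank line, and out-of-scope hosts that merely
# contain the apex as a substring.
TOOL_OUTPUTS = {
    "subdomains_amass.txt":
        "www.target.com\napi.target.com\nDev.target.com\n",
    "subdomains_sublist3r.txt":
        "www.target.com.\napi.target.com\n\nmail.target.com\n"
        "target.com.evil.net\nnottarget.com\n",
}


def normalize(name: str) -> str:
    """Lowercase and strip surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def in_scope(name: str, apex: str) -> bool:
    """True only for the apex itself or a genuine subdomain of it.

    endswith("." + apex) rejects lookalikes such as nottarget.com, and the
    equality test is what keeps target.com.evil.net out.
    """
    return name == apex or name.endswith("." + apex)


def merge_sources(outputs: dict[str, str], apex: str) -> dict[str, list[str]]:
    """Map each in-scope hostname to the sorted list of tools that found it."""
    seen = defaultdict(set)
    for source, text in outputs.items():
        for line in io.StringIO(text):  # same loop works on an open file
            name = normalize(line)
            if name and in_scope(name, apex):
                seen[name].add(source)
    return {host: sorted(seen[host]) for host in sorted(seen)}


def unique_to_source(merged: dict[str, list[str]], source: str) -> list[str]:
    """Hosts only one tool reported: what a single-tool workflow would miss."""
    return [host for host, sources in merged.items() if sources == [source]]


def render_combined(merged: dict[str, list[str]]) -> str:
    """One hostname per line, the format httpx, nmap -iL and subjack -w read."""
    return "\n".join(merged) + "\n"


if __name__ == "__main__":
    merged = merge_sources(TOOL_OUTPUTS, "target.com")
    for host, sources in merged.items():
        print(f"{host:20} found by {', '.join(sources)}")
    with open("subdomains.txt", "w") as fh:
        fh.write(render_combined(merged))
```

To use it on real output, read each file into the dictionary in place of the constructed strings; the merge loop already iterates line by line, so an open file handle works as well as the StringIO wrapper used here.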

Discovering hidden subdomains is a crucial part of a penetration tester’s toolkit. Subdomains often serve as entry points into deeper layers of a target’s network, and uncovering them can lead to critical vulnerabilities. Using a combination of techniques like DNS zone transfers, brute-forcing, and leveraging tools such as Amass and Sublist3r, you can enhance your subdomain discovery process and increase your chances of finding valuable attack surfaces.
