Master Subdomain HUNTING | Art of finding Hidden Assets

4 months ago

ʏᴀꜱʜʜ

Hey guys, it’s Yash again. Today we are going to look at why subdomain enumeration matters. Yes, I know many of you already know how to enumerate subdomains, but do you really know how to do it in depth? This post covers the less common approaches that top bug bounty hunters use in their subdomain enumeration, together with the best wordlists out there.

There are common ways of finding subdomains with tools, and I am not going to explain all of them; today I will cover only the important things that I think a new bug bounty hunter should know.

The top tools I think every bug bounty hunter should use are, first, our favourite Amass, and then subfinder. I am not going to spend a lot of time explaining these tools; their commands are given below, and you can use each tool’s help menu (amass enum -h, subfinder -h) to understand the flags.

amass enum -passive -norecursive -noalts -d $domain -o Output.txt
subfinder -d $domain -v -t 25 -o subfinder.txt

The original had both commands run together on one line and used two different variable names ($Domain and $domain); they are split here and the variable is the same in both. -passive tells Amass to query only its data sources without touching the target, and -norecursive and -noalts skip recursive brute forcing and name alterations so the passive run stays quick. Newer Amass releases have renamed or dropped some of these flags, so check amass enum -h on the version you have installed.

I personally use these flags/commands with these tools.

IN-DEPTH

So now the main part of the story: the in-depth approach.

How many of you know OneForAll, a powerful Chinese subdomain enumeration tool?

OneForAll is a killer tool for finding subdomains: it aggregates names from a large number of passive sources and can also brute force and validate them. You can read the tool’s documentation in its repository, and you can install it with the following commands:

git clone https://github.com/shmilylty/OneForAll.git
cd OneForAll/
python3 -m pip install -U pip setuptools wheel
pip3 install -r requirements.txt
python3 oneforall.py --help

Just keep in mind that python3 should be at least version 3.8.0 and pip3 at least version 19.2.2, as the project requires.

Sub-domain Brute Forcing

I think many people know how to brute force subdomains. In this blog I am going to share the tool I use for subdomain brute forcing and the wordlists that are, in my opinion, the best ones; using those wordlists I get unique subdomains that are fresh.

Tools

For subdomain brute forcing I use puredns; the command is given below. For more information, read the puredns project README.

Wordlists

I use SecLists and FuzzDB, and you can also use the Assetnote wordlists. In particular I want to highlight Assetnote’s best-dns-wordlist.txt; make sure to use that file for subdomain brute forcing.

Try lots of different wordlists for brute forcing: each one turns up a few names the others miss, so using this method you will find a lot of unique subdomains. Two caveats: the results are only as good as the resolver list (dead or rate-limited resolvers silently lose names), and a target with a wildcard DNS record answers for every word in the wordlist, so make sure the tool filters wildcard answers before you trust the list (puredns does this by default). After gathering most of the subdomains, check them for subdomain takeover.

puredns bruteforce ~/w/SecLists/Discovery/DNS/dns-Jhaddix.txt $domain -r ~/w/purednsResolvers/resolvers.txt >> puredns2.txt

The file passed with -r is the list of public DNS resolvers puredns will query. Use a recently validated resolver list (the original post linked one), and re-validate it regularly: stale or rate-limited resolvers return errors instead of answers and the brute force quietly drops those names.
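An added example (my own, not code from the original post or from any of the tools named here) of the step that follows the commands above: merging the output files of amass, subfinder, OneForAll and puredns into one normalized, in-scope list, and pulling out the names that only the brute force found. It assumes each tool has written one name per line; the file names and the sample entries inside demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): merge the lists written by
# amass, subfinder, OneForAll and puredns into one clean, in-scope set and
# show which names the brute force found that the passive tools missed.
# The file names and the sample entries in demo() are constructed here.
LC_ALL=C
export LC_ALL

# merge_subs APEX FILE...
# Prints the unique, lower-case names that are APEX itself or end in ".APEX".
# Tools disagree on formatting: mixed case, trailing dots, "*." wildcard
# prefixes from certificate transparency, blank lines, and the occasional
# out-of-scope name such as notexample.com or example.com.evil.net.
merge_subs() {
  apex=$1
  shift
  # escape the dots so the apex is matched literally by grep -E
  apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "^(.*\.)?${apex_re}"'$' \
    | sort -u
}

# new_from_brute PASSIVE BRUTE
# Names present in the (merged, sorted) brute-force list but absent from
# the passive list: the "fresh" subdomains the wordlist bought you.
new_from_brute() {
  comm -13 "$1" "$2"
}

# demo: run the merge over constructed tool output (no network needed)
demo() {
  tmp=$(mktemp -d)
  printf 'WWW.Example.com\napi.example.com.\n*.dev.example.com\nexample.com\n' > "$tmp/amass.txt"
  printf 'api.example.com\nmail.example.com\nnotexample.com\nexample.com.evil.net\n' > "$tmp/subfinder.txt"
  printf 'staging.example.com\napi.example.com\n\n' > "$tmp/puredns.txt"

  merge_subs example.com "$tmp/amass.txt" "$tmp/subfinder.txt" > "$tmp/passive.txt"
  merge_subs example.com "$tmp/puredns.txt" > "$tmp/brute.txt"

  echo "# all in-scope names:"
  merge_subs example.com "$tmp/passive.txt" "$tmp/brute.txt"
  echo "# found only by brute force:"
  new_from_brute "$tmp/passive.txt" "$tmp/brute.txt"
  rm -rf "$tmp"
}

demo
```

The scope filter is a suffix match anchored on a literal dot, so notexample.com and example.com.evil.net are rejected while the apex itself is kept. Once you have the merged list, run it through puredns resolve with the same resolvers file before testing for takeover: passive sources return plenty of names that no longer resolve.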

I also have lots of other methods, but I don’t want to make this post too long, so we will discuss them in another blog post. Happy hunting all 🎔

POC

Using the methods listed above I was able to find some cool bugs like SQLi, RXSS and sensitive information disclosure.

You can connect with me on LinkedIn & X.

In this blog we talked about the best wordlists for subdomain brute forcing, the tool I personally use for it (puredns), and one powerful enumeration tool, OneForAll.

Thank you ❟❛❟ Make sure to follow me on Medium; I am going to write more blogs about bug bounties and security research.
