Subdomains Enumeration: Tools, Techniques, and Tips


Kapil Chotalia

In our previous adventure, we gathered a treasure trove of information: IPs, CIDRs, ASNs, IP ranges, live IPs, open ports, and hostnames (subdomains). 🕵️‍♂️📦 This time, we’re diving deep into the ocean of subdomain enumeration tools and techniques. But first, let’s get cozy with the basics of TLDs, domains, and different domain levels! 🏊‍♂️💻

Domain Hierarchy

For beginner bug hunters, sub-domain enumeration is essential because:

- Discover Hidden Vulnerabilities: Uncovering sub-domains helps you find lesser-known parts of a website where vulnerabilities might be hiding. 🕵️‍♂️
- Expand Attack Surface: Identifying sub-domains gives you a broader view of the website’s infrastructure, revealing more potential targets to test. 🌐
- Find Sensitive Information: Some sub-domains may expose sensitive data or internal tools that can be exploited. 🔓
- Spot Mis-configurations: Sub-domains often have mis-configurations or outdated plugins, scripts and functions, making them easier to exploit. 🛠️
- Improve Overall Security: By finding and reporting bugs in sub-domains, you help the organization secure their entire web presence, not just the main site. 🛡️

Common domain and DNS attacks worth knowing about:

- DNS Hijacking (DNS Redirection) 🎣: Attackers change the domain’s DNS settings to redirect users to malicious websites. 😱👿
- DNS Spoofing (Cache Poisoning) 💉: Corrupting DNS cache entries to redirect users to malicious sites. 🕵️‍♂️🔀
- Sub-Domain Takeover 🏴‍☠️: Exploiting misconfigured or unclaimed sub-domains to take control of them. 👻💻
- Domain Squatting (Cybersquatting) 💰: Registering domains that are similar to well-known brands to profit from user mistakes. 😈💸
- Typosquatting ✏️: Registering domains with common typos of popular websites to catch mistyped URLs. 🤦‍♂️🖥️
- DNS Tunneling 🚇: Using DNS queries and responses to transmit data, often for malicious purposes like exfiltrating data or bypassing firewalls. 🕳️💻
- DNS Amplification Attack 📢: Using DNS servers to amplify traffic and launch Distributed Denial of Service (DDoS) attacks on targeted domains. 💥🌐

Step 1: Collecting AMA Subdomains 🕵️‍♂️🔎

First, we need to gather all the juicy subdomains of our target. We’ll be using our awesome arsenal of tools and websites:

Website Tools:
- 🦸‍♂️ crt.sh: Certificate Transparency logs to uncover subdomains.
- 🛡️ VirusTotal: Scan for any suspicious domains.
- 🏢 Chaos ProjectDiscovery: The ultimate chaos for finding hidden gems.

Terminal Tools:
- 🕵️‍♀️ subfinder: Quickly find subdomains.
- 🕸️ amass: Dive deep into the domain space.
- ⚙️ chaos client: Chaos but in a controlled manner.
- 🦾 ffuf: Bruteforce your way to victory.
- 👽 oneforall: All-in-one subdomain hunter (VPC only).
- 🌀 massdns: Massively resolve DNS queries (VPC only).
- 🔄 shuffledns: Shuffle and resolve like a pro (VPC only).

Step 2: Filtering Out Duplicates and Finding Live Ones 🧹🔗

Step 3: Analyzing Live Subdomains 🖼️🔍

Uncover Subdomains with crt.sh 🕵️‍♂️

crt.sh is a search front-end for Certificate Transparency logs; every certificate ever issued for a domain and logged publicly shows up there, which makes it a quick way to uncover subdomains.

1. Visit crt.sh🌐
— Open your favorite browser and go to [crt.sh](https://crt.sh).

2. Search for Your Domain 🔍
— In the search bar, type "domain.com" (replace this with your actual domain).

3. Inspect the Results 🧐
— You’ll see a list of certificates with info like ID, domains, subdomains, certificate issuer names, and validation dates.

4. Gather the Subdomains 📋
— Copy and paste the subdomains from the list into your own list.
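The same crt.sh search can be scripted, since crt.sh returns results as JSON when `output=json` is appended to the query. This is an added example, not code from the original post: `parse_crtsh` turns a crt.sh response into a clean list of in-scope hostnames, and `fetch_crtsh` does the live query (network required). The sample response embedded below is constructed.

```python
import json
import urllib.request
from typing import Optional
from urllib.parse import quote

CRTSH_JSON = "https://crt.sh/?q={query}&output=json"


def normalize_host(name: str, domain: str) -> Optional[str]:
    """Lower-case a certificate name, drop a wildcard prefix and trailing dot,
    and return None when the name is not `domain` or one of its subdomains."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    if host == domain or host.endswith("." + domain):
        return host
    return None


def parse_crtsh(json_text: str, domain: str) -> list:
    """Extract the unique in-scope hostnames from a crt.sh JSON response.
    One certificate can carry many SANs; crt.sh joins them with newlines in
    name_value, so each entry is split before filtering."""
    found = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            host = normalize_host(name, domain)
            if host:
                found.add(host)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: int = 30) -> list:
    """Live query for every certificate matching %.domain (needs network)."""
    url = CRTSH_JSON.format(query=quote("%." + domain))
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_crtsh(resp.read().decode("utf-8"), domain)


# Constructed sample in the shape crt.sh returns (three certificates).
SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nMail.Example.com."},
    {"common_name": "example.org", "name_value": "example.org\napi.example.com"},
])

if __name__ == "__main__":
    for host in parse_crtsh(SAMPLE, "example.com"):
        print(host)
```

Names from certificates that cover other domains (the `example.org` SAN above) are dropped, and a wildcard entry collapses to the parent name rather than being listed literally.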

Explore Domains with VirusTotal 🕵️‍♀️🦠

VirusTotal is an all-rounder tool that gives you every bit of information about a domain! 🌐 Here’s how you can dig into the details:
Details Tab 📋

- DNS Records: Check out where the domain points. 🌍
- Whois Record: Learn who owns the domain. 🕵️‍♂️
- Certificate Details: Get info on SSL certificates. 🔐

Relation Tab 🔗

- Passive DNS Replication: See DNS records over time. ⏳
- Subdomains: Discover all the little sibling domains! 🏠
- Communicating Files: Find files that have interacted with the domain. 📁
- Historical Whois Lookups/SSL Certificates: Track the domain’s history. 🕰️
- Graph: Visualize all this info in a cool graph! 📊 (The most important!)

Steps:
1. Go to “virustotal.com” and Login/Register 🖥️🔑
2. Enter the bare domain name, without "https://www." and without a trailing "/". Example: type facebook.com, not https://www.facebook.com/ ❌
3. Go to the Relation Tab ➡️ Graph ➡️ Click the “www” node.

4. Double-click the subdomain nodes to load more subdomains. 🖱️

5. A pop-up will appear and click the download button.📥

6. You’ve got all the subdomains! 🏆

Get Subdomains with Chaos Projectdiscovery 🌐💥

Chaos Projectdiscovery offers a treasure trove of subdomains from publicly available bug bounty programs worldwide. The best part? It’s free and updated daily! 🚀

Steps:
1. Open your browser and visit the Chaos Projectdiscovery website. 🖥️🔍
2. Type the target name 🏹 in the search box.
Example: type facebook to search for Facebook subdomains.
3. Once you find the results, download 📥 the file to get the complete list of subdomains.

Power of Amass for Subdomain Enumeration 💻🔍

Amass is a superhero tool for finding subdomains, using both passive and active methods to get the most comprehensive results. 🦸‍♂️🕵️‍♂️ Here’s how you can use Amass for bug bounty hunting and penetration testing:

```bash
# Full Enumeration (Active + Passive):
amass enum -d example.com -o subdomains.txt

# Specifying a Wordlist for Brute Force:
amass enum -d example.com -brute -w wordlist.txt

# Enumeration using ASN
amass enum -d example.com -asn 13335

# Enumeration using CIDR
amass enum -d example.com -cidr 192.168.1.0/24
```

Note: the -o subdomains.txt flag saves the results to a text file.

Between them, these commands cover most of the subdomains you will find for a target. 😎

Power of OneForAll Subdomain Enumeration 🌐🔍

OneForAll is a supercharged tool designed for subdomain sleuthing, tapping into various data sources and techniques. When you fire it up, all modules kick into action, turbocharging your discovery process. 💻⚡️

```bash
# Basic enumeration for a single target domain
python3 oneforall.py --target example.com run

# Enumeration for multiple target domains listed in a file
python3 oneforall.py --targets ./domains.txt run

# Disable checking if subdomains are alive (skip ping check)
python3 oneforall.py --target example.com --alive False run

# Disable brute-force subdomain enumeration
python3 oneforall.py --target example.com --brute False run

# Use medium port scan range during enumeration
python3 oneforall.py --target example.com --port medium run

# Output results in CSV format
python3 oneforall.py --target example.com --fmt csv run

# Disable DNS resolution for discovered subdomains
python3 oneforall.py --target example.com --dns False run

# Disable HTTP(S) request checks for discovered subdomains
python3 oneforall.py --target example.com --req False run

# Disable checking for subdomain takeover vulnerabilities
python3 oneforall.py --target example.com --takeover False run

# Display detailed results in the console
python3 oneforall.py --target example.com --show True run
```

For a deep dive into usage and commands, see the official documentation: [GitHub Documentation](https://github.com/shmilylty/OneForAll/blob/master/docs/en-us/README.md). 📚🔗

This tool is your trusty sidekick in the world of bug bounties and penetration testing, making subdomain discovery a breeze! 🦸‍♂️💼

Power of Subfinder Subdomain Enumeration 🌐🔍

Subfinder is a specialized tool for discovering valid subdomains of websites through passive online sources. With its streamlined, modular architecture, Subfinder is optimized for speed and efficiency. It excels in passive subdomain enumeration, focusing solely on this task with high effectiveness. 💻⚡️

```bash
# Basic usage to find subdomains for a single domain
subfinder -d example.com -o subdomains.txt

# Find subdomains for multiple domains listed in a file
subfinder -dL domains.txt

# Use all available sources for enumeration (this may be slow)
subfinder -d example.com -all
```

Note: the -o subdomains.txt flag saves the output to a text file.

Widely favored among bug bounty hunters, Subfinder stands out as a top choice due to its speed and effectiveness in uncovering subdomains. 🦸‍♂️💼

FFuF: The Furious Web Fuzzer 🚀

FFuF (Fuzz Faster U Fool) is your go-to tool for lightning-fast web fuzzing, written in Go. It’s your Swiss Army knife for brute-forcing subdomains, discovering directories and files, and fuzzing parameters. Put the keyword “FUZZ” wherever you want wordlist entries substituted and let it do its magic! 🔍💥

```bash
# Subdomain Enumeration:
ffuf -u http://FUZZ.example.com -w /path/to/wordlist.txt

# Directory and File Discovery:
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt

# Want specific extension output:
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt -e .php,.html,.js

# Filtering by Status Codes:
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt -mc 200,301

# Subdomain Enumeration with Verbose Output and Custom Headers:
ffuf -u http://FUZZ.example.com -w /path/to/wordlist.txt -H "Host: example.com" -v
```

Bug bounty hunters swear by FFuF — it’s their first choice for aggressive yet effective reconnaissance in penetration testing and bug hunting adventures. 🦸‍♂️🔎

Let’s merge these files and harness the combined power of our subdomain discoveries! Together, we’ll conquer the digital landscape! 🌍🔓

Suppose each source was saved to its own file:

- website crt.sh ➡️ save subdomains ➡️ crtsh.txt
- website VirusTotal ➡️ save subdomains ➡️ virustotal.txt
- tool Amass ➡️ save subdomains ➡️ amass.txt
- tool OneForAll ➡️ save subdomains ➡️ oneforall.txt
- tool Subfinder ➡️ save subdomains ➡️ subfinder.txt
- tool FFuF ➡️ save subdomains ➡️ ffuf.txt

```bash
# Combine all files, then sort -u drops the duplicates that every source will share
cat crtsh.txt virustotal.txt amass.txt oneforall.txt subfinder.txt ffuf.txt | sort -u > final-subdomains.txt
```
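Tool outputs rarely agree on format: ffuf and subfinder print bare hostnames, a VirusTotal export or a copied crt.sh row may carry mixed case, a wildcard or a trailing dot, and some lists carry a scheme or port. The script below is an added example, not part of the original post, that does the merge step with that normalisation and drops anything outside the target domain. The six file names are the ones used above; the sample lines are constructed.

```python
import re
from pathlib import Path

# Per-tool files as named in the post; merged in this order.
SOURCES = ["crtsh.txt", "virustotal.txt", "amass.txt",
           "oneforall.txt", "subfinder.txt", "ffuf.txt"]
# One DNS label: 1-63 chars, alphanumeric, hyphens only in the middle.
LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def normalize_line(line: str) -> str:
    """Strip scheme, port, path, wildcard and trailing dot; lower-case the host."""
    host = line.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host)          # https://host/x -> host/x
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop path, then port
    if host.startswith("*."):
        host = host[2:]
    return host.rstrip(".")


def merge_subdomains(lines, domain: str) -> list:
    """Sorted unique hostnames that are `domain` or a subdomain of it and are
    syntactically valid DNS names; blanks, other domains and junk are dropped."""
    keep = set()
    for raw in lines:
        host = normalize_line(raw)
        if not HOST_RE.match(host):
            continue
        if host == domain or host.endswith("." + domain):
            keep.add(host)
    return sorted(keep)


def merge_files(paths, domain: str, out_path: str) -> int:
    """Concatenate the files that exist, clean them, write the final list."""
    lines = []
    for p in paths:
        if Path(p).exists():
            lines.extend(Path(p).read_text().splitlines())
    result = merge_subdomains(lines, domain)
    Path(out_path).write_text("\n".join(result) + "\n")
    return len(result)


# Constructed sample standing in for the concatenated tool outputs.
SAMPLE_LINES = ["www.example.com", "WWW.example.com", "*.dev.example.com",
                "https://api.example.com:8443/v1", "mail.example.com.",
                "cdn.example.net", "", "bad host.example.com"]

if __name__ == "__main__":
    print("\n".join(merge_subdomains(SAMPLE_LINES, "example.com")))
```

Run `merge_files(SOURCES, "example.com", "final-subdomains.txt")` in the directory holding the six files to produce the same final list the cat pipeline does, with the scope filter applied.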

After tidying up our list to remove duplicates, it’s time to pinpoint the active hosts 🌟 — the ones that are ready to chat! 🎉

Using httpx-toolkit: Fire up httpx for HTTP/HTTPS probing to see which targets are itching to respond to our web requests. 🚀🕵️‍♂️

```bash
# Example usage to find online hosts using httpx
cat targets.txt | httpx -silent
```

Using DNSX: Turn to dnsx for quick DNS queries to verify which hosts are proudly sporting active DNS records. 🌐🔍

```bash
# Example usage to find online hosts using dnsx
cat targets.txt | dnsx -silent
```

Take your pick and let’s uncover those live hosts! Time to knock on digital doors and see who’s home. 🏠💻

Ever wondered what’s behind those mysterious subdomains? Let EyeWitness shed some light! 🌟

EyeWitness, an open-source cyber sleuth, snaps screenshots of websites, services, and apps on specified hosts. Perfect for pen testers and bounty hunters, it swiftly uncovers and documents web apps across tons of domains or IPs. 🛡️🕵️‍♂️

EyeWitness isn’t picky — it handles HTTP, HTTPS, RDP, VNC, and more, making it your all-in-one recon and report buddy. 🌐📸

```bash
# Basic Screenshot Capture from a List of URLs/subdomains:
EyeWitness.py --web -f urls.txt -d output

# Using with Nmap Results:
EyeWitness.py --web -x nmap_output.xml -d output

# Specifying Custom Ports:
EyeWitness.py --web -f urls.txt --ports 80,443,8080 -d output
```

Once done, just peek into your output folder for screenshots. They’re like digital Polaroids, revealing the secrets of each URL or subdomain. 🖼️💻

With this guide, you now have a solid understanding of the basics of TLDs, domains and sub-domains, and of how to use tools and websites like amass, subfinder, OneForAll, VirusTotal and crt.sh for effective subdomain enumeration. 🎯🕵️‍♂️

Stay tuned for the next part of this series, where we’ll dive even deeper into advanced recon techniques and uncover more secrets of the digital world. 🌐🔍✨

Until then, happy hunting and keep exploring! 🐛🔦
