Techniques to discover subdomains


Before taking any action on any bug bounty program it is necessary to carefully read the rules of the program. As well as to be clear about the scope defined by the company to avoid problems.

For example, if the scope of a bug bounty program is defined as *.domain.com, it indicates that we can carry out the vulnerability analysis on any subdomain of the company.

Subdomain enumeration is especially helpful during penetration testing and bug bounty hunting to uncover an organization’s attack surface.

There are many techniques for subdomain discovery:

- Using public resources like Google. For example, using Google Dorks: site:www.domain.com site:*.domain.com
- Reverse lookup from an IP block. If we know the ASN (Autonomous System Number) of the company, we can extract the IP address block space from its prefixes, for example 17.108.0.0/16, and then use PTR queries against those addresses to try to find valid hosts.
- Bruteforce. It is based on wordlists of commonly used subdomain names, resolving each candidate to see which ones exist. For example, puredns.
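As an added illustration of the reverse-lookup and wordlist techniques above (example code written for this page, not from the article or any of the tools it names), the following script implements both with the DNS resolver passed in as a parameter. That lets the logic run offline against constructed sample answers for the documentation range 203.0.113.0/24 and the invented zone wild.example; `live_ptr` and `live_a` are the real lookups through the system resolver and need network access. It also handles the failure mode that makes naive wordlist bruteforcing unreliable: a zone with a wildcard record answers every name, so the script first resolves a random label and discards any hit that points at the same address.

```python
"""Added example, not code from the original article: the reverse-lookup
(PTR) and wordlist techniques described above, with the resolver injected so
the logic runs offline against constructed data. `live_ptr`/`live_a` are
the real lookups and need network access."""
import ipaddress
import socket
import uuid
from typing import Callable, Dict, Iterable, Optional, Set

Resolver = Callable[[str], Optional[str]]  # query -> answer, or None if no record


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def live_a(host: str) -> Optional[str]:
    """Forward lookup through the system resolver (first address only)."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return None


def reverse_sweep(cidr: str, domain: str, ptr: Resolver = live_ptr,
                  limit: int = 256) -> Set[str]:
    """PTR-query the host addresses in `cidr` and keep names under `domain`.
    `limit` caps the number of queries so a large prefix (e.g. a /16 taken
    from an ASN) is not swept by accident; raise it deliberately."""
    suffix = "." + domain.lower().rstrip(".")
    found: Set[str] = set()
    for i, addr in enumerate(ipaddress.ip_network(cidr, strict=False).hosts()):
        if i >= limit:
            break
        name = ptr(str(addr))
        if name:
            name = name.lower().rstrip(".")  # normalise case and trailing dot
            if name.endswith(suffix):
                found.add(name)
    return found


def wildcard_target(domain: str, a: Resolver = live_a) -> Optional[str]:
    """Resolve a random label; an answer means the zone has a wildcard record,
    so every wordlist hit pointing at that address is noise, not a subdomain."""
    return a(f"{uuid.uuid4().hex[:12]}.{domain}")


def wordlist_bruteforce(domain: str, words: Iterable[str],
                        a: Resolver = live_a) -> Dict[str, str]:
    """Resolve <word>.<domain> for each word; return host -> address for the
    names that exist, minus answers produced by a wildcard record."""
    wildcard = wildcard_target(domain, a)
    found: Dict[str, str] = {}
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        host = f"{word}.{domain}"
        ip = a(host)
        if ip and ip != wildcard:
            found[host] = ip
    return found


# Constructed sample DNS data (documentation ranges), standing in for real answers.
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.com.",   # trailing dot, as some resolvers return it
    "203.0.113.11": "VPN.example.com",     # mixed case
    "203.0.113.12": "shared.hosting.net",  # out of scope, must be dropped
}
SAMPLE_A = {
    "www.example.com": "203.0.113.20",
    "dev.example.com": "203.0.113.21",
    "real.wild.example": "203.0.113.50",
}


def offline_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def offline_a(host: str) -> Optional[str]:
    if host in SAMPLE_A:
        return SAMPLE_A[host]
    if host.endswith(".wild.example"):  # wild.example has a wildcard record
        return "203.0.113.99"
    return None


if __name__ == "__main__":
    print(reverse_sweep("203.0.113.8/29", "example.com", ptr=offline_ptr))
    print(wordlist_bruteforce("example.com", ["www", "dev", "staging"], a=offline_a))
    print(wordlist_bruteforce("wild.example", ["www", "real"], a=offline_a))
```

Two design points worth noting: the sweep has an explicit query cap because an ASN prefix can be tens of thousands of addresses, and the wildcard filter will also hide a genuine host that happens to share the wildcard address, so anything dropped that way deserves a second look by another method (for example the search-engine or certificate techniques in this article).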

Given the many ways we have to enumerate subdomains, in the end we must choose the technique that simplifies the recon process and is as simple as it is effective.

Sublist3r is a fascinating tool; its description in the GitHub repository reads:

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

To install it we can execute the following commands:

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
sudo pip install -r requirements.txt

Let’s see its capabilities in action. Let’s assume that our target is *.github.com. With the tool already installed in our environment we will execute the command:

sublist3r -v -d github.com -t 5 -e bing -o ./github_sub_results.txt

-d (--domain): Domain name to enumerate
-v (--verbose): Enable verbosity and display results in real time
-t (--threads): Number of threads to use for the subbrute bruteforce. We must be cautious here, since the search engines may refuse our requests if we do not set a sensible limit.
-e (--engines): List of search engines separated by a comma
-o (--output): Save the results to a text file

This run will list the subdomains found on the root domain github.com.

Finally, let’s talk about crt.sh, or how we can find subdomains by using SSL certificates.

It is based on Certificate Transparency: every publicly trusted certificate is recorded in public CT logs, and crt.sh indexes those logs so that a query for a domain returns all certificates issued for it. The names on those certificates (the common name and the subject alternative names) reveal subdomains, including ones that are not linked from anywhere.

Note that Facebook offers a free service that lets us monitor the Certificate Transparency logs for new certificates issued for a domain: https://developers.facebook.com/tools/ct/search/

An example of how to use the tool is shown below:
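The script below is an added example written for this page (not the article's own, and not part of crt.sh) of turning crt.sh output into a subdomain list. It queries the real JSON endpoint (`https://crt.sh/?q=%.<domain>&output=json`) in `fetch_crtsh`, which needs network access, while `SAMPLE_CRTSH_JSON` is a constructed response in the same shape so the parsing runs offline. The parser normalises names, keeps only names inside the target zone (so a look-alike such as example.com.evil.test is dropped), and reports wildcard certificates separately, since `*.example.com` proves a wildcard certificate exists but not that any particular host does.

```python
"""Added example, not code from the original article: pulling subdomains out
of crt.sh's JSON output. `SAMPLE_CRTSH_JSON` is constructed in the shape
crt.sh returns (one object per logged certificate, with the certificate's
names newline-separated in `name_value`); `fetch_crtsh` does the real query
and needs network access."""
import json
import urllib.parse
import urllib.request
from typing import Set, Tuple

CRTSH_JSON_URL = "https://crt.sh/?q={query}&output=json"


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Query crt.sh for every certificate whose name matches %.<domain>
    (% is crt.sh's SQL-style wildcard). Returns the raw JSON text."""
    url = CRTSH_JSON_URL.format(query=urllib.parse.quote(f"%.{domain}"))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-subdomain-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def subdomains_from_crtsh(raw_json: str, domain: str) -> Tuple[Set[str], Set[str]]:
    """Return (subdomains, wildcard_names) found in crt.sh JSON for `domain`.

    Names are lower-cased and stripped of a trailing dot, restricted to the
    target zone (the apex itself and look-alike names outside the zone are
    dropped), and wildcard entries are returned separately."""
    zone = "." + domain.lower().rstrip(".")
    subdomains: Set[str] = set()
    wildcards: Set[str] = set()
    for record in json.loads(raw_json):
        # common_name holds the certificate subject; name_value holds all SANs,
        # one per line. Both are checked because either may carry a name.
        for field in ("common_name", "name_value"):
            for name in (record.get(field) or "").split("\n"):
                name = name.strip().lower().rstrip(".")
                if not name.endswith(zone):
                    continue
                if name.startswith("*."):
                    wildcards.add(name)
                else:
                    subdomains.add(name)
    return subdomains, wildcards


# Constructed sample response in crt.sh's JSON layout (values are invented).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "Mail.Example.com.",
     "name_value": "mail.example.com\nwebmail.example.com"},
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
    {"id": 5, "common_name": "dev.example.com",
     "name_value": "dev.example.com\nwww.example.com"},
])


if __name__ == "__main__":
    subs, wild = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("subdomains:", sorted(subs))
    print("wildcards: ", sorted(wild))
    # For a live run: subdomains_from_crtsh(fetch_crtsh("example.com"), "example.com")
```

Keep in mind that crt.sh returns certificates that have expired (the `not_after` field in each record), so a name found this way is evidence that a host existed at some point, not that it resolves today; resolve the list before treating its entries as live attack surface.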

I should mention that these tools may not be the most effective and recommended for use in a recon. I just want to share information with the community and make known the different techniques and tools available.

I recommend you take a look at my repository where I store all those tools and/or utilities that I use in my bug bounty environment: https://github.com/ermclm/bugbountyenv
