Subdomain enumeration
What is it?
Search engine dorking
Archiving website
Tools
DNS datasets
Certificate Transparency
DNS brute forcing
Permutation scanning
What is it?
Subdomain enumeration 1
When we talk about subdomain enumeration, we have several options for grabbing as
many subdomains as possible, so that we can compose a list of subdomains for later
investigation.
We have several techniques available to us that make this process easier and
help us find more subdomains.
Search engine dorking
We can use many different search engines to execute this dorking process, so
automation is more than welcome.
https://github.com/OWASP/Amass
https://github.com/fwaeytens/dnsenum/
Archiving website
There are three big players in the market of archiving the internet. These websites are
set up so that we can still enjoy the internet to a greater extent, even if the websites
we love so much no longer exist: we can still visit them, and even on existing
websites we can grab that hint of nostalgia we all cherish. These websites take a
snapshot of the target they are currently crawling, if allowed, and index it in
their databases. This is very useful for us as hackers, since we can grab these
snapshots and extract the subdomains from them.
There is NO guarantee these subdomains are still online, though, and we will have
to check them with the technique we will see in the httprobe chapter.
https://archive.org/web/
https://archive-it.org/
https://archive.ph/
Tools
See search engine dorking
DNS datasets
There are certain sources out there that gather subdomains. All of them have a
different goal, but they share one property: they all have a list of subdomains that
we can query for new subdomains to add to our list.
We can again go through these datasets manually, but tools are much more
recommended.
https://dnsdumpster.com/
https://otx.alienvault.com/
https://github.com/jonluca/Anubis-DB
...
We can also use tools like Amass again to gather subdomains from these passive
sources.
Certificate Transparency
Some certificate authorities (CAs) have made all the certificates they ever issued
public. These certificates contain a goldmine of information, including domains,
subdomains and email addresses.
We can again go through all these certificates ourselves, but there are perfectly
valid solutions to check for this.
https://crt.sh/
https://censys.io/
https://developers.facebook.com/tools/ct/
https://google.com/transparencyreport/https/ct/
We can automate all this with scripts like ct.py from massdns:
https://github.com/blechschmidt/massdns
https://github.com/darkoperator/dnsrecon
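As an added example (not code from the original slides or from any of the tools linked above), the script below parses the two passive sources discussed in this chapter: the JSON that crt.sh returns for a query such as `https://crt.sh/?q=%25.example.com&output=json`, and the plain-text URL list the Wayback Machine CDX API returns for `url=*.example.com&fl=original`. Both responses are constructed samples embedded in the script so it runs offline, and `example.com` stands in for the domain under assessment. What it shows is the clean-up step the slides skip over: wildcard entries, mixed case, ports and look-alike names such as `example.com.evil.test` have to be normalised and filtered before a name is added to the list, and nothing in a passive source proves that the name still resolves.

```python
import json
import re
from typing import Optional, Set
from urllib.parse import urlsplit

TARGET = "example.com"  # constructed apex domain; stands in for the real target

# Constructed sample of a crt.sh JSON response (only name_value is used here;
# real entries carry more fields such as issuer_name and not_before).
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},   # SANs are newline-separated
    {"name_value": "*.dev.example.com"},              # wildcard certificate
    {"name_value": "Mail.Example.COM"},               # mixed case
    {"name_value": "example.com.evil.test"},          # look-alike, must be dropped
    {"name_value": "api.example.com"},
])

# Constructed sample of Wayback CDX output with fl=original (one URL per line).
CDX_SAMPLE = """\
http://old.example.com/index.html
https://www.example.com:443/login
http://staging.example.com/
http://api.example.com/v1/users
https://notexample.com/
"""

# Hostname syntax: labels of letters, digits and inner hyphens, joined by dots.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def normalize(name: str, target: str = TARGET) -> Optional[str]:
    """Lowercase, strip wildcard prefix, trailing dot and port, and keep only
    names that are the target or sit below it in the DNS tree."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    name = name.split(":")[0]
    if not HOST_RE.match(name):
        return None
    if name != target and not name.endswith("." + target):
        return None
    return name


def hosts_from_crtsh(raw_json: str, target: str = TARGET) -> Set[str]:
    """Extract in-scope hostnames from a crt.sh JSON response."""
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        for line in entry.get("name_value", "").splitlines():
            host = normalize(line, target)
            if host:
                found.add(host)
    return found


def hosts_from_cdx(raw_text: str, target: str = TARGET) -> Set[str]:
    """Extract in-scope hostnames from Wayback CDX URL output."""
    found: Set[str] = set()
    for line in raw_text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = normalize(urlsplit(line).hostname or "", target)
        if host:
            found.add(host)
    return found


def merge_passive_sources(target: str = TARGET) -> Set[str]:
    """Union of both sources; these are candidates, not confirmed live hosts."""
    return hosts_from_crtsh(CRTSH_SAMPLE, target) | hosts_from_cdx(CDX_SAMPLE, target)


if __name__ == "__main__":
    for host in sorted(merge_passive_sources()):
        print(host)
```

The merged set is the input for the liveness check the httprobe chapter covers; keeping the filter strict (`name == target` or `name.endswith("." + target)`) is what stops a certificate or archive entry for an unrelated domain from landing in the scope list.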
Permutation scanning
Permutation scanning is a variation on DNS brute forcing. We take our list of
known subdomains and build a new list of permutations of that original list, which
we then resolve in the same way as a brute-force word list.
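As an added example (not code from the original slides or from any of the tools linked above), the function below generates the permutation list the paragraph describes. The known subdomains and the word list are constructed; a real run would feed a few hundred words and the full known-subdomain list. It goes slightly beyond the text by showing the common permutation shapes together: prefix and suffix with a hyphen, bare concatenation, an inserted label on either side, and small numeric suffixes. The output is a list of guesses for the resolver, not a list of confirmed hosts.

```python
from typing import Iterable, Set

TARGET = "example.com"  # constructed apex domain; stands in for the real target

# Constructed inputs: subdomains already known and a tiny permutation word list.
KNOWN = ["api.example.com", "www.example.com", "mail.example.com"]
WORDS = ["dev", "staging", "test"]


def permutations(known: Iterable[str], words: Iterable[str], target: str = TARGET) -> Set[str]:
    """Build candidate names from each known subdomain by combining its first
    label with every word in several shapes, plus small numeric suffixes.
    Names outside the target's DNS tree are ignored; known names are removed
    from the result so the resolver is not asked about them again."""
    suffix = "." + target
    cands: Set[str] = set()
    for host in known:
        host = host.lower().rstrip(".")
        if not host.endswith(suffix):
            continue
        labels = host[: -len(suffix)].split(".")   # "v1.api.example.com" -> ["v1", "api"]
        first, rest = labels[0], ".".join(labels[1:])
        tail = ("." + rest if rest else "") + suffix  # everything after the first label
        for w in words:
            cands.add(f"{w}-{first}{tail}")     # dev-api.example.com
            cands.add(f"{first}-{w}{tail}")     # api-dev.example.com
            cands.add(f"{w}{first}{tail}")      # devapi.example.com
            cands.add(f"{first}{w}{tail}")      # apidev.example.com
            cands.add(f"{w}.{host}")            # dev.api.example.com
            cands.add(f"{first}.{w}{tail}")     # api.dev.example.com
        for n in range(1, 4):
            cands.add(f"{first}{n}{tail}")      # api1.example.com
            cands.add(f"{first}-{n}{tail}")     # api-1.example.com
    cands.difference_update(h.lower().rstrip(".") for h in known)
    return cands


if __name__ == "__main__":
    # Print one candidate per line, the input format mass resolvers expect.
    for name in sorted(permutations(KNOWN, WORDS)):
        print(name)
```

Each known host yields 6 shapes per word plus 6 numeric variants, so the list grows as roughly `len(known) * (6 * len(words) + 6)`; with a realistic word list this is why the candidates go to a mass resolver rather than being checked one at a time.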