The complete subdomain Enumeration Guide

What is a subdomain? A subdomain, as shown in the figure, is a subdivision of a domain.

Figure : Subdivision of a domain.

There are also sub-sub-domains; this nesting of domains is known as vertical domain correlation. Acquisitions by the same company are a different kind of relationship, known as horizontal domain correlation.

Some of the open source tools available:

• Subfinder: https://github.com/subfinder/subfinder
• Amass: https://github.com/caffix/amass
• Sublist3r: https://github.com/aboul3la/Sublist3r
• Aquatone: https://github.com/michenriksen/aquatone
• Knockpy: https://github.com/guelfoweb/knock

Discovering Target Using ASN (IP Blocks)

http://bgp.he.net
https://whois.arin.net/ui/query.do
https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
https://reverse.report/
https://www.shodan.io/search?query=org%3A%22Facebook%22
https://pentest-tools.com/
https://virustotal.com/
https://www.shodan.io/
https://crt.sh/?q=%25target.com
https://dnsdumpster.com/
https://censys.io
http://dnsgoodies.com

Brand Discovery Acquisitions

Time to increase the scope with parent and child organisations, or acquisitions by the main company.

1. https://www.crunchbase.com/search/acquisitions
2. Trademark search in Google: "Facebook Inc © 2020" "Facebook Inc © 2019" "Facebook Inc © 2018" inurl:facebook
3. Reverse whois (my favorite)

Let’s start by checking the whois result of facebook.com

Figure: whois result of facebook.com

As you can notice, the Tech Organisation is Facebook, Inc and the Tech Email is domain@fb.com. These are the values to pivot on with a reverse whois lookup:
1. Viewdns.info
2. https://github.com/vysecurity/DomLink
3. WhoisXMLAPI (my favourite)

Limited Results with viewdns.info

3441 results with https://tools.whoisxmlapi.com/

More ways to find subdomains

• RAPID7 SONAR: curl --silent https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep ".icann.org" | jq
• DNSRECON: python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
• ALTDNS: python altdns.py -i icann.domains -o data_output -w icann.words -r -s results_output.txt

DIG (zone transfer):
dig +multi AXFR @ns1.insecuredns.com insecuredns.com
DNSSEC:
dig +multi +dnssec A paypal.com
dig +dnssec @ns1.insecuredns.com firewall.insecuredns.com
Zone walking NSEC with LDNS:
root@rohit:~ ldns-walk @name_server domain_name

• ZONE WALKING NSEC WITH DIG: You can list all the sub-domains by following the linked list of NSEC records of existing domains.
$ dig +short NSEC api.tesla.com
$ dig +short NSEC apm.tesla.com
• MASSDNS: root@rohit:~ ./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt

Get the ASN (Autonomous System Number): go to http://bgp.he.net, search for e.g. tesla.com, and check the Prefixes v4 tab to get the IP ranges.

• SUBLERT: a tool that leverages certificate transparency to automatically monitor new subdomains deployed by specific organisations, by watching the TLS/SSL certificates issued to them.
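As an added example (not part of the original guide and not code from the Sublert project), the Python below does the core of what a CT-based monitor does: it parses crt.sh JSON output (the https://crt.sh/?q=%25target.com query above with &output=json) for one target, reduces wildcard entries, lowercases and scope-filters the names so look-alike domains are dropped, and diffs the result against a previously seen set. The sample records are constructed, not real CT data.

```python
import json
import re

# Constructed sample of the crt.sh JSON shape (only the fields used here;
# real records carry more). Not real certificate transparency data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\napi.example.com", "not_before": "2020-01-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.example.com\nexample.com", "not_before": "2019-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging.API.example.com", "not_before": "2020-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.attacker-controlled.test", "not_before": "2020-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "notexample.com", "not_before": "2020-02-01T00:00:00"},
])

# Accept only syntactically valid lowercase hostnames (labels of 1-63 chars).
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def extract_subdomains(crtsh_json, target):
    """Return the set of in-scope hostnames named in crt.sh JSON output.

    name_value may hold several SANs separated by newlines; wildcard
    entries are reduced to their base name; names are lowercased; and only
    names equal to the target or ending in ".<target>" are kept, so
    look-alikes such as notexample.com or example.com.other.test are dropped.
    """
    target = target.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue
            if name == target or name.endswith("." + target):
                found.add(name)
    return found


def new_subdomains(current, known):
    """Names present in the latest CT pull but not in the previously seen set."""
    return set(current) - set(known)
```

Running extract_subdomains on each pull and keeping the union as the known set turns this into the same alerting loop Sublert runs; a name appearing here that your own inventory lacks is either a forgotten host or a certificate you did not request.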

• Wayback enumeration → waybackurls
python waybackurls.py --help
./waybackunifier --help
• archive.org

Subdomains from JS files

• Parsing JavaScript: parsing JS files is very useful for finding the directories used by the target, and can be used instead of brute-forcing subdomains.
• JSParser: run handler.py and then visit http://localhost:8008
• LinkFinder: python linkfinder.py -i https://example.com/1.js -o results.html

Subdomains from GitHub

GitHub recon to find juicy subdomains about the target:
• Gitrob: ./gitrob google; to see the results, open localhost:9393 in the browser
• Trufflehog: trufflehog https://github.com/SeppPenner/postgres.git
• Manual: https://github.com/techgaun/github-dorks and https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

About Me

• Ethical Hacker & Cyber Security Consultant

Rohit Gautam

Shifa cyclewala

CEO & Founder at Hacktify Cyber Security