Skip to content

02 Subdomain Enumeration

OSINT - SSL/TLS Certificates

  • When an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority), CA's take part in what's called "Certificate Transparency (CT) logs".
  • Below sites a searchable database of certificates
  • https://crt.sh/
  • https://ui.ctsearch.entrust.com/ui/ctsearchui/

OSINT - Search Engines

  • Use google dorks to find the list of subdomains. 
    1
    site:*.example.com

DNS Bruteforce

  • Bruteforce DNS (Domain Name System) enumeration is the method of trying tens, hundreds, thousands or even millions of different possible subdomains from a pre-defined list of commonly used subdomains. 
    1
    dnsrecon -d example.com

OSINT - Sublist3r

  • Sublist3r tool is used to enumerate all the subdomains.
  • Use the below command to start finding the subdomains. 
    1
    sublist3r.py -d example.com

Virtual Hosts

  • Some subdomains aren't always hosted in publicly accessible DNS results, such as development versions of a web application or administration portals.
  • Because web servers can host multiple websites from one server when a website is requested from a client, the server knows which website the client wants from the Host header.
  • We can utilize this host header by making changes to it and monitoring the response to see if we've discovered a new website. 
    1
        ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.212.66
  • Filter out the results based on size in FFUF using the -fs switch. 
    1
        ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.212.66 -fs 2395