Subdomain Identification & Enumeration

Subdomain enumeration is the process of finding valid (resolvable) subdomains for one or more domains, unless the DNS server exposes the full DNS zone (via AXFR).

Note

DNS zone transfer protocol, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

Danger

Is it safe?

Tools

1. Sublist3r (Subdomains bruteforce)

Sublist3r discovers subdomains using search engines such as Google, Yahoo, Bing, Baidu, Ask, Netcraft and DNSdumpster.

You might encounter non-resolvable subdomains (names answering with NXDOMAIN), because Sublist3r relies heavily on passive data and does not validate whether the found subdomains really exist.

$ python sublist3r.py -d example.com

2. DNSRecon

dnsrecon.py -h
dnsrecon.py -d domain.fr

# You can do dictionary enumeration
# -n : nameserver used
# -t : type (brt = brute-force domains and hosts using a given dictionary)
dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt

3. theHarvester

theHarvester finds e-mail addresses on target domains as well as subdomains and virtual hosts. However, compared to Sublist3r, it provides fewer subdomain results.

$ sudo apt install theHarvester

$ theHarvester -d machine.htb -l 500 -b google

4. Subfinder

# Subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
# https://github.com/projectdiscovery/subfinder
$ subfinder -d freelancer.com -o output.txt

$ subfinder -dL domains.txt -oD ~/path/to/output

$ cat domains.txt | subfinder -subs

5. ffuf

# You can also use ffuf in order to brute-force subdomains

# Option 1
# Redirecting to the host
$ ffuf -u https://mydomain.com -w my_wordlist -H "Host: FUZZ.mydomain.com"

# Option 2
# But you'll have to wait for the timeout
$ ffuf -u https://FUZZ.mydomain.com -w my_wordlist
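Option 1 above sends every guess to the same IP address and only varies the Host header, so on the receiving web server the activity shows up as one client presenting many different Host values within seconds, usually all answered by the default virtual host. The script below is an added defender-side example, not part of the original cheatsheet; it assumes a constructed nginx-style log format that records $host ('$remote_addr - [$time_local] "$host" "$request" $status') and flags clients that present at least `threshold` distinct Host values inside a sliding time window. All log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, Optional

# Constructed log lines (nginx-style custom format that records the Host header).
# 203.0.113.7 behaves like the Host-header fuzzing option; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
198.51.100.4 - [10/Jan/2024:10:00:00 +0000] "www.mydomain.com" "GET / HTTP/1.1" 200
203.0.113.7 - [10/Jan/2024:10:00:01 +0000] "admin.mydomain.com" "GET / HTTP/1.1" 404
203.0.113.7 - [10/Jan/2024:10:00:01 +0000] "dev.mydomain.com" "GET / HTTP/1.1" 404
203.0.113.7 - [10/Jan/2024:10:00:01 +0000] "staging.mydomain.com" "GET / HTTP/1.1" 404
198.51.100.4 - [10/Jan/2024:10:00:02 +0000] "www.mydomain.com" "GET /login HTTP/1.1" 200
203.0.113.7 - [10/Jan/2024:10:00:02 +0000] "test.mydomain.com" "GET / HTTP/1.1" 404
203.0.113.7 - [10/Jan/2024:10:00:02 +0000] "api.mydomain.com" "GET / HTTP/1.1" 404
203.0.113.7 - [10/Jan/2024:10:00:03 +0000] "mail.mydomain.com" "GET / HTTP/1.1" 404
198.51.100.4 - [10/Jan/2024:10:00:05 +0000] "mail.mydomain.com" "GET / HTTP/1.1" 200
this line is not in the expected format and is skipped
"""

# Matches the assumed format: ip - [timestamp] "host" "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_vhost_fuzzing(lines: Iterable[str], threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, int]:
    """Return {client_ip: highest number of distinct Host values seen inside any
    window of window_seconds} for every client that reached the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], rec["host"].lower()))

    flagged: Dict[str, int] = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        in_window: Counter = Counter()   # host -> occurrences inside the current window
        left = 0
        for ts, host in events:
            in_window[host] += 1
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_host = events[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for ip, distinct in find_vhost_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {distinct} distinct Host values in one window")
```

Tune `threshold` and `window_seconds` to the site: a reverse proxy fronting many legitimate vhosts from one corporate egress IP will need a higher threshold than a single-site server, where any client presenting more than a handful of Host names is worth a look.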

And a lot more … Offensive Security Cheatsheet

Techniques

1. Google Dorks & Bing Dorks

# Google dorks are useful for finding new subdomains
site:wikipedia.org
site:*.wikipedia.org -www -store -jobs -uk

# When you use the Google dork site:*.example.com, NEVER forget to also check
site:*.*.example.com
site:*.*.*.example.com

# GitHub dorks also allow finding many subdomains
"teslamotors.com" password
# ...

2. Online services

Rapid7 DNS dataset ==> DNSDumpster

3. Zone transfer

The most simple and basic technique is to try an AXFR request directly on the DNS server:

$ dig @ns.example.com example.com AXFR

Best practice is to allow AXFR requests only from authorized (secondary) DNS servers, so the above technique will probably not work. But if it does, you have found a goldmine.

See also the Nmap script dns-nsec-enum.

4. Subject Alternative Name (SAN)

SAN is an extension of X.509 certificates that lists several names of the subject in one certificate. Companies often generate one certificate for multiple subdomains to save money.

We can look into certificates to hunt for subdomains in SANs using two different sources:

Censys.io

https://censys.io/certificates?q=.example.com

Crt.sh

https://crt.sh/?q=%25.example.com
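Whether the names come from certificate transparency (section 4) or from a zone transfer that should not have been allowed (section 3), the raw lists need the same post-processing: merge, strip wildcards and trailing dots, drop out-of-scope names, and then check which ones actually resolve, since certificate logs keep names long after the record was removed (the same NXDOMAIN problem noted for Sublist3r). The following is an added example, not code from the original cheatsheet or from crt.sh/dig; it assumes crt.sh's JSON output (`&output=json`, where each record's `name_value` holds the SAN entries separated by newlines) and dig's AXFR text output. Both inputs and the `FAKE_DNS` table are constructed so the script runs offline; pass `system_resolver` instead for real lookups.

```python
import json
import socket
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample shaped like crt.sh's JSON output; not real crt.sh data.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com\nVPN.Example.com"},
    {"common_name": "old.example.com",
     "name_value": "old.example.com"},
    # Out-of-scope name that merely contains the apex as a prefix.
    {"common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])

# Constructed sample of what `dig @ns.example.com example.com AXFR` prints when
# the server permits the transfer (zone content is invented).
AXFR_SAMPLE = """\
; <<>> DiG 9.18.1 <<>> @ns.example.com example.com AXFR
;; global options: +cmd
example.com.            3600  IN  SOA    ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.            3600  IN  NS     ns.example.com.
ns.example.com.         3600  IN  A      192.0.2.53
www.example.com.        300   IN  A      192.0.2.10
dev.example.com.        300   IN  CNAME  www.example.com.
_dmarc.example.com.     300   IN  TXT    "v=DMARC1; p=reject"
example.com.            3600  IN  SOA    ns.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed answers standing in for the real resolver (documentation range 192.0.2.0/24).
FAKE_DNS = {
    "example.com": "192.0.2.1",
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
    "ns.example.com": "192.0.2.53",
    "dev.example.com": "192.0.2.10",
}


def names_from_crtsh(raw_json: str) -> Set[str]:
    """Collect every CN and SAN entry from a crt.sh JSON response."""
    found: Set[str] = set()
    for record in json.loads(raw_json):
        found.add(record.get("common_name", ""))
        found.update(record.get("name_value", "").split("\n"))
    found.discard("")
    return found


def names_from_axfr(dig_output: str) -> Set[str]:
    """Collect owner names from dig's AXFR output; comment lines start with ';'."""
    found: Set[str] = set()
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()          # owner ttl class type rdata...
        if len(fields) >= 5 and fields[2] == "IN":
            found.add(fields[0])
    return found


def normalize(names: Iterable[str], apex: str) -> Set[str]:
    """Lowercase, drop trailing dots and wildcard labels, keep in-scope names only."""
    apex = apex.lower().rstrip(".")
    kept: Set[str] = set()
    for name in names:
        name = name.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name == apex or name.endswith("." + apex):
            kept.add(name)
    return kept


def system_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; None on NXDOMAIN or any other resolution failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def enumerate_subdomains(crtsh_json: str, axfr_output: str, apex: str,
                         resolver: Callable[[str], Optional[str]] = system_resolver,
                         ) -> Dict[str, Optional[str]]:
    """Merge certificate and zone-transfer names, then resolve each candidate."""
    candidates = normalize(names_from_crtsh(crtsh_json) | names_from_axfr(axfr_output), apex)
    return {name: resolver(name) for name in sorted(candidates)}


if __name__ == "__main__":
    results = enumerate_subdomains(CRTSH_SAMPLE, AXFR_SAMPLE, "example.com", FAKE_DNS.get)
    for name, ip in results.items():
        print(f"{name:22} {ip or 'NXDOMAIN (stale certificate or zone entry)'}")
```

The resolver is injected rather than hard-wired so the merge logic can be tested without network access; in real use `socket.gethostbyname` only returns an A record, so names that exist solely as CNAME, MX or TXT owners (like `_dmarc`) will show as unresolved even though the record is live.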

References