In the previous part we gathered IPs, CIDRs, ASNs, IP ranges, live IPs, open ports, and hostnames (subdomains). This time we dive into subdomain enumeration tools and techniques. But first, a quick look at the basics of TLDs, domains, and the different domain levels.
Domain Hierarchy
For beginner bug hunters, sub-domain enumeration is essential because it lets you:
- Discover hidden vulnerabilities: sub-domains are the lesser-known parts of a website, where bugs are more likely to have gone unnoticed.
- Expand the attack surface: every sub-domain is another host, stack and team to test, giving a broader view of the organisation's infrastructure.
- Find sensitive information: some sub-domains expose staging data, internal tools or admin panels that were never meant to be public.
- Spot mis-configurations: sub-domains often run outdated plugins, scripts or frameworks and are patched less diligently than the main site.
- Improve overall security: reporting bugs on sub-domains helps the organisation secure its entire web presence, not just the main site.
Common DNS- and domain-level attacks to keep in mind while enumerating:
- DNS hijacking (DNS redirection): attackers change the domain's DNS settings to redirect users to malicious sites.
- DNS spoofing (cache poisoning): corrupting DNS cache entries so that resolvers return malicious answers.
- Sub-domain takeover: claiming the dangling resource (for example a CNAME pointing at a deleted cloud app or bucket) that a forgotten sub-domain still points to, and so serving content under the victim's name.
- Domain squatting (cybersquatting): registering domains similar to well-known brands to profit from user mistakes.
- Typosquatting: registering common typos of popular domains to catch mistyped URLs.
- DNS tunneling: smuggling data inside DNS queries and responses, typically to exfiltrate data or bypass egress filtering.
- DNS amplification: abusing open DNS resolvers to amplify traffic for Distributed Denial of Service (DDoS) attacks.
Step 1: Collecting All Subdomains
First, we need to gather every subdomain we can for our target, from both web services and terminal tools:
Website tools:
- crt.sh: Certificate Transparency logs, which reveal every hostname a public TLS certificate was issued for.
- VirusTotal: passive DNS, historical records and a relationship graph for a domain.
- Chaos (ProjectDiscovery): a daily-updated dataset of subdomains for public bug bounty programs.
Terminal tools:
- subfinder: fast passive subdomain discovery.
- amass: deep passive and active enumeration.
- chaos client: the Chaos dataset from the command line.
- ffuf: brute-force subdomains (and directories) from a wordlist.
- oneforall: all-in-one subdomain hunter (VPC only).
- massdns: mass DNS resolution (VPC only).
- shuffledns: wordlist brute force and resolution on top of massdns, with wildcard filtering (VPC only).
Step 2: Filtering Out Duplicates and Finding Live Ones
Step 3: Analyzing Live Subdomains
Uncover Subdomains with crt.sh
crt.sh is a search interface over Certificate Transparency (CT) logs. Every publicly trusted TLS certificate is logged, and the Common Name and Subject Alternative Names on those certificates often list subdomains that no wordlist would guess.
1. Visit crt.sh
 Open your browser and go to [crt.sh](https://crt.sh).
2. Search for your domain
 In the search bar, type `%.domain.com` (replace this with your actual domain). The `%` wildcard matches any prefix, so all subdomains are returned; searching plain `domain.com` only matches that exact identity.
3. Inspect the results
 You get a list of certificates with their ID, matching identities (domains and subdomains), issuer name and validity dates. Entries for expired certificates are still useful: the host may still be up, or may be a dangling record worth checking for takeover.
4. Gather the subdomains
 Copy the hostnames into your own list. Lowercase them and strip the `*.` prefix from wildcard entries (a wildcard certificate only tells you the parent name, not the hosts under it). You can also fetch the same data as JSON with `https://crt.sh/?q=%25.domain.com&output=json` (`%25` is the URL-encoded `%`).
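Copying hostnames out of the crt.sh web page by hand does not scale, so here is the parsing step as an added example (my code, not from the original post or from crt.sh). It reads a crt.sh JSON body of the shape the `output=json` endpoint returns, splits the newline-separated `name_value` field, lowercases the names, drops wildcard prefixes and trailing dots, rejects look-alike names that are not actually under the target root (such as `example.com.evil.net`), and deduplicates. The sample records are constructed to mimic the endpoint's shape; `fetch_crtsh` is the only part that touches the network and is not needed for the parsing itself.

```python
"""Parse a crt.sh JSON response into a deduplicated, in-scope subdomain list.

Added example (not from the original post). The sample records are constructed
to mimic the shape of https://crt.sh/?q=%25.example.com&output=json.
"""
import json
import re
from typing import List, Optional
from urllib.parse import quote
from urllib.request import urlopen

# Conservative hostname check: dotted labels, alphabetic TLD, <= 253 chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample in crt.sh's JSON shape: one object per log entry,
# name_value carrying all SAN names separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com\nWWW.EXAMPLE.COM",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\n*.staging.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn-old.example.com",          # expired cert: host may be dangling
     "name_value": "vpn-old.example.com\nexample.com.evil.net\nmail.example.com.",
     "not_before": "2021-01-01T00:00:00", "not_after": "2021-04-01T00:00:00"},
])


def normalize_name(name: str, root: str) -> Optional[str]:
    """Lowercase, drop wildcard prefix and trailing dot; keep only names under root."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]            # *.staging.example.com -> staging.example.com
    if not HOSTNAME_RE.match(host):
        return None
    if host != root and not host.endswith("." + root):
        return None                # example.com.evil.net is NOT in scope
    return host


def extract_subdomains(crtsh_json: str, root: str) -> List[str]:
    """Return sorted unique hostnames under `root` from a crt.sh JSON body."""
    found = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize_name(raw, root)
            if host:
                found.add(host)
    return sorted(found)


def fetch_crtsh(root: str, timeout: int = 30) -> str:
    """Live query (network required): same data the crt.sh web UI shows."""
    url = f"https://crt.sh/?q={quote('%.' + root)}&output=json"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_crtsh(root) for real data.
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The scope check is the important line: CT search results for `%.example.com` can include certificates whose other SAN entries belong to unrelated domains, and a list that silently contains `example.com.evil.net` will later send your probes at someone else's infrastructure.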
Explore Domains with VirusTotal
VirusTotal aggregates a great deal of information about a domain, not just malware verdicts. The two tabs that matter for recon:
Details tab
- DNS records: where the domain currently points.
- Whois record: registrant and registrar data.
- Certificate details: the TLS certificates VirusTotal has seen for the domain.
Relations tab
- Passive DNS replication: DNS answers observed over time, including records that no longer exist.
- Subdomains: every subdomain VirusTotal has observed.
- Communicating files: files that have contacted the domain.
- Historical Whois lookups / SSL certificates: the domain's history.
- Graph: all of the above visualised as a relationship graph (the most useful view).
Steps:
1. Go to virustotal.com and log in or register.
2. Enter the bare domain name without a scheme, `www` or trailing slash. Example: type `facebook.com`, not `https://www.facebook.com/`.
3. Go to the Relations tab, open the Graph, and click the `www` node.
4. Double-click the subdomain nodes to expand them and load more subdomains.
5. In the pop-up that appears, click the download button.
6. You now have VirusTotal's subdomain list for the target.
If you prefer the terminal, the same data is available from the v3 API (`GET https://www.virustotal.com/api/v3/domains/<domain>/subdomains` with your key in the `x-apikey` header); the free tier is rate-limited, so page through the results slowly.
Get Subdomains with Chaos (ProjectDiscovery)
Chaos is ProjectDiscovery's dataset of subdomains for publicly listed bug bounty programs worldwide. It is free and updated daily, which makes it a quick first stop before running your own tools.
Steps:
1. Open your browser and visit the Chaos website (chaos.projectdiscovery.io).
2. Type the target name in the search box. Example: type `facebook` to search for Facebook's programs.
3. Download the file for the matching program to get the complete list of subdomains. The terminal client (`chaos`) returns the same data but needs a ProjectDiscovery API key.
Keep in mind that Chaos only covers domains that are in a public program, and that the dataset reflects what ProjectDiscovery's own enumeration found; treat it as a seed list, not the ground truth.
Power of Amass for Subdomain Enumeration
Amass (an OWASP project) combines passive data sources with active DNS work (resolution, brute force, zone transfers) to produce the most complete results of the tools here, at the cost of speed and noise. Typical invocations for bug bounty and penetration testing:

```bash
# Default enumeration: passive sources plus DNS resolution of what they return.
# Add -passive to skip resolution entirely (quiet, but includes dead names).
amass enum -d example.com -o subdomains.txt

# Brute force with your own wordlist on top of the data sources
amass enum -d example.com -brute -w wordlist.txt -o subdomains.txt

# Seed the enumeration with an ASN or a CIDR (Amass v3 enum flags;
# the CLI changed in v4, so confirm with `amass enum -h` on your version)
amass enum -d example.com -asn 13335
amass enum -d example.com -cidr 192.168.1.0/24
```

The `-o subdomains.txt` flag saves the discovered names to a text file. Active modes generate real DNS traffic against the target's resolvers, so stay inside the program's scope and rate limits.
Power of OneForAll Subdomain Enumeration
OneForAll is an all-in-one subdomain tool that queries many data sources, brute-forces names, resolves them, probes them over HTTP(S) and checks for takeover candidates. By default every module runs; the flags below switch individual stages off when you only want part of the pipeline.

```bash
# Basic enumeration for a single target domain (results land in the results/ directory)
python3 oneforall.py --target example.com run

# Enumeration for multiple target domains listed in a file (one per line)
python3 oneforall.py --targets ./domains.txt run

# Skip the alive check of discovered subdomains
python3 oneforall.py --target example.com --alive False run

# Skip brute-force subdomain enumeration (passive sources only)
python3 oneforall.py --target example.com --brute False run

# Use the medium port range when probing discovered hosts
python3 oneforall.py --target example.com --port medium run

# Output results in CSV format
python3 oneforall.py --target example.com --fmt csv run

# Skip DNS resolution of discovered subdomains
python3 oneforall.py --target example.com --dns False run

# Skip HTTP(S) request checks of discovered subdomains
python3 oneforall.py --target example.com --req False run

# Skip the subdomain takeover check
python3 oneforall.py --target example.com --takeover False run

# Print detailed results in the console
python3 oneforall.py --target example.com --show True run
```

For a deep dive into usage and commands, see the official documentation: [GitHub Documentation](https://github.com/shmilylty/OneForAll/blob/master/docs/en-us/README.md).
Many of OneForAll's data sources need API keys configured in its `config/api.py`; without them you only get the keyless sources, so compare its output with subfinder and amass rather than trusting any one tool.
Power of Subfinder Subdomain Enumeration
Subfinder (ProjectDiscovery) discovers subdomains purely from passive online sources. It does one thing, does it fast, and sends no traffic to the target, which makes it the usual first tool to run.

```bash
# Basic usage: find subdomains for a single domain and save them to a file
subfinder -d example.com -o subdomains.txt

# Find subdomains for multiple domains listed in a file (one per line)
subfinder -dL domains.txt -o subdomains.txt

# Use every available source, including the slow ones (may take a while)
subfinder -d example.com -all -o subdomains.txt
```

The `-o subdomains.txt` flag saves the output to a text file. Several sources (SecurityTrails, Shodan, Censys, Chaos and others) only return data once you add API keys to `~/.config/subfinder/provider-config.yaml`; `-all` without keys is not much better than the default.
Subfinder is widely favoured among bug bounty hunters because of its speed and coverage, but being passive it also returns names that no longer resolve, which is why the live-host step later matters.
FFuF: The Furious Web Fuzzer
FFuF (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It brute-forces subdomains and virtual hosts, discovers directories and files, and fuzzes parameters: put the keyword `FUZZ` wherever the wordlist entries should go and ffuf substitutes each one.

```bash
# Subdomain brute force: each candidate is resolved via DNS and requested over HTTP.
# Names that do not resolve fail silently, so only real hosts show up.
ffuf -u http://FUZZ.example.com -w /path/to/wordlist.txt

# Directory and file discovery on a single host
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt

# Append specific extensions to every wordlist entry
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt -e .php,.html,.js

# Match only selected status codes
ffuf -u http://example.com/FUZZ -w /path/to/wordlist.txt -mc 200,301

# Virtual host discovery: the Host header is fuzzed against a fixed IP/URL, which finds
# names that exist only in the web server's vhost config and not in public DNS.
# Filter out the default vhost response (-fs <its size>) or every entry "matches".
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /path/to/wordlist.txt -v -fs 4242
```

The original vhost command in this post sent `-H "Host: example.com"` with `FUZZ` only in the URL, which pins every request to the same virtual host; the fuzzed name has to be in the `Host` header for vhost discovery to work. The size given to `-fs` is whatever the server returns for a nonsense Host value on your target, not a fixed number.
Bug bounty hunters swear by FFuF as a first choice for aggressive but effective reconnaissance. Remember that brute force is noisy: a wordlist of 100k entries is 100k DNS queries and HTTP requests against the target.
Now we merge the individual result files into one list. Suppose we have saved:
- crt.sh: subdomains saved to crtsh.txt
- VirusTotal: subdomains saved to virustotal.txt
- Amass: subdomains saved to amass.txt
- OneForAll: subdomains saved to oneforall.txt
- Subfinder: subdomains saved to subfinder.txt
- ffuf: subdomains saved to ffuf.txt

```bash
# Combine all files, then drop exact duplicates (sort -u) so every host is probed once
cat crtsh.txt virustotal.txt amass.txt oneforall.txt subfinder.txt ffuf.txt | sort -u > final-subdomains.txt
```

`sort -u` only removes exact duplicates. The tools do not all emit bare hostnames (some write URLs, uppercase names, wildcard entries or CSV rows), so normalise the lines before deduplicating or `WWW.Example.com` and `www.example.com` will both survive.
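Here is that normalisation step as an added example (my code, not from the original post or from any of the tools). It takes the raw text of each result file, splits CSV-ish rows into tokens, strips URL schemes, ports and paths, lowercases, removes `*.` prefixes and trailing dots, keeps only hostnames under the target root, and returns the sorted union. The sample outputs are constructed to show the different line shapes you actually meet; the file names match the merge step above, and `merge_files` applies the same logic to your real files.

```python
"""Normalize, scope-filter and deduplicate subdomain lists from several tools.

Added example (not from the original post). The tool outputs below are
constructed to show the shapes you actually get (bare hosts, URLs, uppercase,
wildcards, trailing dots, CSV-style rows); names match the merge step above.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Conservative hostname check: dotted labels, alphabetic TLD, <= 253 chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample outputs, keyed by the file names used in the merge step.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "crtsh.txt": "www.example.com\n*.dev.example.com\nWWW.Example.COM\n",
    "amass.txt": "api.example.com\nmail.example.com.\n",
    "subfinder.txt": "api.example.com\ncdn.example.com\n",
    "ffuf.txt": "http://admin.example.com\nhttps://intranet.example.com:8443/login\n",
    # CSV-style rows with a header line (constructed columns, not a real tool schema)
    "oneforall.txt": "id,alive,subdomain\n1,1,shop.example.com\n2,0,example.com.attacker.io\n",
}


def extract_host(token: str) -> str:
    """Pull a bare lowercase hostname out of a token that may be a URL or host:port."""
    token = token.strip().lower()
    if "://" in token:
        token = urlsplit(token).hostname or ""   # scheme, port and path dropped
    else:
        token = token.split("/")[0].split(":")[0]
    if token.startswith("*."):
        token = token[2:]                        # wildcard entry -> parent name
    return token.rstrip(".")                     # FQDN trailing dot


def candidate_tokens(line: str) -> Iterable[str]:
    """Split a raw line on commas and whitespace so CSV rows still yield hosts."""
    for part in re.split(r"[,\s]+", line.strip()):
        if part:
            yield part


def in_scope(host: str, root: str) -> bool:
    """True only for the root itself or names that end with '.<root>'."""
    return host == root or host.endswith("." + root)


def merge(outputs: Dict[str, str], root: str) -> List[str]:
    """Union of all in-scope hostnames across tool outputs, sorted and unique."""
    hosts = set()
    for text in outputs.values():
        for line in text.splitlines():
            for tok in candidate_tokens(line):
                host = extract_host(tok)
                if HOSTNAME_RE.match(host) and in_scope(host, root):
                    hosts.add(host)
    return sorted(hosts)


def merge_files(paths: List[str], root: str) -> List[str]:
    """Same as merge() but reading the real files your tools produced."""
    outputs: Dict[str, str] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            outputs[path] = fh.read()
    return merge(outputs, root)


if __name__ == "__main__":
    # Offline demo on the constructed sample. For real files:
    # merge_files(["crtsh.txt", "amass.txt", ...], "example.com")
    for host in merge(SAMPLE_OUTPUTS, "example.com"):
        print(host)
```

The `in_scope` check is deliberately a suffix match on `.example.com`, not a substring match: `example.com.attacker.io` contains the root but is someone else's domain, and probing it would put you outside the program's authorisation.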
With duplicates removed, the next job is to find the active hosts, the ones that actually answer. Two complementary checks:
Using httpx: probe each name over HTTP/HTTPS to see which ones respond to web requests. On Kali the ProjectDiscovery binary is installed as `httpx-toolkit` (the plain `httpx` name belongs to the unrelated Python library), so substitute that name if `httpx` is not found.

```bash
# Find hosts that answer over HTTP/HTTPS; -sc and -title make the output readable
cat final-subdomains.txt | httpx -silent -sc -title
# Equivalent, reading the list directly
httpx -l final-subdomains.txt -silent -sc -title
```

Using dnsx: run fast DNS queries to confirm which names still have active records. A name can resolve without serving a website (mail, VPN, internal services), so keep the dnsx results even when httpx reports nothing.

```bash
# Find names with an A record; -resp prints the resolved address next to the name
cat final-subdomains.txt | dnsx -silent -a -resp
```

If the target uses wildcard DNS, every name resolves and the dnsx list becomes meaningless; compare a few random nonsense names against the root, and use a resolver with wildcard filtering (shuffledns) for brute-forced names. Take your pick of the two checks and build your list of live hosts.
Ever wondered what is actually behind those subdomains? EyeWitness shows you.
EyeWitness is an open-source tool that takes screenshots of the websites, services and applications on a list of hosts and produces an HTML report. For pen testers and bounty hunters it is the fastest way to triage hundreds of live hosts: a login page, a default IIS page and a staging dashboard look very different in a thumbnail.
EyeWitness is not limited to web targets; it also handles RDP and VNC endpoints, making it a single recon and reporting tool.

```bash
# Basic screenshot capture from a list of URLs/subdomains (use the httpx output here)
EyeWitness.py --web -f urls.txt -d output

# Use an Nmap XML scan as input so every discovered web port gets captured
EyeWitness.py --web -x nmap_output.xml -d output

# Add extra ports to try on each host (check EyeWitness.py -h: the port options are
# --add-http-ports, --add-https-ports and --only-ports, not a single --ports flag)
EyeWitness.py --web -f urls.txt --add-http-ports 8080 --add-https-ports 8443 -d output
```

Once it finishes, open the report in the output folder. The screenshots are a visual index of each URL or subdomain, so you can pick the interesting ones before spending time on manual testing.
With this guide you now have the basics of the domain hierarchy, the reasons sub-domain enumeration matters, and how to use amass, subfinder, oneforall, ffuf, VirusTotal, crt.sh and Chaos to build, deduplicate and verify a subdomain list.
Stay tuned for the next part of this series, where we go deeper into advanced recon techniques.
Until then, happy hunting and keep exploring.