Subdomain enumeration

Methods to discover the subdomain of a root domain.

Certificate Transparency (CT) logs

crt.sh | Certificate Searchcrt.sh

Google dorks

Google dorks | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

dnsrecon

Basic command:

$ dnsrecon -t brt -d <domain>

Flags

-t: brt - Brute force domains and hosts using a given dictionary

-d : Domain to brute-force

sublist3r

sublist3r enumerates subdomains by utilizing many search engines such as Google, Yahoo, etc. and other services such as Netcraft, VirusTotal, etc.

Basic command:

$ sublist3r -d <domain>

Flags

-d: Domain to brute-force

sublist3r | Kali Linux ToolsKali Linux

ffuf

Ffuf can be utilized to fuzz the virtual hosts of an IP address. The HTTP Host header can be modified with different values to discover open virtual hosts.

$ ffuf -w ~/wordlists/namelist.txt -H "Host: FUZZ.domain.com" -u <target_url>

Flags

-w: Path to wordlist

-H: HTTP header to append to request

-u: Target URL

fs flag

Some web server may return a default status code and content for multiple virtual host addresses. These addresses will return a valid response to ffuf, causing it to be picked up as an active host. This may pollute the results, as these hosts may not actually be a functioning service.

The -fs flag can be used to filter out response sizes (of a fixed and predictable value), to remove the invalid default responses.

$ ffuf ... -fs <response_size>

amass

Basic command for subdomain enumeration:

$ amass enum -d <domain>

GitHub - owasp-amass/amass: In-depth attack surface mapping and asset discoveryGitHub