Subdomain enumeration

Methods to discover the subdomain of a root domain.

Certificate Transparency (CT) logs

Google dorks

dnsrecon

Basic command:

$ dnsrecon -t brt -d <domain>

Flags

-t: brt - Brute force domains and hosts using a given dictionary

-d : Domain to brute-force

sublist3r

sublist3r enumerates subdomains by utilizing many search engines such as Google, Yahoo, etc. and other services such as Netcraft, VirusTotal, etc.

Basic command:

$ sublist3r -d <domain>

Flags

-d: Domain to brute-force

ffuf

Ffuf can be utilized to fuzz the virtual hosts of an IP address. The HTTP Host header can be modified with different values to discover open virtual hosts.

$ ffuf -w ~/wordlists/namelist.txt -H "Host: FUZZ.domain.com" -u <target_url>

Flags

-w: Path to wordlist

-H: HTTP header to append to request

-u: Target URL

fs flag

Some web server may return a default status code and content for multiple virtual host addresses. These addresses will return a valid response to ffuf, causing it to be picked up as an active host. This may pollute the results, as these hosts may not actually be a functioning service.

The -fs flag can be used to filter out response sizes (of a fixed and predictable value), to remove the invalid default responses.

$ ffuf ... -fs <response_size>

amass

Basic command for subdomain enumeration:

$ amass enum -d <domain>

PreviousDirectories/URLs gathering NextFile inclusion

Last updated 1 month ago