Subdomain Enumeration: The Ultimate Guide

Subdomain Enumeration

At a Glance

Sub-domain enumeration is the process of finding sub-domains for one or more domains. It helps to broaden the attack surface and to find hidden applications and forgotten sub-domains.

Note: Vulnerabilities tend to be present across multiple domains and applications of the same organization.

Passive Enumeration

Active Enumeration

Tools

Amass 1

amass enum -passive -d example.com -o results.txt
Parameters
  • -passive: Disable DNS resolution of names and dependent features (passive data sources only).
  • -d: Domain names separated by commas.
  • -o: Path to the text file containing terminal stdout/stderr.

sublist3r 2

sublist3r -d example.com

Certificate Transparency

Certificate Transparency (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. It creates a system of public logs to record all certificates issued by publicly trusted CAs, allowing efficient identification of mistakenly or maliciously issued certificates.3

Some CT Logs search engines:

massdns 4

./scripts/ct.py example.com | ./bin/massdns -r ./lists/resolvers.txt -o S -w results.txt
Parameters
  • -r: Text file containing DNS resolvers.
  • -o: Flags for output formatting.
  • -w: Write to the specified output file.

crt.sh PostgreSQL Interface

#!/bin/sh
# Usage: ./crtsh.sh example.com
# Queries crt.sh's public PostgreSQL interface for every certificate identity ending in .example.com,
# strips wildcard prefixes and blank lines, and prints the unique names (the apex domain included).

domain="$1"

query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.${domain}'));"

(echo "$domain"; echo "$query" | \
    psql -t -h crt.sh -p 5432 -U guest certwatch | \
    sed -e 's:^ *::g' -e 's:^\*\.::g' -e '/^$/d' | \
    sed -e 's:\*\.::g';) | sort -u

Google Dorking

Use the site: operator to restrict results to the given domain. In general, “*” matches any single token, that is, one whole term without spaces.

site:*.example.com

Note: Other search engines, like Bing and DuckDuckGo, offer similar advanced search operators:

DNS Aggregators

ASN Enumeration

Refer to ASN Enumeration

Subject Alternative Name (SAN)

Subject Alternative Name (SAN) is an extension to X.509 that allows additional values to be associated with an SSL certificate. These values, or Names, include email addresses, URIs, DNS names, directory names, and more. 6

OpenSSL 7

true | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
Parameters
  • true |: Closes stdin so that s_client exits right after the handshake instead of waiting for input.
  • s_client: SSL/TLS client program.
  • -servername: Host name sent in the TLS SNI extension, so a server hosting several sites returns the certificate for example.com rather than its default one.
  • x509: Certificate display and signing utility; here it parses the certificate that s_client printed.
  • -noout: Do not output the encoded (PEM) certificate.
  • -text: Print the certificate in human-readable text form, including the Subject Alternative Name extension that the perl one-liner reads.
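Both the crt.sh script above and the OpenSSL one-liner end with the same chore: turning a pile of raw certificate names into a clean, in-scope list of sub-domains (lower-casing, dropping "*." wildcard labels, removing duplicates, and discarding look-alike names that merely contain the target). The following Python, added here as an illustration and not part of the original guide or of any of the tools it cites, does that normalisation once for both sources: the DNS: entries of `openssl x509 -text` output and the JSON that crt.sh returns for `?q=%.example.com&output=json`. Both inputs are constructed samples, and `normalize_names`, `sans_from_x509_text` and `names_from_crtsh_json` are this example's own names.

```python
import json
import re
from typing import Iterable, List, Set

# Constructed fragment of `openssl x509 -noout -text` output; not a real certificate.
X509_TEXT_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:*.api.example.com, DNS:mail.Example.COM
"""

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json.
# crt.sh packs several names into one row, separated by newlines.
CRTSH_JSON_SAMPLE = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com"},
    {"id": 2, "name_value": "*.api.example.com"},
    {"id": 3, "name_value": "staging.example.com\nexample.com.evil-lookalike.test"},
    {"id": 4, "name_value": "  VPN.example.com "},
])


def normalize_names(names: Iterable[str], scope: str) -> List[str]:
    """Lower-case, strip wildcard labels, drop empties and keep only in-scope names."""
    scope = scope.lower().strip(".")
    out: Set[str] = set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        # Same intent as the guide's `sed -e 's:^\*\.::g'`: drop leading wildcard labels.
        while name.startswith("*."):
            name = name[2:]
        if not name:
            continue
        # In scope means the apex itself or a label strictly under it; a plain
        # substring or suffix check would also accept "notexample.com".
        if name == scope or name.endswith("." + scope):
            out.add(name)
    return sorted(out)


def sans_from_x509_text(text: str) -> List[str]:
    """Pull DNS: entries out of `openssl x509 -text` output (the perl one-liner's regex)."""
    return re.findall(r"\bDNS:([^\s,]+)", text)


def names_from_crtsh_json(payload: str) -> List[str]:
    """Flatten the name_value column of a crt.sh JSON response into one list."""
    names: List[str] = []
    for row in json.loads(payload):
        names.extend(row.get("name_value", "").split("\n"))
    return names


if __name__ == "__main__":
    print("SAN:   ", normalize_names(sans_from_x509_text(X509_TEXT_SAMPLE), "example.com"))
    print("crt.sh:", normalize_names(names_from_crtsh_json(CRTSH_JSON_SAMPLE), "example.com"))
```

The scope check is the part worth keeping: certificate data is full of names from other organisations that happen to contain the target string, and a suffix test against "." plus the apex is what keeps them out of the result.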

Rapid7 Forward DNS dataset

The dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar.

Download Rapid7 Forward DNS datasets.

Brute Force Enumeration

Useful Wordlists:

Amass 1

amass enum -brute -w subdomains.txt -d example.com -o results.txt
Parameters
  • -brute: Execute brute forcing after searches.
  • -w: Path to wordlist file.
  • -d: Domain names separated by commas.
  • -o: Path to the text file containing terminal stdout/stderr.

massdns 4

./scripts/subbrute.py subdomains.txt example.com | ./bin/massdns -r ./lists/resolvers.txt -o S -w results.txt
Parameters
  • -r: Text file containing DNS resolvers.
  • -o: Flags for output formatting.
  • -w: Write to the specified output file.

gobuster 8

gobuster dns -t 30 -w subdomains.txt -d example.com
Parameters
  • dns: DNS subdomain bruteforcing mode.
  • -d: target domain.
  • -t <n>: number of concurrent threads (default 10).
  • -w <wordlist>: path to the wordlist.
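Whichever of the three brute-force tools above is used, the result is only as good as the resolver's answers, and the classic failure mode is a wildcard DNS record: every label under the domain resolves, so the whole wordlist comes back as "found". The Python below is an added example, not code from the guide or from Amass, massdns or gobuster; it shows the check a practitioner wants in front of any brute-force run: resolve a few random labels first, treat whatever they answer with as the wildcard signature, and report names that merely match that signature separately from genuinely distinct hits. DNS is replaced by constructed in-memory resolvers (`wildcard_resolver`, `strict_resolver`) so the example runs offline; `detect_wildcard`, `brute_force` and `FAKE_ZONE` are this example's own names.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A resolver maps a hostname to its set of A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[Set[str]]]

# Constructed stand-in for real DNS (no network): example.com carries a wildcard
# record, so any unknown label under it answers with 203.0.113.9 (TEST-NET-3).
FAKE_ZONE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.11"},
    "dev.example.com": {"203.0.113.9"},   # a real host that shares the wildcard address
}


def wildcard_resolver(name: str) -> Optional[Set[str]]:
    """Zone with a *.example.com record: unknown names still resolve."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return {"203.0.113.9"} if name.endswith(".example.com") else None


def strict_resolver(name: str) -> Optional[Set[str]]:
    """Same zone without the wildcard, for comparison."""
    return FAKE_ZONE.get(name)


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels nobody would put in a wordlist; whatever they
    answer with is the wildcard signature (an empty set means no wildcard)."""
    answers: Set[str] = set()
    for _ in range(probes):
        got = resolve(f"{secrets.token_hex(8)}.{domain}")
        if got:
            answers |= got
    return answers


def brute_force(domain: str, words: Iterable[str], resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Return (confirmed, suspect). Names whose answers are a subset of the wildcard
    signature cannot be trusted and are listed separately instead of being dropped,
    because a real host may legitimately share the wildcard address (dev.example.com here)."""
    wildcard = detect_wildcard(domain, resolve)
    confirmed: List[str] = []
    suspect: List[str] = []
    for word in words:
        host = f"{word.strip().lower()}.{domain}"
        got = resolve(host)
        if not got:
            continue
        (suspect if wildcard and got <= wildcard else confirmed).append(host)
    return confirmed, suspect


WORDLIST = ["www", "mail", "dev", "ftp", "admin"]   # constructed mini wordlist


if __name__ == "__main__":
    for label, resolver in (("wildcard", wildcard_resolver), ("no wildcard", strict_resolver)):
        confirmed, suspect = brute_force("example.com", WORDLIST, resolver)
        print(f"{label}: confirmed={confirmed} suspect={suspect}")
```

Suspect names are not discarded, since a real host can sit behind the same address as the wildcard; they need a second signal (a different record type, an HTTP response that differs from the wildcard's, a certificate name) before they count as found.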

DNS

Zone Transfer

DNS zone transfer is one mechanism to replicate DNS databases across DNS servers.

Note: The transfer begins with the client sending an AXFR query to the server.

More under DNS Service Enumeration Zone Transfers

dnsrecon 9

dnsrecon -a -d tesla.com
Parameters
  • -a: Perform AXFR with standard enumeration.
  • -d: Domain.

dig

dig axfr @ns1.example.com example.com
Parameters
  • axfr: initiate an AXFR zone transfer query.
  • @ns1.example.com: name or IP of the server to query.
  • example.com: name of the resource record that is to be looked up.

CNAME Records

A Canonical Name record (CNAME) is a type of DNS record that maps one domain name (an alias) to another (the canonical name).

CNAMEs may reveal an organization’s sub-domains and information about running services.

dig

dig +short -x `dig +short example.com`
Parameters
  • +short: Provide a terse answer.
  • -x <addr>: Simplified reverse lookups, for mapping addresses to names.

SPF Records

A Sender Policy Framework record (SPF) is a type of TXT DNS record used as an email authentication method. It specifies the mail servers authorized to send emails for your domain.

SPF helps protect domains from spoofing.

Note: Organizations sometimes list internal netblocks in their SPF record.

dig

dig +short TXT example.com
Parameters
  • +short: Provide a terse answer.
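The value `dig +short TXT example.com` prints is a single quoted string of SPF terms, and the enumeration value sits in its arguments: ip4/ip6 netblocks (including any internal ranges that leaked into the policy, as the note above warns), include and redirect targets that name third-party senders, and a/mx hosts that are often further sub-domains. The Python below is an added example, not part of the guide, that parses such a record into those groups and flags netblocks inside RFC 1918 or IPv6 ULA space. The record is a constructed sample, and `parse_spf`, `internal_netblocks` and `RFC1918_AND_ULA` are this example's own names.

```python
import ipaddress
from typing import Dict, List

# Constructed record in the form `dig +short TXT example.com` prints it (a quoted string);
# the 10.20.0.0/16 entry stands in for an internal netblock that leaked into the policy.
SPF_SAMPLE = ('"v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 ip4:10.20.0.0/16 '
              'ip6:2001:db8::/32 include:_spf.mailvendor.test a:relay.example.com mx -all"')

RFC1918_AND_ULA = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_spf(txt: str, domain: str) -> Dict[str, object]:
    """Split an SPF TXT record into netblocks, include/redirect targets,
    a/mx hosts and the qualifier attached to the final 'all'."""
    # dig splits long TXT records into several quoted chunks; rejoin them first.
    record = txt.strip().strip('"').replace('" "', '')
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    found: Dict[str, object] = {"netblocks": [], "includes": [], "hosts": [], "all": None}
    for term in terms[1:]:
        qualifier = "+"                       # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier such as redirect=_spf.other.test
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                found["includes"].append(value.lower())
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # strict=False so a host address like 198.51.100.7 becomes a /32 network
            found["netblocks"].append(str(ipaddress.ip_network(arg, strict=False)))
        elif mech == "include":
            found["includes"].append(arg.lower())
        elif mech.split("/")[0] in ("a", "mx"):
            # "a" / "mx" without an argument refer to the domain itself; drop any CIDR suffix
            found["hosts"].append((arg.split("/")[0] or domain).lower())
        elif mech == "all":
            found["all"] = qualifier
    return found


def internal_netblocks(netblocks: List[str]) -> List[str]:
    """Netblocks inside RFC 1918 or IPv6 ULA space, which do not belong in a public SPF record."""
    out: List[str] = []
    for n in netblocks:
        net = ipaddress.ip_network(n)
        if any(net.version == r.version and net.subnet_of(r) for r in RFC1918_AND_ULA):
            out.append(n)
    return out


if __name__ == "__main__":
    parsed = parse_spf(SPF_SAMPLE, "example.com")
    print(parsed)
    print("internal:", internal_netblocks(parsed["netblocks"]))
```

The include and redirect targets deserve a second query each; SPF evaluation follows them recursively, and the guide's `dig +short TXT` command applies to those names unchanged.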

HTTP Headers

Content Security Policy (CSP)

The HTTP Content-Security-Policy response header allows website administrators to control resources the browser is allowed to load for a given page.

Note: Deprecated forms of the CSP header, X-Content-Security-Policy and X-Webkit-CSP, may still be present.

curl

curl -I -s -L https://www.maxrodrigo.com | grep -iE 'Content-Security|CSP'
Parameters
  • -I: Fetch the headers only.
  • -s: Quiet mode.
  • -L: Follow 3XX redirections.
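The grep above only shows that a CSP header exists; the sub-domains are inside its value, as host sources in directives such as script-src and connect-src. The Python below is an added example, not code from the guide or from curl, that reads the raw response head the curl command fetches, picks out the current header and the two deprecated names mentioned in the note, and extracts the in-scope host names from every directive while skipping keyword sources ('self', 'none', nonces), scheme-only sources (https:, data:), ports, paths and wildcard prefixes. The response head and policy are constructed samples, and `csp_values`, `hosts_from_csp` and `subdomains_from_response` are this example's own names.

```python
import re
from typing import List, Optional

# The header names the curl | grep command is looking for (case-insensitive).
CSP_HEADER_NAMES = {"content-security-policy", "x-content-security-policy", "x-webkit-csp"}

# Constructed policy value; not taken from any real site.
CSP_SAMPLE = ("default-src 'self'; script-src 'self' https://cdn.example.com static.example.com:8443 "
              "'unsafe-inline' https://*.assets.example.com; img-src data: https:; "
              "connect-src wss://rt.example.com https://api.partner.test; frame-ancestors 'none'")

# Constructed response head in the shape `curl -I` prints it.
RAW_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Security-Policy: " + CSP_SAMPLE + "\r\n"
    "X-WebKit-CSP: default-src 'self' legacy.example.com\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def csp_values(raw_head: str) -> List[str]:
    """Values of every CSP-family header in a raw HTTP response head."""
    values: List[str] = []
    for line in raw_head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CSP_HEADER_NAMES:
            values.append(value.strip())
    return values


def hosts_from_csp(header: str, scope: Optional[str] = None) -> List[str]:
    """Host names used as sources anywhere in a CSP value, optionally limited to a domain."""
    hosts = set()
    for directive in header.split(";"):
        tokens = directive.split()
        for src in tokens[1:]:                       # tokens[0] is the directive name
            if src.startswith("'") or src.endswith(":"):
                continue                             # keyword/nonce/hash, or scheme-only source
            host = SCHEME_RE.sub("", src).split("/")[0]   # drop scheme and path
            host = re.sub(r":\d+$", "", host).lower()     # drop port
            if host.startswith("*."):
                host = host[2:]                      # wildcard source still names the parent
            if not host or "." not in host:
                continue
            if scope and not (host == scope or host.endswith("." + scope)):
                continue
            hosts.add(host)
    return sorted(hosts)


def subdomains_from_response(raw_head: str, scope: str) -> List[str]:
    """End-to-end: response head in, sorted in-scope host names out."""
    return sorted({h for value in csp_values(raw_head) for h in hosts_from_csp(value, scope)})


if __name__ == "__main__":
    print(subdomains_from_response(RAW_RESPONSE_HEAD, "example.com"))
```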

Further Reading


  1. “GitHub - OWASP/Amass: In-Depth Attack Surface Mapping and Asset Discovery.” GitHub, https://github.com/OWASP/Amass. ↩︎

  2. aboul3la. “GitHub - Aboul3la/Sublist3r: Fast Subdomains Enumeration Tool for Penetration Testers.” GitHub, https://github.com/aboul3la/Sublist3r. ↩︎

  3. “What Is Certificate Transparency?” Certificate Transparency, https://www.certificate-transparency.org/what-is-ct. ↩︎

  4. blechschmidt. “GitHub - Blechschmidt/Massdns: A High-Performance DNS Stub Resolver for Bulk Lookups and Reconnaissance.” GitHub, https://github.com/blechschmidt/massdns. ↩︎

  5. “VirusTotal += Passive DNS Replication.” VirusTotal Blog, https://blog.virustotal.com/2013/04/virustotal-passive-dns-replication.html. ↩︎

  6. OpenSSL Foundation, Inc. “X509v3_config.” OpenSSL, https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name. ↩︎

  7. OpenSSL Foundation, Inc. “openssl(1) Manual Page.” OpenSSL, https://www.openssl.org/docs/manmaster/man1/openssl.html. ↩︎

  8. Reeves, OJ. “GitHub - OJ/Gobuster.” GitHub, https://github.com/OJ/gobuster. ↩︎

  9. darkoperator. “GitHub - Darkoperator/Dnsrecon: DNS Enumeration Script.” GitHub, https://github.com/darkoperator/dnsrecon. ↩︎