Subdomain Enumeration: The Ultimate Guide

Subdomain Enumeration #

At a Glance #

Sub-domain enumeration is the process of finding the sub-domains of one or more domains. It broadens the attack surface and turns up hidden applications and forgotten hosts.

Note: Vulnerabilities tend to be present across multiple domains and applications of the same organization.

Passive Enumeration #

Active Enumeration #

Tools #

Amass 1 #

amass enum -passive -d -o results.txt
  • -passive: Disable DNS resolution of names and the features that depend on it (data-source queries only).
  • -d: Domain names separated by commas.
  • -o: Path to the text file containing terminal stdout/stderr.

sublist3r 2 #

sublist3r -d

Certificate Transparency #

Certificate Transparency (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. It creates a system of public logs to record all certificates issued by publicly trusted CAs, allowing efficient identification of mistakenly or maliciously issued certificates.3

Some CT Logs search engines:

massdns 4 #

./scripts/ | ./bin/massdns -r ./lists/resolvers.txt -o S -w results.txt
  • -r: Text file containing DNS resolvers.
  • -o: Flags for output formatting.
  • -w: Write to the specified output file.

PostgreSQL Interface #


# Suffix-match every dNSName in crt.sh's certificate_identity table.
# $1 is the target domain. Reversing both sides turns the suffix match into a
# prefix match ('moc.elpmaxe.%'), which the database can serve from an index.
query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.$1'));"

# The pattern only matches names below the apex, so the apex is echoed first.
# The sed passes strip leading spaces, wildcard prefixes ('*.') and blank rows.
(echo "$1"; echo $query | \
    psql -t -h -p 5432 -U guest certwatch | \
    sed -e 's:^ *::g' -e 's:^\*\.::g' -e '/^$/d' | \
    sed -e 's:\*\.::g';) | sort -u
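The clean-up that the sed/sort pipeline above performs, as an added Python example that is not part of the original page or of crt.sh: it lowercases each row, strips wildcard prefixes and blank rows, and keeps only names under the target domain using the same suffix comparison the SQL performs with reversed strings, so a lookalike such as notexample.com is rejected. The input rows are constructed to resemble psql -t output; example.com stands in for the target domain.

```python
"""Normalise raw Certificate Transparency name values (added example).

Mirrors the sed/sort pipeline: strip whitespace and wildcard prefixes,
lower-case, drop blanks, keep only names inside the target domain,
de-duplicate. SAMPLE_ROWS is constructed, not real crt.sh output.
"""


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it.

    Same idea as the SQL suffix match: 'notexample.com' must not count
    as a subdomain of 'example.com', so compare on the '.'-prefixed suffix.
    """
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)


def normalise_ct_names(rows, domain):
    """Turn raw NAME_VALUE rows into a sorted, unique list of hostnames."""
    seen = set()
    for raw in rows:
        name = raw.strip().lower()
        # Wildcard certificates are stored as '*.host'; the wildcard itself is
        # not a resolvable name, so keep the base name only.
        while name.startswith("*."):
            name = name[2:]
        if not name or not in_scope(name, domain):
            continue
        seen.add(name)
    return sorted(seen)


# Constructed sample rows, shaped like psql -t output for the query above
# (leading space, wildcards, mixed case, duplicates, blanks, lookalikes).
SAMPLE_ROWS = [
    "  www.example.com",
    "*.example.com",
    "*.staging.example.com",
    "API.Example.com",
    "www.example.com",
    "",
    "notexample.com",
    "example.com.evil.test",
    "example.com",
]

if __name__ == "__main__":
    for host in normalise_ct_names(SAMPLE_ROWS, "example.com"):
        print(host)
```

The reversed-string comparison in the SQL is worth keeping in any hand-written variant: a pattern with a trailing wildcard is indexable, a pattern with a leading wildcard is not, and the crt.sh database is large enough for that to matter.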

Google Dorking #

Use the site: operator to restrict results to the given domain. The “*” wildcard matches any single token, that is, one whole term with no spaces.



Other search engines, like Bing and DuckDuckGo, offer similar advanced search operators:

DNS Aggregators #

ASN Enumeration #

Refer to ASN Enumeration

Subject Alternative Name (SAN) #

Subject Alternative Name (SAN) is an extension to X.509 that allows additional values to be associated with an SSL certificate. These values, or Names, include email addresses, URIs, DNS names, directory names, and more. 6

OpenSSL 7 #

true | openssl s_client -connect 2>/dev/null | openssl x509 -noout -text  | perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
  • s_client: SSL/TLS client program. Add -servername with the host name when the server selects its certificate by SNI; without it you may be shown a default certificate.
  • x509: certificate display and signing utility; here it parses the certificate that s_client printed.
  • -noout: Do not output the encoded (PEM) form of the certificate.
  • -text: Print the certificate in text form, extensions included, which is where the DNS: entries the perl expression collects appear.

Rapid7 Forward DNS dataset #

The dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar.

Download Rapid7 Forward DNS datasets.

Brute Force Enumeration #

Useful Wordlists:

Amass 1 #

amass enum -brute -w subdomains.txt -d -o results.txt
  • -brute: Execute brute forcing after searches.
  • -w: Path to wordlist file.
  • -d: Domain names separated by commas.
  • -o: Path to the text file containing terminal stdout/stderr.

massdns 4 #

./scripts/ subdomains.txt | ./bin/massdns -r ./lists/resolvers.txt -o S -w results.txt
  • -r: Text file containing DNS resolvers.
  • -o: Flags for output formatting.
  • -w: Write to the specified output file.

gobuster 8 #

gobuster dns -t 30 -w subdomains.txt -d
  • dns: DNS subdomain bruteforcing mode.
  • -d: target domain.
  • -t <n>: number of concurrent threads (default 10).
  • -w <wordlist>: path to the wordlist.


Zone Transfer #

DNS zone transfer is one mechanism to replicate DNS databases across DNS servers.

Note: The transfer begins with the client sending an AXFR query to the server.

More under DNS Service Enumeration Zone Transfers

dnsrecon 9 #

dnsrecon -a -d
  • -a: Perform AXFR with standard enumeration.
  • -d: Domain.

dig #

dig axfr
  • axfr: initiate an AXFR zone transfer query.
  • @server: name or IP of the server to query (one of the zone's authoritative nameservers).
  • name: the zone whose resource records are to be transferred.

CNAME Records #

A Canonical NAME record (CNAME) is a type of DNS record that maps one domain name (an alias) to another (the canonical name).

CNAMEs may reveal an organization’s sub-domains and information about running services.

dig #

dig +short -x `dig +short`
  • +short: Provide a terse answer.
  • -x <addr>: Simplified reverse lookups, for mapping addresses to names.
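A parser for the massdns simple output (-o S) produced by the brute-force run above, written to surface what this section is after: CNAMEs whose target sits outside the organization's domain, which is where third-party hosting and SaaS delegations show up. This is an added Python example, not code from the page, massdns or dig; the scan output is constructed for a fictional example.com and the third-party target names are illustrative.

```python
"""Parse massdns '-o S' output and surface off-domain CNAME targets (added example).

Each simple-output line is 'name. TYPE rdata'. Records are grouped by
name, then CNAMEs pointing outside the target domain are listed, since
those reveal the external services a subdomain is delegated to.
SAMPLE_OUTPUT is constructed, not captured from a real scan.
"""
from collections import defaultdict

# Constructed massdns -o S output for a fictional example.com brute force.
SAMPLE_OUTPUT = """\
www.example.com. CNAME edge.example.com.
edge.example.com. A 192.0.2.10
blog.example.com. CNAME example-blog.ghost.io.
example-blog.ghost.io. A 198.51.100.7
shop.example.com. CNAME shops.myshopify.com.
api.example.com. A 192.0.2.20
api.example.com. AAAA 2001:db8::20
mail.example.com. MX 10 mx1.example.com.
"""


def in_scope(name, domain):
    """True if name is domain or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def parse_massdns_simple(text):
    """Return {name: [(type, rdata), ...]} from massdns simple output."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, rdata = parts
        # Trailing dots mark absolute names; drop them so comparisons are uniform.
        records[name.rstrip(".").lower()].append((rtype, rdata.rstrip(".").lower()))
    return dict(records)


def resolved_names(records, domain):
    """Subdomains of domain that returned at least one record."""
    return sorted(n for n in records if in_scope(n, domain))


def external_cnames(records, domain):
    """(alias, target) pairs where the CNAME target lies outside domain."""
    out = []
    for name, rrs in sorted(records.items()):
        if not in_scope(name, domain):
            continue  # answers for third-party names pulled in while chasing a CNAME
        for rtype, rdata in rrs:
            if rtype == "CNAME" and not in_scope(rdata, domain):
                out.append((name, rdata))
    return out


if __name__ == "__main__":
    recs = parse_massdns_simple(SAMPLE_OUTPUT)
    for host in resolved_names(recs, "example.com"):
        print(host)
    for alias, target in external_cnames(recs, "example.com"):
        print(f"{alias} -> {target}")
```

Run it over a real results.txt by replacing SAMPLE_OUTPUT with the file contents. An off-domain CNAME target is the first thing to check for a dangling delegation: resolve the target and confirm the provider still serves it.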

SPF Records #

A Sender Policy Framework (SPF) record is a TXT DNS record used for email authentication. It lists the mail servers and netblocks authorized to send email on behalf of the domain.

SPF helps protect domains from spoofing.

Note: Organizations sometimes list internal netblocks in their SPF record, exposing internal address ranges.

dig #

dig +short TXT
  • +short: Provide a terse answer.
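An expander for the TXT record the dig command returns, added here as a Python example that is not part of the original page: it follows include: and redirect= through a constructed table of TXT records standing in for DNS lookups, collects the ip4:/ip6: netblocks, enforces the RFC 7208 limit of ten DNS-querying terms, stops on include loops, and flags the RFC 1918 / ULA ranges that the note above warns about. The records for example.com and the two mailer.test hosts are made up.

```python
"""Expand an SPF record into the netblocks it authorises (added example).

Follows include:/redirect= through TXT_RECORDS (a stand-in for DNS),
collects ip4:/ip6: terms and flags private ranges, which leak internal
addressing. All records below are constructed, not real SPF data.
"""
import ipaddress

# Constructed TXT records; a real tool would fetch these with dig +short TXT.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:10.20.0.0/16 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:1::/48 redirect=_spf2.mailer.test",
    "_spf2.mailer.test": "v=spf1 ip4:203.0.113.128/25 include:example.com ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation

RFC1918_AND_ULA = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def lookup_spf(name):
    """Return the SPF record for name, or None (stand-in for a TXT query)."""
    rec = TXT_RECORDS.get(name.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def expand_spf(domain):
    """Return (networks, lookups_used) for domain, following include:/redirect=."""
    networks, seen = [], set()
    lookups = 0

    def walk(name):
        nonlocal lookups
        name = name.lower()
        if name in seen:          # include/redirect loop: stop here
            return
        seen.add(name)
        record = lookup_spf(name)
        if record is None:
            return
        redirect = None
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")   # qualifier does not change the netblock
            if term.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
            elif term.startswith("include:"):
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    return
                walk(term.partition(":")[2])
            elif term.startswith("redirect="):
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    return
                redirect = term.partition("=")[2]   # applies after the other terms
        if redirect:
            walk(redirect)

    walk(domain)
    return networks, lookups


def internal_ranges(networks):
    """Networks inside RFC 1918 (IPv4) or ULA fc00::/7 (IPv6) space."""
    return [
        n for n in networks
        if any(n.version == p.version and n.subnet_of(p) for p in RFC1918_AND_ULA)
    ]


if __name__ == "__main__":
    nets, used = expand_spf("example.com")
    print(f"{used} DNS-querying terms; authorised ranges:")
    for n in nets:
        flag = "  <- internal" if n in internal_ranges(nets) else ""
        print(f"  {n}{flag}")
```

The lookup counter matters for more than correctness: a record that needs more than ten lookups fails permanently at receivers, which is itself a finding when auditing a client's mail configuration.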

HTTP Headers #

Content Security Policy (CSP) #

The HTTP Content-Security-Policy response header allows website administrators to control resources the browser is allowed to load for a given page.

Note: There are deprecated forms of the CSP header: X-Content-Security-Policy and X-WebKit-CSP.

curl #

curl -I -s -L | grep -iE 'Content-Security|CSP'
  • -I: Fetch the headers only (sends a HEAD request).
  • -s: Quiet mode.
  • -L: Follow 3XX redirections.

Note: Some servers answer HEAD differently from GET, and a policy delivered in an HTML <meta http-equiv="Content-Security-Policy"> tag never appears in the response headers; fetch the body as well when the header is missing.
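A parser for the header value the curl command prints, added as a Python example that is not part of the original page: it splits the policy into directives, drops keyword, nonce, hash and bare-scheme sources, and returns the host names per directive plus the subset that belongs to the target domain (wildcards stripped), which is what a recon pass wants from CSP. The header value is constructed and the hosts in it are illustrative.

```python
"""Pull hostnames out of a Content-Security-Policy header (added example).

Keeps only host-source expressions ('self', 'none', nonces, hashes and
bare schemes such as data: are dropped) and groups them by directive.
SAMPLE_CSP is constructed, not fetched from a real site.
"""
from urllib.parse import urlsplit

# Constructed header value, shaped like the Content-Security-Policy line curl -I prints.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-abc123' https://cdn.example.com static.example.com:8443 "
    "https://www.googletagmanager.com; "
    "img-src * data: https://*.img.example.com; "
    "connect-src https://api.example.com/v1/ wss://live.example.com; "
    "frame-ancestors 'none'; "
    "report-uri https://csp-report.example.com/collect"
)


def parse_csp(header):
    """Return {directive: [source, ...]} from a CSP header value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_of(source):
    """Host part of a CSP host-source, or None for keyword/nonce/hash/scheme sources."""
    s = source.strip()
    if s.startswith("'") or s == "*" or s.endswith(":"):
        return None
    if "://" not in s:
        s = "//" + s          # scheme-less host: let urlsplit find the netloc
    return urlsplit(s).hostname  # drops scheme, port and path


def csp_hosts(header):
    """{directive: sorted unique hosts} for directives that name at least one host."""
    out = {}
    for directive, sources in parse_csp(header).items():
        hosts = sorted({h for h in (host_of(s) for s in sources) if h})
        if hosts:
            out[directive] = hosts
    return out


def in_scope_hosts(header, domain):
    """All hosts in the policy under domain, with '*.' wildcards stripped."""
    found = set()
    for hosts in csp_hosts(header).values():
        for h in hosts:
            h = h[2:] if h.startswith("*.") else h
            if h == domain or h.endswith("." + domain):
                found.add(h)
    return sorted(found)


if __name__ == "__main__":
    for directive, hosts in csp_hosts(SAMPLE_CSP).items():
        print(f"{directive}: {', '.join(hosts)}")
    print("in scope:", in_scope_hosts(SAMPLE_CSP, "example.com"))
```

The report-uri and report-to endpoints are worth keeping in the in-scope list: they are often internal collectors that never show up in certificate logs.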

Further Reading #

  1. OWASP. “Amass: In-Depth Attack Surface Mapping and Asset Discovery.” GitHub.

  2. aboul3la. “Sublist3r: Fast Subdomains Enumeration Tool for Penetration Testers.” GitHub.

  3. “What Is Certificate Transparency?” Certificate Transparency.

  4. blechschmidt. “massdns: A High-Performance DNS Stub Resolver for Bulk Lookups and Reconnaissance.” GitHub.

  5. “VirusTotal += Passive DNS Replication.” VirusTotal Blog.

  6. OpenSSL Foundation, Inc. “x509v3_config.” OpenSSL.

  7. OpenSSL Foundation, Inc. “openssl(1) manual page.” OpenSSL.

  8. Reeves, OJ. “gobuster.” GitHub.

  9. darkoperator. “dnsrecon: DNS Enumeration Script.” GitHub.