@shahmal1yev
Last active December 24, 2023 16:02
Subdomain Enumeration Cheatsheet

Subdomain Enumeration

OSINT

SSL/TLS Certificates

When an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority), CAs take part in what's called "Certificate Transparency (CT) logs". These are publicly accessible logs of every SSL/TLS certificate created for a domain name. The purpose of Certificate Transparency logs is to stop malicious and accidentally made certificates from being used. We can use this service to our advantage to discover subdomains belonging to a domain. Sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.

TryHackMe - Subdomain Enumeration Room
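Added example (not from the gist or from the TryHackMe room): a small Python parser for the JSON that crt.sh returns for a `?q=%25.domain&output=json` query, so the certificate history of a domain you administer can be reviewed for forgotten or unexpected hostnames. It normalises the `name_value` field, which can carry several certificate names separated by newlines, wildcard entries and mixed case, and rejects look-alike names that merely contain the domain. The sample records are constructed, not real CT log entries.

```python
"""Extract subdomains from Certificate Transparency data in crt.sh's JSON format.
Added example, not part of the original gist. Assumes the shape crt.sh returns
for https://crt.sh/?q=%25.<domain>&output=json: a list of objects whose
"name_value" holds one or more certificate names separated by newlines."""
import json
import urllib.request

# Constructed sample mimicking crt.sh JSON output (not real certificates).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.acmeitsupport.thm\nacmeitsupport.thm"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.acmeitsupport.thm"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "API.acmeitsupport.thm"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev-portal.acmeitsupport.thm\nwww.acmeitsupport.thm"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "acmeitsupport.thm.evil-lookalike.example"},
])

def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Return sorted, deduplicated names in `domain` found in crt.sh JSON.
    Handles several SANs per record (newline separated), wildcard entries
    (the '*.' prefix is dropped and the base name kept) and mixed case."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # Match on a label boundary so acmeitsupport.thm.<other-tld> is rejected.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

def fetch_crtsh(domain: str) -> str:
    """Fetch live crt.sh JSON for `domain` (needs network; not used in the sample run)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "acmeitsupport.thm"):
        print(host)
```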


Search Engines

-- Google

Examples:


-- Bing


DNS Brute Force

dnsrecon

user@thm:~$ dnsrecon -t brt -d acmeitsupport.thm  
[*]  No file was specified with domains to check.  
[*]  Using file provided with tool: /usr/share/dnsrecon/namelist.txt  
[*] A api.acmeitsupport.thm 10.10.10.10  
[*] A www.acmeitsupport.thm 10.10.10.10  
[+]  2 Record Found
user@thm:~$

Sublist3r

user@thm:~$ ./sublist3r.py -d acmeitsupport.thm  
  
                 ____        _     _ _     _   _____
                / ___| _   _| |__ | (_)___| |_|___ / _ __
                \___ \| | | | '_ \| | / __| __|  |_ \| '__|
                 ___) | |_| | |_) | | \__ \ |_ ___) | |
                |____/ \__,_|_.__/|_|_|___/\__|____/|_|
  
# Coded By Ahmed Aboul-Ela - @aboul3la

[-] Enumerating subdomains now for acmeitsupport.thm  
[-] Searching now in Baidu..  
[-] Searching now in Yahoo..  
[-] Searching now in Google..  
[-] Searching now in Bing..  
[-] Searching now in Ask..  
[-] Searching now in Netcraft..  
[-] Searching now in Virustotal..  
[-] Searching now in ThreatCrowd..  
[-] Searching now in SSL Certificates..  
[-] Searching now in PassiveDNS..  
[-] Searching now in Virustotal..  
[-] Total Unique Subdomains Found:  2  
web55.acmeitsupport.thm  
www.acmeitsupport.thm  
user@thm:~$

Virtual Hosts

Some subdomains aren't always hosted in publicly accessible DNS results, such as development versions of a web application or administration portals. Instead, the DNS record could be kept on a private DNS server or recorded on the developer's machines in their /etc/hosts file (or c:\windows\system32\drivers\etc\hosts file for Windows users) which maps domain names to IP addresses.

Because web servers can host multiple websites from one server, when a website is requested from a client the server knows which website the client wants from the Host header. We can utilise this Host header by making changes to it and monitoring the response to see if we've discovered a new website.

Like with DNS Bruteforce, we can automate this process by using a wordlist of commonly used subdomains.

TryHackMe - Subdomain Enumeration Room

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.122.191
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.122.191 -fs {size}
cat wordlist.txt | xargs -I {} curl -H "Host: {}.acmeitsupport.com" http://acmeitsupport.com