Different ways of enumerating or discovering the subdomains of a given domain. Enumeration is key in offensive security: enumerating subdomains often uncovers forgotten or untested attack surface that still carries vulnerabilities.
1. Subdomain Enumeration
2. WHAT IS A DOMAIN?
• The address at which internet users can reach your website.
• Computers locate each other by IP addresses, which are series of numbers. Humans find strings of numbers hard to remember, so domain names were developed to identify entities on the internet instead of raw IP addresses.
• A domain name can be any combination of letters, digits and hyphens.
• It is used in combination with one of the various top-level domains (TLDs), such as com, net and others.
3. WHAT IS A SUB-DOMAIN?
• A subset, or smaller part, of a larger domain.
• Effectively a second website with its own content, but without registering a new domain name.
• For example, west.example.com and east.example.com are subdomains of the example.com domain, which in turn is a subdomain of the com top-level domain (TLD).
• The TLD is the part that occurs right after the last dot in the domain name.
• While there are several types of TLDs, the most common are com, org and net.
• The SLD, or second-level domain, is the part that occurs immediately in front of the last dot in the domain name.
• Note that some registries use two-label public suffixes (for example co.uk); there the registrable domain sits one level deeper, and a tool that splits purely on the last dot will mis-scope hosts.
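The label rules above are what you need when cleaning a pile of candidate hostnames scraped from search engines or passive-DNS dumps before resolving them. The following Python is an added example, not part of the original deck or of any tool named on it; the registrable domain is assumed to be a plain sld.tld such as example.com (two-label public suffixes like co.uk would need the Public Suffix List), and the candidate list is constructed for illustration.

```python
import re

# RFC 1035 hostname label: 1-63 chars of letters, digits and hyphens, no leading or trailing hyphen.
# Underscore-prefixed service labels (_dmarc, _sip) are deliberately rejected: they hold TXT/SRV
# data, not hosts, so they are noise for subdomain enumeration.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def split_hostname(name, base):
    """Split `name` into (subdomain labels, SLD, TLD) relative to the registrable domain `base`.

    `base` is assumed to be of the form sld.tld (e.g. example.com). Returns None when `name` is
    not a syntactically valid hostname or does not sit under `base`.
    """
    name = name.strip().lower().rstrip(".")   # normalise case and a trailing root dot
    base = base.strip().lower().rstrip(".")
    if not name or len(name) > 253:            # whole-name length limit
        return None
    labels = name.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return None
    base_labels = base.split(".")
    if len(base_labels) != 2 or labels[-2:] != base_labels:
        return None                            # look-alikes such as evil-example.com fall out here
    sld, tld = base_labels
    return labels[:-2], sld, tld


def filter_in_scope(candidates, base):
    """Keep only valid, deduplicated hostnames strictly below `base`, in first-seen order."""
    seen = set()
    kept = []
    for candidate in candidates:
        parts = split_hostname(candidate, base)
        if parts is None or not parts[0]:      # invalid, out of scope, or the apex itself
            continue
        fqdn = ".".join(parts[0] + [parts[1], parts[2]])
        if fqdn not in seen:
            seen.add(fqdn)
            kept.append(fqdn)
    return kept


# Constructed sample: what a scrape of search results or a passive-DNS export typically looks like.
SCRAPED_CANDIDATES = [
    "West.Example.com.",      # mixed case and trailing dot, still in scope
    "east.example.com",
    "example.com",            # the apex, not a subdomain
    "evil-example.com",       # look-alike, different registrable domain
    "mail.example.org",       # different TLD
    "-bad.example.com",       # label may not start with a hyphen
    "api..example.com",       # empty label
    "west.example.com",       # duplicate of the first entry
]

if __name__ == "__main__":
    for host in filter_in_scope(SCRAPED_CANDIDATES, "example.com"):
        print(host, split_hostname(host, "example.com"))
```

Run this over any candidate list before feeding it to a resolver or a scanner; the look-alike and wrong-TLD entries it drops are exactly the ones that turn an in-scope assessment into unauthorised testing.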
4. WHAT IS SUB-DOMAIN ENUMERATION?
• The process of finding the subdomains of a particular domain name.
• Finding a subdomain of a website is not particularly hard.
• Various techniques and tools are available for enumerating subdomains.
• The more you DIG, the more you ENUMERATE!
5. WHY SUB-DOMAIN ENUMERATION?
• Enumerating subdomains is a crucial step of reconnaissance: subdomains may point to different parts of a web application, or to another website hosted on another server with a different IP address. This lets you build an accurate public network profile of the target organisation.
• The more subdomains you find, the more likely you are to find a vulnerability you can exploit; at the very least they provide leads you can pursue in hopes of finding a way inside the network.
• Subdomain enumeration can reveal many subdomains that are in scope of a security assessment, which in turn increases the chances of finding vulnerabilities.
• Confirm that each discovered host is actually in scope before testing it; subdomains frequently point at third-party hosting that belongs to someone else.
6. SUB-DOMAIN ENUMERATION TECHNIQUES
PUBLIC RESOURCES
• SEARCH ENGINES
• VIRUSTOTAL
• PENTEST-TOOLS
• HACKERTARGET
TOOLS
• DNSENUM
• SUBLIST3R
• KNOCKPY
• DNSRECON
• FIERCE
There are many ways to find subdomains, either through public resources or with locally run tools. Let's look at them one by one.
7. FINDING SUB-DOMAIN USING PUBLIC RESOURCES
SEARCH ENGINES
• An easy way to find subdomains without any tool is to use search engines.
• Search engines like Google and Bing support advanced "search operators" to filter search queries. These operators are also known as "dorks"; the site: operator restricts results to a domain and its subdomains.
• Google also supports the minus operator to remove subdomains we are not interested in, for example site:paypal.com -inurl:www. Repeating the search with each newly found host excluded surfaces the less common ones.
• Search engines only return hosts that have been indexed, so this is a starting point, not a complete inventory.
8. FINDING SUB-DOMAIN USING PUBLIC RESOURCES
VIRUSTOTAL
• VirusTotal runs its own passive DNS replication service, built by storing the DNS resolutions performed when visiting the URLs submitted by its users.
• To enumerate subdomains with this service, simply enter the domain name in the search box.
• A list of subdomains is displayed within a few seconds.
9. FINDING SUB-DOMAIN USING PUBLIC RESOURCES
PENTEST-TOOLS
• Pentest-Tools is a site where penetration testers can find online tools to use in their engagements.
• It is mainly used for passive reconnaissance.
• Pentest-Tools works much like VirusTotal and returns a large number of subdomains.
• It offers many services, one of which is Find Subdomains.
10. FINDING SUB-DOMAIN USING PUBLIC RESOURCES
HACKERTARGET
• HackerTarget is another site built for passive information gathering.
• Enter a domain name and look up its DNS host records; this dumps out the subdomains associated with that domain.
• Normally this site's results are limited to a maximum of 2000 entries.
11. FINDING SUB-DOMAIN USING TOOLS
• While many public resources are available for subdomain enumeration, running programs or scripts from our own machine is often a bonus.
• These tools perform DNS queries to gather host (A) records and brute-force candidate subdomains by permutation and combination of wordlist entries.
• The tools covered in this part are all open source.
• Most of them can be downloaded from GitHub (git clone is your friend).
• Unlike the passive sources above, these tools send queries that reach the target's name servers and may be logged there.
12. FINDING SUB-DOMAIN USING TOOLS
DNSENUM
• dnsenum is a tool for DNS enumeration, the process of locating all DNS servers and DNS entries for a domain.
• Given a domain name, dnsenum starts querying the domain's DNS servers.
• The first data we get is the host address (this also covers subdomains). Next come the name servers, which give an idea of the hosting provider the domain uses, and then the MX records, which show the target's mail servers.
• It also attempts a zone transfer against each name server and can brute-force subdomains from a wordlist (-f <file>).
Download Link : https://github.com/fwaeytens/dnsenum
Usage: ./dnsenum.pl [Options] <domain>
13. FINDING SUB-DOMAIN USING TOOLS
SUBLIST3R
• Sublist3r enumerates the subdomains of a given domain using both passive and active techniques.
• The passive side queries search engines such as Google, Yahoo, Bing, Baidu and Ask, and public resources such as Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.
• It is not limited to passive reconnaissance: the tool also gathers subdomains from DNS records and can brute-force them with the bundled subbrute module (-b).
Download Link : https://github.com/aboul3la/Sublist3r
Usage: python sublist3r.py -d <domain> [Options]
14. FINDING SUB-DOMAIN USING TOOLS
KNOCKPY
• Knockpy is a Python tool designed to enumerate the subdomains of a target domain through a wordlist.
• It is designed to scan for DNS zone transfer and tries to bypass a wildcard DNS record automatically if one is enabled.
• It brute-forces with a wordlist bundled with the tool, but you can also supply your own wordlist for the target domain.
• Knockpy also supports queries to VirusTotal's subdomain data; set the api_key in config.json for better results.
Download Link : https://github.com/guelfoweb/knock
Usage: python knockpy.py <domain> [Options]
15. FINDING SUB-DOMAIN USING TOOLS
DNSRECON
• dnsrecon is a Python-based tool designed to enumerate DNS information about a domain.
• To find subdomains with it, all we have to do is give it a name list; it then tries to resolve A, AAAA and CNAME records against the domain for each entry in turn.
• dnsrecon comes pre-installed with Kali Linux.
Usage: dnsrecon -d <domain> [Options]
(wordlist brute force: dnsrecon -d <domain> -t brt -D <wordlist>)
16. FINDING SUB-DOMAIN USING TOOLS
FIERCE
• Fierce is another tool pre-installed in Kali Linux, used for DNS reconnaissance.
• The original purpose of this tool is to identify DNS records for a given domain.
• Fierce first identifies the authoritative DNS servers for the target domain, then attempts a zone transfer from each authoritative server.
• Fierce also uses brute force to enumerate host records, and so finds the subdomains of a given domain.
Usage: fierce -dns <domain>
(the newer Python rewrite of Fierce takes fierce --domain <domain> instead)
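To make the wildcard bypass (Knockpy) and the per-entry A/AAAA/CNAME resolution (dnsrecon, Fierce) concrete, here is a small wordlist brute-forcer in Python. It is an added example, not the deck's or any of these tools' code. The resolver is injected so the logic runs offline: fake_resolve and the zone it answers from are constructed for illustration (a real run would pass a wrapper around dnspython's dns.resolver.resolve), and 198.51.100.0/24 and 2001:db8:: are documentation ranges.

```python
import random
import string

# Record types dnsrecon tries for every wordlist entry.
RRTYPES = ("A", "AAAA", "CNAME")


def detect_wildcard(domain, resolve, probes=3):
    """Probe random, 20-character labels under `domain`.

    Nobody creates such names, so any answer is wildcard (*.domain) data. The answers are returned
    per record type so genuine hits can later be checked against them.
    """
    wildcard = {rr: set() for rr in RRTYPES}
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=20))
        for rr in RRTYPES:
            wildcard[rr].update(resolve(f"{label}.{domain}", rr))
    return wildcard


def brute_force(domain, wordlist, resolve):
    """Resolve each wordlist entry under `domain` for every record type, dropping wildcard answers.

    `resolve(name, rrtype)` must return a list of record data strings, or [] for NXDOMAIN/NODATA.
    Returns {fqdn: {rrtype: [answers]}} for hosts that have at least one non-wildcard record.
    """
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        fqdn = f"{word.strip().lower()}.{domain}"
        records = {}
        for rr in RRTYPES:
            answers = [a for a in resolve(fqdn, rr) if a not in wildcard[rr]]
            if answers:
                records[rr] = answers
        if records:
            found[fqdn] = records
    return found


# Constructed zone for example.com with a wildcard A record, standing in for real DNS.
FAKE_ZONE = {
    ("www.example.com", "A"): ["198.51.100.10"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
    ("cdn.example.com", "CNAME"): ["example-com.cdn.example.net."],
    ("dev.example.com", "A"): ["198.51.100.7"],
}
WILDCARD_A = "198.51.100.200"   # what *.example.com answers with


def fake_resolve(name, rrtype):
    """Constructed resolver: explicit records win; any other name under example.com gets the
    wildcard A answer; everything else is NXDOMAIN. A real resolver would wrap
    dns.resolver.resolve(name, rrtype) and return [] on NXDOMAIN/NoAnswer."""
    if (name, rrtype) in FAKE_ZONE:
        return list(FAKE_ZONE[(name, rrtype)])
    if rrtype == "A" and name.endswith(".example.com"):
        return [WILDCARD_A]
    return []


WORDLIST = ["www", "mail", "cdn", "dev", "ftp", "vpn"]   # constructed mini wordlist

if __name__ == "__main__":
    for host, records in brute_force("example.com", WORDLIST, fake_resolve).items():
        print(host, records)
```

Wildcard detection works by resolving labels nobody would have created; whatever comes back is wildcard data and is subtracted from the real hits, which is why ftp and vpn above are reported as non-existent while cdn survives on its CNAME alone. The trade-off, shared by the tools on this page, is that a genuine host that resolves to exactly the wildcard address is indistinguishable from noise and gets dropped; compare HTTP responses or TLS certificates on such hosts if they matter.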