CyberSecurity/Web/100BugBountySecrets/secrets/secret12.md
1 1 # Subdomain Enumeration Techniques 🔮 2 2 3 + ### 1. Certificate Transparency 4 + - Certificate transparency logs all the entries of the issued certificates in an inventory. This includes domain names, sub-domain names, and email addresses. This is publicly available to everyone. 5 + - CT logs search engines:<br> 6 + [https://crt.sh/](https://crt.sh/)<br> 7 + [https://censys.io/](https://censys.io/)<br> 8 + [https://developers.facebook.com/tools/ct/](https://developers.facebook.com/tools/ct/)<br> 9 + [https://google.com/transparencyreport/https/ct/](https://google.com/transparencyreport/https/ct/)<br> 10 + [https://sslmate.com/certspotter/](https://sslmate.com/certspotter/)<br> 11 + <br> 3 12 13 + ### 2. Search Engines 14 + The “Site:” operator which was used to search domain and subdomains was working in the below-mentioned search engines: 15 + - Google 16 + - Bing 17 + - Yahoo 18 + - Yandex 19 + - Duckduckgo 20 + - Aol 21 + <br> 4 22 23 + ### 3. Online DNS Tools 24 + I found 9 sub-domain enumeration services: 25 + - [https://decoder.link/](https://decoder.link/) 26 + - [https://searchdns.netcraft.com/](https://searchdns.netcraft.com/) 27 + - [https://dnsdumpster.com/](https://dnsdumpster.com/) 28 + - [https://www.virustotal.com/gui/home/search](https://www.virustotal.com/gui/home/search) 29 + - [https://pentest-tools.com/information-gathering/find-subdomains-of-domain#](https://pentest-tools.com/information-gathering/find-subdomains-of-domain#) 30 + - [https://findsubdomains.com/](https://findsubdomains.com/) 31 + - [https://hackertarget.com/find-dns-host-records/](https://hackertarget.com/find-dns-host-records/) 32 + - [https://www.pkey.in/tools-i/search-subdomains](https://www.pkey.in/tools-i/search-subdomains) 33 + - [https://spyse.com/](https://spyse.com/) 34 + <br> 5 35 36 + ### 4. 
ASN (Autonomous System Number) 37 + - An autonomous system number is a unique number that is given to an Autonomous system and which is assigned by IANA (Internet Assigned Numbers Authority). 38 + - Online tools to find ASN number:<br> 39 + [https://www.radb.net/query?](https://www.radb.net/query?)<br> 40 + [https://bgp.he.net/](https://bgp.he.net/)<br> 41 + [https://mxtoolbox.com/asn.aspx](https://mxtoolbox.com/asn.aspx)<br> 42 + [https://hackertarget.com/as-ip-lookup/](https://hackertarget.com/as-ip-lookup/)<br> 43 + [http://whois.domaintools.com/](http://whois.domaintools.com/)<br> 44 + [https://who.is/](https://who.is/)<br> 45 + [https://asn.cymru.com/cgi-bin/whois.cgi](https://asn.cymru.com/cgi-bin/whois.cgi)<br> 46 + - Online tools to find IP pool from ASN number:<br> 47 + [https://bgp.he.net/](https://bgp.he.net/)<br> 48 + [https://mxtoolbox.com/asn.aspx](https://mxtoolbox.com/asn.aspx)<br> 49 + [https://hackertarget.com/as-ip-lookup/](https://hackertarget.com/as-ip-lookup/)<br> 6 50 <br> 51 + 52 + ### 5. Subject Alternate Name (SAN) 53 + - The multi-domain SSL certificate secures up to 250 unique domain names or subdomains and that domain/subdomains names mentioned in the Subject Alternative Names (SAN) field in the certificate. 54 + - Tools to extract domain names from SAN: 55 + OpenSSL<br> 56 + [Python Script](https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/san_subdomain_enum.py)<br> 57 + <br> 58 + 59 + ### 6. Public Dataset (Rapid7) 60 + - Rapid7 performs Internet scanning to collect Internet-wide scan data and then publish the results publicly for free and some data is paid. 61 + - Rapid7 Datasets Link: [https://opendata.rapid7.com/](https://opendata.rapid7.com/) 62 + <br> 63 + 64 + ### 7. Brute force or Dictionary Attacks 65 + Tools: 66 + - Aquatone 67 + - Bluto-Old 68 + - DNS-Discovery 69 + - Dnssearch 70 + - Knock 71 + - Fierce 72 + - Subbrute 73 + - Amass 74 + - Dnsrecon 75 + 76 + ### 8. 
Zone Transfer 77 + - DNS zone transfer is the process of replication DNS database or DNS records from the primary name server to the secondary name server. 78 + - The DNS zone transfer functionality used by an adversary only when the primary name server is configured to replicate the zone information to any server. An adversary acts as a slave and asks the master for a copy of the zone records. 79 + 80 + 81 + 7 82 ## Credit 8 83 Based on [Lazy Hacker](https://lazyhacker.medium.com/subdomain-enumeration-tec-276da39d7e69)'s writeup. 9 84 <br> skipped 5 lines
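Review bot: the Subject Alternate Name section (diff lines 52-56) names OpenSSL as a tool but gives no command, so a reader cannot reproduce the step; suggest adding `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later; older builds can use `-text` and grep for "Subject Alternative Name"), which prints every DNS name in the served certificate. The "up to 250 unique domain names" figure is a limit imposed by individual certificate authorities, not by X.509, so either attribute it to the CA or drop the number. The heading should read "Subject Alternative Name" to match the field name used later in the same sentence, and the Certificate Transparency section (diff lines 3-10) would benefit from one concrete query, e.g. `https://crt.sh/?q=%25.example.com`, since the wildcard form is what returns the subdomains rather than only the apex certificate.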
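Review bot: the Zone Transfer section (diff lines 76-78) describes the misconfiguration but never states how to test for it, and the sentence "The DNS zone transfer functionality used by an adversary only when ..." is missing its verb. Suggest rewording the second bullet as "An adversary can abuse zone transfers only when the primary name server is configured to hand the zone to any requester; the attacker then poses as a secondary server and requests a full copy of the zone (AXFR)." and following it with the check `dig axfr example.com @ns1.example.com`, run against each server returned by `dig ns example.com`: a misconfigured server lists every record in the zone, a correctly configured one answers with "Transfer failed." Prefer "primary/secondary" throughout, as the first bullet already does, instead of "master/slave" in the second.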
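Review bot: in the Search Engines section (diff lines 13-21) the operator is written as "Site:" and described in the past tense ("was working"); search operators are lowercase, so write `site:example.com` and state it in the present tense, since nothing in the text indicates the operator has stopped working. In the ASN section (diff line 37) "assigned by IANA" is inaccurate: IANA allocates ASN blocks to the Regional Internet Registries, which assign individual ASNs to network operators, so "allocated by IANA through the RIRs" would be correct. The same section should also say why ASNs appear in a subdomain-enumeration page: resolving the target's ASN to its announced prefixes (the "IP pool" of diff lines 46-49) yields address ranges that can be reverse-resolved or scanned for additional hostnames, which the current text leaves implicit.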