    CyberSecurity/Web/100BugBountySecrets/secrets/secret12.md
    1 1  # Subdomain Enumeration Techniques 🔮
    2 2   
     3 +### 1. Certificate Transparency
     4 +- Certificate transparency logs all the entries of the issued certificates in an inventory. This includes domain names, sub-domain names, and email addresses. This is publicly available to everyone.
     5 +- CT logs search engines:<br>
     6 +[https://crt.sh/](https://crt.sh/)<br>
     7 +[https://censys.io/](https://censys.io/)<br>
     8 +[https://developers.facebook.com/tools/ct/](https://developers.facebook.com/tools/ct/)<br>
     9 +[https://google.com/transparencyreport/https/ct/](https://google.com/transparencyreport/https/ct/)<br>
     10 +[https://sslmate.com/certspotter/](https://sslmate.com/certspotter/)<br>
     11 +<br>&nbsp;
    3 12   
     13 +### 2. Search Engines
     14 +The “Site:” operator which was used to search domain and subdomains was working in the below-mentioned search engines:
     15 +- Google
     16 +- Bing
     17 +- Yahoo
     18 +- Yandex
     19 +- Duckduckgo
     20 +- Aol
     21 +<br>&nbsp;
    4 22   
     23 +### 3. Online DNS Tools
     24 +I found 9 sub-domain enumeration services:
     25 +- [https://decoder.link/](https://decoder.link/)
     26 +- [https://searchdns.netcraft.com/](https://searchdns.netcraft.com/)
     27 +- [https://dnsdumpster.com/](https://dnsdumpster.com/)
     28 +- [https://www.virustotal.com/gui/home/search](https://www.virustotal.com/gui/home/search)
     29 +- [https://pentest-tools.com/information-gathering/find-subdomains-of-domain#](https://pentest-tools.com/information-gathering/find-subdomains-of-domain#)
     30 +- [https://findsubdomains.com/](https://findsubdomains.com/)
     31 +- [https://hackertarget.com/find-dns-host-records/](https://hackertarget.com/find-dns-host-records/)
     32 +- [https://www.pkey.in/tools-i/search-subdomains](https://www.pkey.in/tools-i/search-subdomains)
     33 +- [https://spyse.com/](https://spyse.com/)
     34 +<br>&nbsp;
    5 35   
     36 +### 4. ASN (Autonomous System Number)
     37 +- An autonomous system number is a unique number that is given to an Autonomous system and which is assigned by IANA (Internet Assigned Numbers Authority).
     38 +- Online tools to find ASN number:<br>
     39 +[https://www.radb.net/query?](https://www.radb.net/query?)<br>
     40 +[https://bgp.he.net/](https://bgp.he.net/)<br>
     41 +[https://mxtoolbox.com/asn.aspx](https://mxtoolbox.com/asn.aspx)<br>
     42 +[https://hackertarget.com/as-ip-lookup/](https://hackertarget.com/as-ip-lookup/)<br>
     43 +[http://whois.domaintools.com/](http://whois.domaintools.com/)<br>
     44 +[https://who.is/](https://who.is/)<br>
     45 +[https://asn.cymru.com/cgi-bin/whois.cgi](https://asn.cymru.com/cgi-bin/whois.cgi)<br>
     46 +- Online tools to find IP pool from ASN number:<br>
     47 +[https://bgp.he.net/](https://bgp.he.net/)<br>
     48 +[https://mxtoolbox.com/asn.aspx](https://mxtoolbox.com/asn.aspx)<br>
     49 +[https://hackertarget.com/as-ip-lookup/](https://hackertarget.com/as-ip-lookup/)<br>
    6 50  <br>&nbsp;
     51 + 
     52 +### 5. Subject Alternate Name (SAN)
     53 +- The multi-domain SSL certificate secures up to 250 unique domain names or subdomains and that domain/subdomains names mentioned in the Subject Alternative Names (SAN) field in the certificate.
     54 +- Tools to extract domain names from SAN:
     55 +OpenSSL<br>
     56 +[Python Script](https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/san_subdomain_enum.py)<br>
     57 +<br>&nbsp;
     58 + 
     59 +### 6. Public Dataset (Rapid7)
     60 +- Rapid7 performs Internet scanning to collect Internet-wide scan data and then publish the results publicly for free and some data is paid.
     61 +- Rapid7 Datasets Link: [https://opendata.rapid7.com/](https://opendata.rapid7.com/)
     62 +<br>&nbsp;
     63 + 
     64 +### 7. Brute force or Dictionary Attacks
     65 +Tools:
     66 +- Aquatone
     67 +- Bluto-Old
     68 +- DNS-Discovery
     69 +- Dnssearch
     70 +- Knock
     71 +- Fierce
     72 +- Subbrute
     73 +- Amass
     74 +- Dnsrecon
     75 + 
     76 +### 8. Zone Transfer
     77 +- DNS zone transfer is the process of replication DNS database or DNS records from the primary name server to the secondary name server.
     78 +- The DNS zone transfer functionality used by an adversary only when the primary name server is configured to replicate the zone information to any server. An adversary acts as a slave and asks the master for a copy of the zone records.
     79 + 
     80 + 
     81 + 
    7 82  ## Credit
    8 83  Based on [Lazy Hacker](https://lazyhacker.medium.com/subdomain-enumeration-tec-276da39d7e69)'s writeup.
    9 84  <br>&nbsp;
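Review bot: the Zone Transfer section (point 8) names the precondition for exposure ("configured to replicate the zone information to any server") but never states the correct configuration or how to check it; add one sentence that a primary should accept transfer requests only from its designated secondaries, so a reader knows what "any server" is being contrasted with. The same two bullets also need grammar fixes: "the process of replication DNS database" should read "the process of replicating the DNS database", and "The DNS zone transfer functionality used by an adversary only when" is missing its verb ("is usable by an adversary only when"). Formatting is inconsistent across sections: points 1 and 4 string links together with `<br>` while point 3 uses a proper `- ` list, and the file mixes `<br>&nbsp;` spacer lines with blank lines that contain a single trailing space (after the SAN, Rapid7 and Brute force sections, and three in a row before "## Credit"); pick the `- ` list style throughout and use ordinary blank lines for spacing. Minor: "ASN (Autonomous System Number)" followed by "ASN number" is redundant, and the Search Engines paragraph ("which was used to search ... was working in") reads better in the present tense.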