Subdomain Enumeration Techniques 🔮
1. Certificate Transparency
- Certificate Transparency (CT) logs are public, append-only records of the certificates that participating CAs issue. Each logged certificate exposes the names it covers (Common Name and Subject Alternative Names), so querying the logs for a domain returns its subdomains, including hosts that never show up in search engines; certificates can also carry email addresses. Anyone can search the logs.
- CT log search engines:
https://crt.sh/
https://censys.io/
https://developers.facebook.com/tools/ct/
https://google.com/transparencyreport/https/ct/
https://sslmate.com/certspotter/
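Raw CT search output still needs cleanup before it is useful: crt.sh, for instance, returns one JSON object per certificate, and its `name_value` field packs every name on that certificate into one newline-separated string, mixed case, wildcards and unrelated domains from multi-domain certificates included. The following is an added example, not code from the original page; the JSON sample in it is constructed, while the `?q=%25.<domain>&output=json` endpoint is crt.sh's real one.

```python
"""Normalise crt.sh JSON output into a clean list of hostnames under one domain.

Added example (not from the original page).  crt.sh returns one object per
certificate; "name_value" holds every name on the certificate separated by
newlines.  SAMPLE_CRTSH_JSON is constructed for this example.
"""
import json
import sys
import urllib.request

# Constructed sample of what crt.sh returns: two certificates, one of them a
# multi-domain certificate that also carries a name outside the target domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\n*.dev.example.com"},
    {"id": 2, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nWWW.Example.com\nexample.org"},
])


def names_from_crtsh(json_text, domain):
    """Return sorted unique hostnames under `domain` found in crt.sh JSON.

    - splits multi-name name_value fields on newlines
    - lower-cases and strips a leading '*.' (a wildcard proves the parent
      label exists; it is not itself a resolvable host)
    - drops names outside the target domain (a SAN certificate matched by
      one of its names can list unrelated domains as well)
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def query_crtsh(domain, timeout=30):
    """Fetch live crt.sh JSON for %.domain (network access required)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With a domain argument the live service is queried; without one the
    # constructed sample is used so the script runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = query_crtsh(target) if len(sys.argv) > 1 else SAMPLE_CRTSH_JSON
    for host in names_from_crtsh(data, target):
        print(host)
```

Run it as `python3 crtsh_names.py example.com` against the live service, or without arguments to see the normalisation on the sample. Feed the resulting list into the resolver step of whatever brute-force tool you use; CT only tells you that a certificate was issued for a name, not that the name still resolves.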
2. Search Engines
The site: operator, used to search for a domain and its subdomains (for example site:example.com), worked in the following search engines:
- Bing
- Yahoo
- Yandex
- Duckduckgo
- Aol
3. Online DNS Tools
The following nine online services enumerate subdomains:
- https://decoder.link/
- https://searchdns.netcraft.com/
- https://dnsdumpster.com/
- https://www.virustotal.com/gui/home/search
- https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
- https://findsubdomains.com/
- https://hackertarget.com/find-dns-host-records/
- https://www.pkey.in/tools-i/search-subdomains
- https://spyse.com/
4. ASN (Autonomous System Number)
- An Autonomous System Number (ASN) is the unique number that identifies an autonomous system, a set of IP prefixes routed under one policy by one organization. IANA allocates ASN blocks to the regional Internet registries, which assign them to organizations. Finding an organization's ASN, and then the prefixes it announces, gives you address ranges to scan for hosts that name-based methods miss.
- Online tools to find an ASN:
https://www.radb.net/query?
https://bgp.he.net/
https://mxtoolbox.com/asn.aspx
https://hackertarget.com/as-ip-lookup/
http://whois.domaintools.com/
https://who.is/
https://asn.cymru.com/cgi-bin/whois.cgi
- Online tools to find the IP prefixes announced by an ASN:
https://bgp.he.net/
https://mxtoolbox.com/asn.aspx
https://hackertarget.com/as-ip-lookup/
5. Subject Alternate Name (SAN)
- A multi-domain (SAN) certificate covers several names at once; CAs commonly allow up to 250 per certificate, a limit set by the CA rather than by X.509. Every covered domain and subdomain is listed in the certificate's Subject Alternative Name (SAN) extension, so any host that presents a shared certificate reveals the other names on it.
- Tools to extract domain names from the SAN extension:
OpenSSL
Python Script
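With OpenSSL the SAN extension is read with `openssl x509 -in cert.pem -noout -ext subjectAltName` (or, for a live host, by piping `openssl s_client -connect host:443` into `openssl x509`). The script below is an added example, not code from the original page: a dependency-free Python parser that walks a certificate's DER structure, finds the subjectAltName extension (OID 2.5.29.17) and decodes the names in it. The `SAMPLE_SAN_EXTENSION` blob is constructed for the example; the same function works on the DER of a real certificate.

```python
"""Pull host names out of the Subject Alternative Name extension of a DER certificate.

Added example, not code from the original page.  Walks the DER structure
without third-party libraries, finds the subjectAltName extension
(OID 2.5.29.17) and decodes the GeneralNames inside it.  SAMPLE_SAN_EXTENSION
is constructed for this example.
"""
import base64
import ipaddress
import sys

SAN_OID_DER = bytes.fromhex("0603551d11")   # tag 06, length 3, OID 2.5.29.17


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_general_names(buf, start, end):
    names = []
    for tag, vs, ve in _children(buf, start, end):
        if tag == 0x82:                        # [2] dNSName, IA5String
            names.append(("DNS", buf[vs:ve].decode("ascii")))
        elif tag == 0x81:                      # [1] rfc822Name
            names.append(("email", buf[vs:ve].decode("ascii")))
        elif tag == 0x87:                      # [7] iPAddress, 4 or 16 raw bytes
            names.append(("IP", str(ipaddress.ip_address(buf[vs:ve]))))
        # URI, directoryName and the other GeneralName choices are ignored here
    return names


def extract_san(der):
    """Return [(kind, value), ...] from the subjectAltName extension, or [] if absent."""
    def walk(start, end):
        for tag, vs, ve in _children(der, start, end):
            if tag == 0x30 and der[vs:vs + len(SAN_OID_DER)] == SAN_OID_DER:
                # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
                _, octet_s, _ = [c for c in _children(der, vs, ve) if c[0] == 0x04][-1]
                seq_tag, gn_s, gn_e = _read_tlv(der, octet_s)   # extnValue wraps GeneralNames
                if seq_tag == 0x30:
                    return _parse_general_names(der, gn_s, gn_e)
            elif tag & 0x20:                   # constructed element: descend into it
                found = walk(vs, ve)
                if found is not None:
                    return found
        return None
    return walk(0, len(der)) or []


def dns_names(der):
    """Unique host names for enumeration: wildcard entries reduced to their parent label."""
    hosts = {v[2:] if v.startswith("*.") else v for k, v in extract_san(der) if k == "DNS"}
    return sorted(h.lower() for h in hosts)


def _tlv(tag, content):
    """Tiny DER encoder, used only to build the constructed sample below."""
    assert len(content) < 128                  # short-form length suffices for the sample
    return bytes([tag, len(content)]) + content


# Constructed sample: one complete subjectAltName Extension as it appears inside a certificate.
SAMPLE_SAN_EXTENSION = _tlv(0x30, SAN_OID_DER + _tlv(0x04, _tlv(0x30,
    _tlv(0x82, b"example.com")
    + _tlv(0x82, b"www.example.com")
    + _tlv(0x82, b"*.dev.example.com")
    + _tlv(0x81, b"admin@example.com")
    + _tlv(0x87, bytes([192, 168, 1, 1])))))


def load_certificate(path):
    """Read a certificate file in PEM or DER form and return its DER bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


if __name__ == "__main__":
    der = load_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SAN_EXTENSION
    for kind, value in extract_san(der):
        print(f"{kind}: {value}")
```

`python3 san_names.py server.pem` lists every SAN entry; `dns_names()` gives the deduplicated host list, with `*.dev.example.com` reduced to `dev.example.com` because a wildcard proves only that the parent label is in use.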
6. Public Dataset (Rapid7)
- Rapid7 runs Internet-wide scans (Project Sonar) and publishes the results; most data sets are free, some are paid. The forward DNS (FDNS) data set is the one that matters for subdomain enumeration: grep it for your target domain to get names that were observed resolving at scan time.
- Rapid7 Datasets Link: https://opendata.rapid7.com/
7. Brute force or Dictionary Attacks
Tools:
- Aquatone
- Bluto-Old
- DNS-Discovery
- Dnssearch
- Knock
- Fierce
- Subbrute
- Amass
- Dnsrecon
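All of the tools above do the same core job: resolve each wordlist entry under the target domain and keep the ones that answer. The part that separates a usable brute-forcer from a noisy one is wildcard handling, since a `*.example.com` record makes every guess resolve. The following is an added example, not code from the original page or from any of the listed tools; the resolver is a parameter so the block runs offline against the constructed `SAMPLE_ZONE`, and `socket.gethostbyname` can be passed for real lookups.

```python
"""Dictionary brute force of subdomains with wildcard detection.

Added example, not code from the original page or the tools it lists.
SAMPLE_ZONE is constructed; pass socket.gethostbyname as the resolver for
real lookups.  Before the run a random label is resolved: if it answers,
a wildcard exists and every guess returning the same address is discarded.
"""
import secrets
import socket

DOMAIN = "example.com"

# Constructed sample zone.  dev deliberately shares the wildcard's address,
# to show the limit of address-based wildcard filtering.
SAMPLE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "dev.example.com": "203.0.113.99",
}
SAMPLE_WILDCARD_IP = "203.0.113.99"


def make_resolver(zone, domain, wildcard_ip=None):
    """Build a gethostbyname look-alike over a dict; unknown names raise like NXDOMAIN."""
    def resolve(host):
        if host in zone:
            return zone[host]
        if wildcard_ip and host.endswith("." + domain):
            return wildcard_ip                  # *.domain catch-all answer
        raise socket.gaierror(-2, f"{host}: Name or service not known")
    return resolve


def detect_wildcard(domain, resolve):
    """Resolve a random label under the domain; an answer means a wildcard exists."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        return resolve(probe)
    except socket.gaierror:
        return None


def brute_force(domain, wordlist, resolve=socket.gethostbyname):
    """Return {host: ip} for every wordlist entry that resolves to a non-wildcard address."""
    wildcard_ip = detect_wildcard(domain, resolve)
    hits = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        host = f"{word}.{domain}"
        try:
            ip = resolve(host)
        except socket.gaierror:
            continue
        if wildcard_ip is not None and ip == wildcard_ip:
            continue                            # same answer as the wildcard: no evidence the host exists
        hits[host] = ip
    return hits


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else DOMAIN
    words = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else ["www", "mail", "dev", "ftp"]
    resolver = socket.gethostbyname if live else make_resolver(SAMPLE_ZONE, DOMAIN, SAMPLE_WILDCARD_IP)
    for host, ip in sorted(brute_force(target, words, resolver).items()):
        print(host, ip)
```

Note what the sample shows: with the wildcard present, `dev.example.com` is a real record but is filtered out because it answers with the wildcard's address. Address comparison cannot tell the two apart; a host that survives that filter is real, but a host dropped by it needs a second check (CNAME target, HTTP response, certificate name) before you write it off.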
8. Zone Transfer
- A DNS zone transfer (AXFR) is the mechanism by which a secondary name server replicates the zone database, every record in the zone, from the primary name server.
- An adversary can only abuse it when the primary is configured to hand the zone to any requester instead of to its own secondaries only. The adversary poses as a secondary and asks the primary for a full copy of the zone, which returns every hostname in it in a single request. The quick check is dig axfr example.com @ns1.example.com against each authoritative server; a correctly configured server answers REFUSED.
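The exchange behind that check, as an added example that is not part of the original page: the client opens TCP port 53, sends a question of type AXFR (252) with the two-byte length prefix DNS-over-TCP requires, and the server either answers REFUSED or streams the zone as a run of messages that begins and ends with the SOA record. The wire-format builder and parser below are hand-written so the block has no dependencies; `SAMPLE_AXFR_RESPONSE` and `SAMPLE_REFUSED_RESPONSE` are constructed messages with invented names and addresses, and only `axfr()` touches the network.

```python
"""Request a zone transfer (AXFR) over TCP and list the owner names it returns.

Added example, not code from the original page.  Hand-written DNS wire
format; the sample responses are constructed, with invented names and
addresses.  axfr() performs the live request and needs network access.
"""
import socket
import struct

AXFR, SOA = 252, 6


def _encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (id, flags=0, qdcount=1) followed by one question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(zone) + struct.pack("!HH", AXFR, 1)


def _read_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after it in the message)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:               # compression pointer to an earlier name
            if not jumped:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_axfr_response(msg):
    """Return {owner_name: [(rtype, rdata_bytes), ...]} for the answer section; raise on an error RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise RuntimeError(f"server did not transfer the zone (RCODE {rcode}; 5 = REFUSED)")
    pos = 12
    for _ in range(qd):                         # skip the echoed question section
        _, pos = _read_name(msg, pos)
        pos += 4
    records = {}
    for _ in range(an):
        owner, pos = _read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        records.setdefault(owner, []).append((rtype, msg[pos:pos + rdlen]))
        pos += rdlen                            # rdata is skipped by length, so SOA/NS names need no decoding
    return records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf


def axfr(zone, nameserver, timeout=10):
    """Live transfer: DNS over TCP; the answer is a run of messages that starts and ends with the SOA."""
    query = build_axfr_query(zone)
    records, soa_count = {}, 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_count < 2:
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            for owner, rrs in parse_axfr_response(_recv_exact(s, length)).items():
                records.setdefault(owner, []).extend(rrs)
                soa_count += sum(1 for rtype, _ in rrs if rtype == SOA)
    return records


# Constructed sample responses (invented zone).  0xC00C points at the question name at offset 12.
def _rr(owner_bytes, rtype, rdata, ttl=3600):
    return owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

ZONE_PTR = b"\xc0\x0c"
QUESTION = _encode_name("example.com") + struct.pack("!HH", AXFR, 1)
SOA_RDATA = (_encode_name("ns1.example.com") + _encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300))
SAMPLE_AXFR_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0) + QUESTION      # QR=1, AA=1, RCODE=0
    + _rr(ZONE_PTR, SOA, SOA_RDATA)
    + _rr(ZONE_PTR, 2, _encode_name("ns1.example.com"))
    + _rr(b"\x03www" + ZONE_PTR, 1, bytes([203, 0, 113, 10]))
    + _rr(b"\x08internal" + ZONE_PTR, 1, bytes([10, 0, 0, 5]))
    + _rr(ZONE_PTR, SOA, SOA_RDATA))
SAMPLE_REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION   # RCODE=5
```

`sorted(axfr("example.com", "ns1.example.com"))` against a misconfigured server prints every owner name in the zone, internal hosts included, which is exactly why AXFR should be limited to the secondaries' addresses (or signed with TSIG). The sample REFUSED message is what a correctly configured server sends instead.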
Credit
Based on Lazy Hacker's writeup.
Support
You can follow me on Twitter or