Subdomain Enumeration

Enumerating subdomains is crucial because they may point to different parts of a web application, or to another website hosted on a different server with a different IP address. Collecting them lets you build an accurate public network profile of the target organization, and the process acts as a precursor to a perimeter test, just before scanning begins.

Domain vs Sub-Domain :-

  • A regular domain is a standard URL such as gamers.com.
  • A sub-domain is a unique URL that lives on your purchased domain as an extension in front of the regular domain, such as support.gamers.com.

Passive Sub-Domain Enumeration :-

  • In passive subdomain enumeration, an adversary or tester gathers subdomain information without directly connecting to the infrastructure managed by the organization.
  • Instead, the information is gathered from third parties such as VirusTotal, DNSDumpster, certificate transparency logs and similar sources. Generally, no alerts or flags are raised on the organization's side during such probing, because none of its systems see the queries.

Passive Sub-Domain Enumeration Techniques :-

  • Certificate Transparency
  • ASN Discovery
  • Using search engines
  • Using DNS aggregators (GitHub, VirusTotal, etc.)
  • Using public datasets
  • DNS enumeration using Cloudflare

Tools and Search Engines used :-

Spyse :- Subdomain Finder by Spyse is a handcrafted search engine that allows you to discover subdomains of any domain.

Rapid7 DNS dataset :- Rapid7 publicly provides its Forward DNS dataset repository. The dataset aims to record every domain name found on the Internet; while they do a very good job, the list is definitely not complete.

Censys.io :- An interface that allows you to search for keywords in certificates and thus potentially reveal new subdomains, for example:

https://censys.io/certificates?q=.example.com

Sublist3r :- One of the most popular open-source tools for subdomain enumeration. It aggregates output from many different sources such as Google, Bing, VirusTotal and crt.sh.

Sublist3r also uses a standalone project called subbrute. Subbrute uses a dictionary of common subdomain names to find the subset of candidate subdomains that actually resolve. To use it, simply run:

python sublist3r.py -d example.com
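The dictionary step that subbrute performs, written out as an added example (this is not code from Sublist3r or subbrute): each common label is placed in front of the domain and resolved, and only the names that answer are kept. The resolver is injectable so the logic can be exercised offline; the wordlist, the hostname tables and the `make_table_resolver` helper are constructed for the example. It also handles the one failure mode every dictionary approach has to deal with: a zone with a wildcard record makes every candidate "resolve", so a random label is probed first and answers that merely echo the wildcard address are discarded.

```python
"""Dictionary-style subdomain resolution with wildcard handling (added example)."""
import secrets
import socket
from typing import Callable, Dict, List, Optional

# Constructed wordlist; real tools ship lists with many thousands of labels.
COMMON_LABELS: List[str] = ["www", "mail", "api", "dev", "staging", "vpn", "test"]

# A resolver maps a hostname to an IPv4 address string, or None if the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS resolver (this is the active DNS step)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def make_table_resolver(table: Dict[str, str], wildcard_ip: Optional[str] = None,
                        wildcard_suffix: str = "") -> Resolver:
    """Offline resolver backed by a constructed table (hypothetical helper for demos/tests).

    If wildcard_ip is set, every name under wildcard_suffix that is not in the
    table resolves to it, imitating a zone that carries a '*' record.
    """
    def resolve(hostname: str) -> Optional[str]:
        name = hostname.lower()
        if name in table:
            return table[name]
        if wildcard_ip and wildcard_suffix and name.endswith(wildcard_suffix):
            return wildcard_ip
        return None
    return resolve


def detect_wildcard(domain: str, resolver: Resolver) -> Optional[str]:
    """Return the address a random, certainly non-existent label resolves to.

    A non-None result means the zone has a wildcard record, so naive
    dictionary resolution would report every candidate as live.
    """
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolver(probe)


def enumerate_subdomains(domain: str, labels: List[str],
                         resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Resolve label.domain for each label; return {hostname: ip} for the ones that answer."""
    domain = domain.lower().strip(".")
    wildcard_ip = detect_wildcard(domain, resolver)
    found: Dict[str, str] = {}
    for label in labels:
        candidate = f"{label.lower()}.{domain}"
        ip = resolver(candidate)
        if ip is None:
            continue
        # Drop answers that merely echo the wildcard. A real host that happens to
        # share the wildcard address is lost too; that is the usual trade-off.
        if wildcard_ip is not None and ip == wildcard_ip:
            continue
        found[candidate] = ip
    return found


if __name__ == "__main__":
    # Constructed zone: two real hosts, no wildcard record.
    demo = make_table_resolver({"www.example.com": "192.0.2.10",
                                "mail.example.com": "192.0.2.20"})
    for host, ip in sorted(enumerate_subdomains("example.com", COMMON_LABELS, demo).items()):
        print(f"{host} -> {ip}")
```

Passing `system_resolver` (the default) turns this into the real, active step, which is the point where the enumeration stops being passive: those lookups reach the organization's authoritative name servers and can be logged there.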

Crt.sh :- An online service for certificate search provided by COMODO. It uses a different dataset than Censys, but the principle is the same: find subdomains in certificates.

https://crt.sh/?q=%25.example.com
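The certificate-search approach behind the Censys and crt.sh entries above, as an added example that is not part of the original article and not code from either service. It assumes crt.sh's JSON output mode (`output=json`), in which each entry lists the names from one certificate in a newline-separated `name_value` field; the sample entries are constructed to show the cases a parser has to handle: wildcard certificates, mixed case, trailing dots, look-alike names that merely contain the domain, and a different registrable domain that ends in the same characters.

```python
"""Turn crt.sh certificate-search output into a clean subdomain list (added example)."""
import json
import re
from typing import Iterable, List
from urllib.parse import quote
from urllib.request import urlopen

# Constructed crt.sh-style entries for example.com (not real certificate data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    # Wildcard certificate: '*.dev.example.com' tells us the 'dev' zone exists.
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nstaging.example.com"},
    # Look-alike name that merely contains the domain, plus a mixed-case SAN.
    {"issuer_name": "C=US, O=Other CA", "common_name": "www.example.com.evil.test",
     "name_value": "www.example.com.evil.test\nMAIL.Example.COM"},
    # Different registrable domain that happens to end in the same characters.
    {"issuer_name": "C=US, O=Other CA", "common_name": "notexample.com",
     "name_value": "notexample.com"},
])

# Lowercase LDH hostnames only; anything else in a SAN list is noise for our purpose.
HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*")


def crtsh_query_url(domain: str) -> str:
    """Build the search URL; '%25' is the URL-encoded '%' wildcard seen in the article."""
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def subdomains_from_entries(entries: Iterable[dict], domain: str) -> List[str]:
    """Extract the unique hostnames under `domain` from crt.sh-style entries."""
    domain = domain.lower().strip(".")
    suffix = "." + domain
    seen = set()
    for entry in entries:
        raw = str(entry.get("name_value", "")) + "\n" + str(entry.get("common_name", ""))
        for name in raw.split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # keep the zone that a wildcard certificate covers
            if not name or not HOSTNAME_RE.fullmatch(name):
                continue
            # Exact match or a match on a label boundary; a plain
            # name.endswith(domain) would wrongly accept notexample.com.
            if name == domain or name.endswith(suffix):
                seen.add(name)
    return sorted(seen)


def subdomains_from_json(text: str, domain: str) -> List[str]:
    """Parse a crt.sh JSON response body and extract the subdomains."""
    return subdomains_from_entries(json.loads(text), domain)


def fetch_subdomains(domain: str, timeout: float = 30.0) -> List[str]:
    """Live query against crt.sh (network access; not exercised offline)."""
    with urlopen(crtsh_query_url(domain), timeout=timeout) as resp:
        return subdomains_from_json(resp.read().decode("utf-8"), domain)


if __name__ == "__main__":
    print(crtsh_query_url("example.com"))
    for host in subdomains_from_json(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Two design points carry over to any certificate source: a wildcard entry like `*.dev.example.com` is evidence of a zone rather than of a host, so it is worth keeping as `dev.example.com`, and the suffix test has to be anchored at a label boundary, otherwise `notexample.com` and `www.example.com.evil.test` end up in the target's profile.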

theHarvester :- An open-source intelligence gathering tool that finds e-mail addresses on target domains as well as subdomains and virtual hosts. However, compared to Sublist3r, it provides fewer subdomain results.

You can run theHarvester using the following command:

python theHarvester.py -d example.com -b all
