Day 017 #FromZeroToHacker – Subdomain enumeration

Time to learn the various ways of discovering subdomains, expanding the attack surface of a target by finding hidden routes into a website.

Another thing you can find is me on Twitter, writing about the #FromZeroToHacker challenge 🙂

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Subdomain Enumeration

DNS Brute force

Brute-force DNS (Domain Name System) enumeration tries hundreds, thousands or more candidate subdomains taken from a list of commonly used names, keeping the ones that actually resolve.

As doing this by hand is impractical, we automate the process with tools to make it faster.

GoBuster (in dns mode), ffuf and dnsrecon are just a few of the many tools that can automate it.

Enumerating subdomains with dnsrecon
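The logic every DNS brute-forcer shares, written out as an added Python example (not code from the TryHackMe room or from dnsrecon). It adds the check the tools do silently: before trusting any hit, resolve a random label under the target to detect a wildcard record, otherwise every word in the list "resolves" and the output is useless. The resolver is injectable, so the constructed example.test zone below runs offline; pass the default socket_resolver to hit real DNS.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None if it does not exist.
Resolver = Callable[[str], Optional[str]]


def socket_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver (real DNS traffic; not used in the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(length: int = 16) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Return the address a random label under `domain` resolves to, or None.

    A name that cannot possibly be in a wordlist should not resolve. If it does,
    the zone has a wildcard (*.domain) and every brute-forced name would look like a hit.
    """
    return resolve(f"{random_label()}.{domain}")


def brute_force_subdomains(domain: str, wordlist: List[str],
                           resolve: Resolver = socket_resolver) -> Dict[str, str]:
    """Try each wordlist entry as a label under `domain`; return {name: ip} for real hits."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for entry in wordlist:
        label = entry.strip().lower()
        if not label or label.startswith("#"):   # skip blanks and comments (SecLists style)
            continue
        name = f"{label}.{domain}"
        ip = resolve(name)
        if ip is None:
            continue
        if wildcard_ip is not None and ip == wildcard_ip:
            continue   # same answer as the random label: wildcard noise, not a real host
        found[name] = ip
    return found


# --- Constructed, offline stand-in for a real zone (assumption: example.test is not real) ---
FAKE_ZONE = {
    "www.example.test": "10.0.0.10",
    "mail.example.test": "10.0.0.20",
    "dev.example.test": "10.0.0.30",
}

WORDLIST = ["www", "mail", "dev", "staging", "admin", "# comment line", ""]


def fake_resolver(name: str) -> Optional[str]:
    """Zone with only explicit records."""
    return FAKE_ZONE.get(name)


def fake_wildcard_resolver(name: str) -> Optional[str]:
    """Same zone plus a *.example.test wildcard answering 10.0.0.99 for everything else."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return "10.0.0.99" if name.endswith(".example.test") else None


if __name__ == "__main__":
    print(brute_force_subdomains("example.test", WORDLIST, fake_resolver))
    print(brute_force_subdomains("example.test", WORDLIST, fake_wildcard_resolver))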

OSINT

OSINT (Open Source INTelligence) is the collection, analysis, and dissemination of information that is publicly available for free.

SSL/TLS Certificates

When a CA (Certificate Authority) issues an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate for a domain, a record of that certificate is published to public Certificate Transparency logs.

While the purpose of these logs is to make mis-issued and malicious certificates detectable, we can use them to our advantage, as they list every name a certificate was issued for, including subdomains of the target.

Sites like crt.sh and ui.ctsearch.entrust.com offer a searchable database of these logs we can use for our purposes.
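Pulling subdomains out of crt.sh results takes a little more than reading the page: each certificate record carries all of its Subject Alternative Names in one newline-separated field, wildcard names need their "*." stripped, duplicates and mixed case are common, and lookalike names under a different domain must not slip through. The following is an added Python example (not the site's or the room's code) that does that cleanup; SAMPLE_CRTSH is a constructed record set in the shape of crt.sh's output=json response, and fetch_crtsh is the network call you would swap in to run it live.

```python
import json
import urllib.parse
import urllib.request
from typing import Iterable, List, Set


def fetch_crtsh(domain: str) -> list:
    """Download every crt.sh record whose names match %.domain (needs network; not used offline)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(f"%.{domain}") + "&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def extract_subdomains(records: Iterable[dict], domain: str) -> List[str]:
    """Collect unique hostnames under `domain` from crt.sh JSON records.

    name_value holds all Subject Alternative Names of one certificate, one per line.
    A wildcard entry (*.x.domain) still proves x.domain exists, so the "*." prefix is
    stripped. Names that merely contain the domain as a substring (lookalikes under
    another TLD) are rejected by the suffix check.
    """
    domain = domain.lower()
    suffix = "." + domain
    names: Set[str] = set()
    for rec in records:
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name.endswith(suffix):
                names.add(name)
    return sorted(names)


# Constructed sample in the shape crt.sh returns for output=json (not real certificate data).
SAMPLE_CRTSH = [
    {"issuer_name": "C=US, O=Example CA", "common_name": "example.test",
     "name_value": "example.test\nwww.example.test"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.dev.example.test",
     "name_value": "*.dev.example.test\nVPN.Example.Test"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "mail.example.test",
     "name_value": "mail.example.test\nmail.example.test"},
    {"issuer_name": "C=US, O=Other CA", "common_name": "example.test.attacker.invalid",
     "name_value": "example.test.attacker.invalid"},
]

if __name__ == "__main__":
    # Replace SAMPLE_CRTSH with fetch_crtsh("example.test") to run against the live service.
    for host in extract_subdomains(SAMPLE_CRTSH, "example.test"):
        print(host)
```

The output is the clean list dev, mail, vpn and www under example.test; the apex itself and the lookalike under attacker.invalid are left out. Feed the result straight into a resolver or a vhost fuzz: a name in a CT log proves a certificate existed, not that the host is still up.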

Search Engines

Search engines are another way to discover subdomains, using Dorking: applying search operators (filters) to Google queries to surface information the target did not mean to expose.

For example, we can look for Twitter subdomains by Googling -site:www.twitter.com site:*.twitter.com, which excludes the main www site and returns everything else Google has indexed under twitter.com.

Google Dorking for Subdomain enumeration

Sublist3r

To speed up the OSINT process, we can automate all of the above methods with tools like Sublist3r.

Subdomain enumeration with Sublist3r

Virtual hosts

All the methods above are good, but what can we do when a development version of a web application is not listed in publicly accessible DNS?

Sometimes the DNS record only exists on a private DNS server or in the developer's hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows), mapping the domain name to an IP address.

When a browser makes a request, it includes a Host header telling the web server which site it wants; a single server can host several virtual hosts on one IP address and picks the one matching that header. We can send requests with different Host values to the target IP and monitor the responses to see whether we have discovered a new website.

Again, we can (and should) automate this process with a wordlist of commonly used subdomains.

We are going to use the command ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.171.66, where we launch ffuf with the -w switch to select the wordlist, -H to add a header in which the word FUZZ is replaced with each entry from the wordlist, and -u to set the URL:

Subdomain enumeration with ffuf

We get hundreds of results, but they all have the same size: that is just the default site answering for every unknown Host value. Let's add the -fs switch to filter out all responses with size 2395:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.171.66 -fs 2395

Subdomain enumeration with ffuf

We discovered two subdomains: Delta and Yellow.
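What ffuf did in those two runs, as an added Python example (not the room's or ffuf's code): request the same URL once per candidate Host header and keep only the responses that differ from the server's default. Instead of eyeballing the repeated size and passing it to -fs, the script measures the default itself by first sending a random, non-existent host (what ffuf's -ac auto-calibration does). The fetch function is injectable; the fake server below is constructed for the demo and uses the acmeitsupport.thm names and the 10.10.171.66 address from the write-up, while http_fetch is the real request you would use against the target.

```python
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# fetch(url, host_header) -> (status, body); injectable so the logic runs offline.
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(url: str, host: str) -> Tuple[int, bytes]:
    """Real request to `url` with an overridden Host header (needs network; not used offline)."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "vhost-fuzz"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fingerprint(status: int, body: bytes) -> Tuple[int, int]:
    """What ffuf -fs compares: status code and response size."""
    return status, len(body)


def fuzz_vhosts(url: str, domain: str, wordlist: List[str],
                fetch: Fetcher = http_fetch) -> Dict[str, Tuple[int, int]]:
    """Send one request per candidate Host header; report those whose response
    differs from what the server returns for a random, non-existent host."""
    junk = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    baseline = fingerprint(*fetch(url, f"{junk}.{domain}"))
    hits: Dict[str, Tuple[int, int]] = {}
    for entry in wordlist:
        label = entry.strip().lower()
        if not label or label.startswith("#"):
            continue
        host = f"{label}.{domain}"
        fp = fingerprint(*fetch(url, host))
        if fp != baseline:
            hits[host] = fp
    return hits


# --- Constructed fake server: one IP, a default site plus two virtual hosts ---
DEFAULT_BODY = b"<html><body>Acme IT Support - default site</body></html>"
FAKE_VHOSTS = {
    "delta.acmeitsupport.thm": b"<html><body>delta - internal tools</body></html>",
    "yellow.acmeitsupport.thm": b"<html><body>yellow - staging</body></html>",
}


def fake_fetch(url: str, host: str) -> Tuple[int, bytes]:
    """Unknown Host values fall through to the default site, as on the real target."""
    return 200, FAKE_VHOSTS.get(host.lower(), DEFAULT_BODY)


if __name__ == "__main__":
    words = ["www", "admin", "delta", "yellow", "dev"]
    print(fuzz_vhosts("http://10.10.171.66", "acmeitsupport.thm", words, fake_fetch))
```

Only delta and yellow come back, with their own sizes. The caveat with size filtering is that a real vhost whose page happens to be exactly as long as the default would be dropped too; comparing a hash of the body (or ffuf's -fw word count alongside -fs) closes that gap.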

Stats

From 179,720th to 175,223rd. Still in the top 9% on TryHackMe!

Here is also the Skill Matrix:

Skill Matrix

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: Subdomain Enumeration

Other resources

DNS in detail
Automated Discovery
GoBuster
ffuf
dirb
OSINT
Dorking
crt.sh
ui.ctsearch.entrust.com
Sublist3r