Time to learn the various ways of discovering subdomains to expand the attack surface of a target by finding hidden routes in a website.
Another thing you can find is me on Twitter, writing about the #FromZeroToHacker challenge 🙂
Table of contents
Introduction
What have I learnt today?
Stats
Resources
Introduction to Subdomain Enumeration
DNS Brute force
Brute-force DNS (Domain Name System) enumeration is the method of trying hundreds, thousands or more different subdomains taken from a list of commonly used subdomain names.
As doing this by hand is pretty tedious, we automate the process with tools to make it faster.
GoBuster, ffuf, dirb, and dnsrecon are just a few of the many tools we can use to automate this process.
OSINT
OSINT (Open Source INTelligence) is the collection, analysis, and dissemination of information that is publicly available for free.
SSL/TLS Certificates
When an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority), the CA keeps a log of every SSL/TLS certificate created for that domain name.
While these logs’ purpose is to stop malicious and accidentally made certificates from being used, we can use them to our advantage, as they may list subdomains belonging to a domain.
Sites like crt.sh and ui.ctsearch.entrust.com offer a database with a search feature we can use for our purposes.
Search Engines
Search engines are a great way to discover new subdomains by using Dorking, a technique used in Google search to find security holes by applying filters to searches.
For example, we can look for subdomains on Twitter by Googling -site:www.twitter.com site:*.twitter.com
Sublist3r
To speed up the OSINT process, we can automate all the above methods with tools like Sublist3r.
Virtual hosts
All the methods we used are good, but what can we do when a development version of a web application exists but is not listed in publicly accessible DNS?
Sometimes the DNS record is stored on a private DNS server or in the developer’s machine (/etc/hosts on Linux, C:\Windows\system32\drivers\etc\hosts on Windows), mapping the domain name to an IP address.
When a request is made to a web server, it includes a Host header. By changing this header and monitoring the response, we can see whether we have discovered a new website hosted on the same server.
Again, we can (and should) automate this process by using a wordlist of commonly used subdomains.
We are going to use the following command:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.171.66
Here we launch the ffuf program, using the -w switch to select the wordlist and -H to add a header in which FUZZ is replaced with each word from the wordlist. Finally, -u sets the URL:
We got hundreds and hundreds of results, but they all have the same size: the server is returning the same default page for every unknown host. Let’s add the -fs switch to filter out all the responses of size ‘2395’:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.171.66 -fs 2395
We discovered two subdomains: Delta and Yellow.
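To show what ffuf is doing under the hood with -H "Host: FUZZ…" and -fs, here is an added example (not from the original write-up or the ffuf project) that spins up a constructed local stand-in for acmeitsupport.thm, sends one request per candidate Host header, and filters out the catch-all response size; the wordlist, vhost names and page bodies are all made up for the demo.

```python
import http.server, socketserver, threading, urllib.request
from collections import Counter

# Constructed stand-in for the lab's acmeitsupport.thm host: one IP serving a
# catch-all page unless the Host header names one of two unlisted vhosts.
DOMAIN = "acmeitsupport.thm"
VHOST_PAGES = {
    f"delta.{DOMAIN}": b"<html>Delta: internal dev portal</html>",
    f"yellow.{DOMAIN}": b"<html>Yellow: staging site</html>",
}
DEFAULT_PAGE = b"<html>ACME IT Support public site</html>" * 4
class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOST_PAGES.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    srv = socketserver.TCPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fuzz_vhosts(base_url, domain, wordlist):
    # One request per candidate Host header, recording the body size:
    # the manual equivalent of ffuf -w list -H "Host: FUZZ.domain" -u base_url.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    sizes = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        req = urllib.request.Request(base_url, headers={"Host": host})
        with opener.open(req, timeout=5) as resp:
            sizes[host] = len(resp.read())
    return sizes

def filter_baseline(sizes):
    # The -fs step: the most common size is the catch-all page, so drop it.
    baseline = Counter(sizes.values()).most_common(1)[0][0]
    return {h: s for h, s in sizes.items() if s != baseline}, baseline

def demo(wordlist=("www", "mail", "dev", "delta", "test", "yellow", "admin")):
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    found, baseline = filter_baseline(fuzz_vhosts(url, DOMAIN, wordlist))
    srv.shutdown()
    srv.server_close()
    return sorted(found), baseline
```

Running demo() returns the two vhosts whose response size differs from the catch-all page, which is exactly the signal the -fs 2395 filter isolates in the write-up.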
Stats
From 179,720th to 175,223rd. Still in the top 9% on TryHackMe!
Here is also the Skill Matrix:
Resources
Path: Web Fundamentals
Introduction to Web Hacking
TryHackMe: Subdomain Enumeration
Other resources
DNS in detail
Automated Discovery
GoBuster
ffuf
dirb
OSINT
Dorking
crt.sh
ui.ctsearch.entrust.com
Sublist3r