Deep Subdomains Enumeration Methodology
source: https://medium.com/@shubhamrooter/deep-subdomains-enumeration-methodology-da606be0c4c3
Subdomain enumeration is a core skill for anyone who wants to understand a target's web architecture. By systematically discovering and mapping subdomains, researchers, security professionals and curious enthusiasts can gain insight into an organization's digital footprint and strengthen its defences. The process combines a range of techniques and tools to work through the structure of the internet and connect the pieces that make up an online presence.
What's the need?
A good subdomain enumeration helps you find the hidden or untouched subdomains, which fewer people have looked at for bugs. Hence, fewer duplicates.
Applications running on hidden subdomains that the organization has forgotten about may hold critical vulnerabilities.
For large organizations, it shows which services they have exposed to the internet, which is useful while performing an internal pentest.
Collecting subdomains from tools like amass, subfinder and findomain and sending them directly to httpx/httprobe is absolutely wrong: those lists contain names that no longer resolve and names that only exist because of wildcard DNS records, so probing them wastes time and produces false positives. Instead, you should first DNS resolve them using tools like puredns or shuffledns.
Horizontal Enumeration
1. Discovering the IP space
Obtain the Autonomous System Number (ASN) for the target domain from a website like https://bgp.he.net/ and find the IP ranges associated with that ASN using the whois command. The IP ranges are then saved to a file.
2. PTR records (Reverse DNS)
The IP ranges obtained in the previous step are fed into the dnsx tool with the -ptr option to perform reverse DNS lookups and retrieve PTR records. The results are saved to a file.
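Steps 1 and 2 in working code, as an added example that is not part of the original post: a parser for the route:/route6: lines that whois returns for an ASN, collapsing of overlapping prefixes so nothing is swept twice, and a reverse-DNS sweep that keeps only PTR names under the target apex. The whois text and the PTR answers are constructed samples built on documentation ASN and address ranges; the live lookup path uses the system resolver and stands in for what dnsx -ptr does at scale.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Union

# Constructed sample of RADB-style whois output. The real input comes from
# `whois -h whois.radb.net -- '-i origin AS64496'`; AS64496 and the prefixes
# are documentation values, not a real organisation.
SAMPLE_WHOIS = """\
route:          192.0.2.0/24
descr:          EXAMPLE-NET-1
origin:         AS64496

route:          192.0.2.0/25
descr:          more-specific of the range above; collapsed away below
origin:         AS64496

route6:         2001:db8:10::/48
origin:         AS64496

route:          198.51.100.0/24
origin:         AS64496
"""

# Constructed PTR answers standing in for the live lookups dnsx -ptr would make.
FAKE_PTR = {
    "192.0.2.10": "mail.example.com.",
    "192.0.2.11": "vpn-old.corp.example.com",
    "198.51.100.5": "box7.otherhosting.net",  # another tenant in a shared range
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_routes(whois_text: str) -> List[Network]:
    """Pull route:/route6: prefixes out of whois output and collapse overlaps,
    so that a /25 announced inside a /24 is not swept twice."""
    nets: List[Network] = []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("route", "route6"):
            try:
                nets.append(ipaddress.ip_network(value.strip(), strict=False))
            except ValueError:
                continue  # malformed line: skip it rather than abort the run
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def system_ptr(ip: str) -> Optional[str]:
    """Live reverse lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def ptr_sweep(networks: List[Network], apex: str,
              lookup: Callable[[str], Optional[str]] = system_ptr,
              max_hosts: int = 4096) -> Dict[str, str]:
    """Reverse-resolve hosts in the ranges and keep only PTR names under `apex`.
    Shared hosting ranges return PTRs for many organisations; only names under
    the target belong in the inventory. `max_hosts` caps the sweep so a stray
    IPv6 /48 does not run forever."""
    apex = apex.lower().rstrip(".")
    found: Dict[str, str] = {}
    count = 0
    for net in networks:
        for ip in net.hosts():
            count += 1
            if count > max_hosts:
                return found
            name = lookup(str(ip))
            if not name:
                continue
            name = name.lower().rstrip(".")
            if name == apex or name.endswith("." + apex):
                found[name] = str(ip)
    return found


if __name__ == "__main__":
    nets = parse_routes(SAMPLE_WHOIS)
    print("ranges:", [str(n) for n in nets])
    print("in-scope PTRs:", ptr_sweep(nets, "example.com", lookup=FAKE_PTR.get, max_hosts=600))
```

Run it as is and it uses the constructed answers; pass `lookup=system_ptr` (the default) and real ranges to do the live sweep. Filtering on the apex is the part worth keeping from this: a PTR sweep of a cloud range returns other tenants' names, and only names under your own domains belong in the asset list.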
3. Favicon Search
A Python script called favfreak.py is used to find the favicons served by the subdomains. The script takes a list of URLs as input and outputs the favicon hash for each domain.
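What favfreak actually computes, as an added example that is not favfreak's own code: Shodan-style favicon hashes are MurmurHash3 x86_32 over the MIME-base64 text of the icon, so the hash is reimplemented here in pure Python (no mmh3 dependency) and then used to group hosts that serve the same icon, which is how a defender spots every instance of one product across the inventory. The icons, hostnames and the fetch function are constructed stand-ins for real HTTP requests.

```python
import base64
from typing import Callable, Dict, Iterable, List


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int: the same values
    mmh3.hash() produces, which is what favfreak and Shodan use."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x: int, r: int) -> int:
        return ((x << r) | (x >> (32 - r))) & mask

    h1 = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):  # 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = rotl((k1 * c1) & mask, 15)
        k1 = (k1 * c2) & mask
        h1 = rotl(h1 ^ k1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]  # 0-3 leftover bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = rotl((k1 * c1) & mask, 15)
        h1 ^= (k1 * c2) & mask
    h1 ^= len(data)  # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def favicon_hash(icon_bytes: bytes) -> int:
    """Shodan/favfreak convention: the icon is MIME-base64 encoded (76-char
    lines, newline terminated) and that text is hashed, not the raw bytes.
    Hashing the raw bytes gives a different number that matches nothing in
    an http.favicon.hash search."""
    return murmur3_32(base64.encodebytes(icon_bytes))


def group_by_favicon(urls: Iterable[str], fetch: Callable[[str], bytes]) -> Dict[int, List[str]]:
    """Fetch /favicon.ico for each base URL through the injected `fetch` and
    group the hosts that serve the same icon. Hosts without an icon are skipped."""
    groups: Dict[int, List[str]] = {}
    for url in urls:
        try:
            body = fetch(url.rstrip("/") + "/favicon.ico")
        except Exception:
            continue  # unreachable host: leave it out of every group
        if not body:
            continue
        groups.setdefault(favicon_hash(body), []).append(url)
    return groups


# Constructed stand-in for an HTTP client: two hosts share the "admin console"
# icon, one has a different icon, one serves no icon at all.
ICON_ADMIN = b"\x00\x00\x01\x00" + b"admin-console-icon" * 8
ICON_OTHER = b"\x00\x00\x01\x00" + b"marketing-site-icon" * 8
FAKE_SITE = {
    "https://admin.example.com/favicon.ico": ICON_ADMIN,
    "https://vpn-old.example.com/favicon.ico": ICON_ADMIN,
    "https://www.example.com/favicon.ico": ICON_OTHER,
}


def fake_fetch(url: str) -> bytes:
    return FAKE_SITE.get(url, b"")


if __name__ == "__main__":
    hosts = ["https://admin.example.com", "https://vpn-old.example.com",
             "https://www.example.com", "https://static.example.com"]
    for h, members in group_by_favicon(hosts, fake_fetch).items():
        print(h, members)
```

Swap `fake_fetch` for a function that performs the real request (for instance one wrapping `requests.get(url).content`) to run it against live hosts. The grouping is what makes the hash useful on the defence side: a forgotten second copy of the admin console shows up because its icon hashes to the same value as the one you know about.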
4. Finding related domains/acquisitions
Use various sources, such as Google, Wikipedia, ChatGPT and the https://tools.whoisxmlapi.com/reverse-whois-search website, to discover related domains or acquisitions associated with the target domain.
Vertical Enumeration
Passive Enum
Subfinder: subfinder -d test.com -o passive2.txt -all
It is important to add API keys to the config file to get better results. (See the detailed blog if you didn't get it.)
Internet Archive → district → waybackurls
GitHub scraping → github-subdomains
GitLab scraping → gitlab-subdomains
https://chaos.projectdiscovery.io/#/ → a dataset from which you can get all subdomains for public bug bounty programs; it is useless when you work on a private one.
Active Enum
1. DNS Brute Forcing (using puredns)
DNS brute-forcing is performed with the puredns tool. Set up the prerequisites by installing massdns and puredns, download resolvers and DNS wordlists, and then use puredns to brute-force subdomains.
2. Permutations
Permutation techniques generate variations of the subdomains already found. Wordlists are fed to the gotator tool to create the permutations, which are then resolved using puredns.
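The permutation step as an added example that is not gotator's own code: it generates gotator-style candidates (the word prepended, inserted between existing labels, swapped in for a label, and hyphenated onto a label from either side) from resolved names and a wordlist, with an optional depth that feeds the output back in as input. The input names and the wordlist are constructed; the output is a list of unresolved candidates that still has to go through puredns before anything is probed.

```python
import re
from typing import Iterable, List, Set

# One DNS label, RFC 1123 style: 1-63 chars, alphanumerics and inner hyphens.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _valid(labels: List[str]) -> bool:
    return all(LABEL_RE.fullmatch(label) for label in labels)


def permute(subdomains: Iterable[str], words: Iterable[str], apex: str, depth: int = 1) -> List[str]:
    """Return sorted, deduplicated permutation candidates under `apex`.
    `depth` feeds each round's output back in (gotator's -depth); names that
    were already known are never emitted again."""
    apex = apex.lower().rstrip(".")
    words = [w.lower().strip() for w in words if w.strip()]
    known: Set[str] = {s.lower().rstrip(".") for s in subdomains}
    frontier = set(known)
    out: Set[str] = set()
    for _ in range(depth):
        new: Set[str] = set()
        for sub in frontier:
            if sub != apex and not sub.endswith("." + apex):
                continue  # out of scope: never mutate it
            labels = sub[: -len(apex) - 1].split(".") if sub != apex else []
            for w in words:
                cands = [[w] + labels]  # new leftmost label
                for i, lab in enumerate(labels):
                    head, tail = labels[:i], labels[i + 1:]
                    cands.append(head + [lab, w] + tail)        # insert after label i
                    cands.append(head + [w] + tail)             # replace label i
                    cands.append(head + [f"{w}-{lab}"] + tail)  # hyphen prefix
                    cands.append(head + [f"{lab}-{w}"] + tail)  # hyphen suffix
                for c in cands:
                    name = ".".join(c + [apex])
                    if _valid(c) and name not in known:
                        new.add(name)
        out |= new
        known |= new
        frontier = new
    return sorted(out)


if __name__ == "__main__":
    # Constructed input: two resolved names and a tiny permutation wordlist.
    for cand in permute(["api.example.com", "dev.example.com"], ["staging", "admin", "01"], "example.com"):
        print(cand)
```

Each input name yields roughly 4 × (number of labels) + 1 candidates per word, so the list grows quickly with a real wordlist and `depth=2`; that is the reason the text sends the result through puredns rather than straight to a prober.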
3. Google Analytics
The AnalyticsRelationships tool is used to find subdomains associated with a target domain based on shared Google Analytics tracking codes.
4. TLS, CSP, CNAME Probing
The cero tool is used for TLS, CSP and CNAME probing to gather additional subdomain information.
5. Scraping (JS/Source code)
Subdomains are probed using the httpx tool, and the resulting URLs are fed into gospider for web crawling. The output is cleaned and filtered to obtain the scraped subdomains.
Recursive Enumeration
Recursive enumeration iterates over the discovered subdomains and runs tools like subfinder, assetfinder, amass and findomain against each of them to discover additional subdomains.
Finish Work
Finally, the subdomains obtained from the different steps (horizontal and vertical enumeration) are consolidated and filtered using the httpx tool.
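The consolidation step, together with the scraping clean-up from step 5 and the "resolve before you probe" rule from the start of the post, in one added example that is not part of the original post: hostnames under the target apex are extracted from raw tool output and crawled JS, merged, resolved, and names that are answered only by a wildcard record are dropped using the random-sibling check that puredns performs. The source lines and the zone data are constructed; the default resolver uses the system resolver for live runs.

```python
import re
import secrets
import socket
from typing import Callable, Dict, FrozenSet, Set

Resolver = Callable[[str], FrozenSet[str]]


def host_pattern(apex: str):
    """Match hostnames under `apex` wherever they appear (tool output lines,
    URLs, quoted strings in JS). The lookbehind/lookahead reject look-alikes
    such as 'foo.notexample.com' and 'example.com.evil.net'."""
    return re.compile(
        r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)*" + re.escape(apex) + r")(?!\.?[a-z0-9-])",
        re.IGNORECASE,
    )


def extract_hosts(text: str, apex: str) -> Set[str]:
    return {m.group(1).lower() for m in host_pattern(apex.lower()).finditer(text)}


def system_resolve(name: str) -> FrozenSet[str]:
    """Live A/AAAA lookup through the system resolver; empty set on NXDOMAIN."""
    try:
        return frozenset(ai[4][0] for ai in socket.getaddrinfo(name, None))
    except OSError:
        return frozenset()


def consolidate(sources: Dict[str, str], apex: str,
                resolve: Resolver = system_resolve) -> Dict[str, FrozenSet[str]]:
    """Merge every source, keep in-scope names, resolve them and drop wildcard
    hits: a name is a wildcard hit when a random sibling label under the same
    parent resolves to exactly the same addresses. What survives is the list
    worth handing to httpx."""
    apex = apex.lower().rstrip(".")
    hosts: Set[str] = set()
    for text in sources.values():
        hosts |= extract_hosts(text, apex)
    wildcard: Dict[str, FrozenSet[str]] = {}  # parent -> answer for a random label
    live: Dict[str, FrozenSet[str]] = {}
    for name in sorted(hosts):
        ips = resolve(name)
        if not ips:
            continue  # unresolved: no point probing it
        if name != apex:
            parent = name.split(".", 1)[1]
            if parent not in wildcard:
                wildcard[parent] = resolve(f"{secrets.token_hex(8)}.{parent}")
            if wildcard[parent] and ips == wildcard[parent]:
                continue  # answered only by the wildcard, not a real host
        live[name] = ips
    return live


# Constructed inputs: a subfinder list and a few gospider/JS lines, including
# out-of-scope look-alikes that must not be picked up.
SOURCES = {
    "subfinder": "www.example.com\napi.example.com\nold.example.com\n",
    "gospider": (
        "[href] - https://www.example.com/static/app.js\n"
        "[javascript] - https://api.example.com/v1/config\n"
        'var legacy = "//legacy.dev.example.com/login";\n'
        'var ghost = "ghost.dev.example.com";  // exists only via the wildcard\n'
        'var real = "https://real.dev.example.com/";\n'
        'var notus = "cdn.notexample.com example.com.evil.net";\n'
    ),
}

# Constructed zone: a wildcard covers *.dev.example.com and one real record sits under it.
FAKE_ZONE = {
    "example.com": frozenset({"192.0.2.1"}),
    "www.example.com": frozenset({"192.0.2.1"}),
    "api.example.com": frozenset({"192.0.2.2"}),
    "real.dev.example.com": frozenset({"192.0.2.3"}),
}


def fake_resolve(name: str) -> FrozenSet[str]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".dev.example.com"):
        return frozenset({"192.0.2.9"})  # the wildcard answer
    return frozenset()


if __name__ == "__main__":
    for host, ips in consolidate(SOURCES, "example.com", fake_resolve).items():
        print(host, sorted(ips))
```

With the constructed zone, old.example.com disappears because it no longer resolves, ghost.dev.example.com and legacy.dev.example.com disappear because the wildcard answers them, and real.dev.example.com survives because its answer differs from the wildcard's. Omit the `resolve` argument to run the same logic through the system resolver; for thousands of names use puredns with a resolver list instead, since it performs this check in bulk.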