Lab Access: https://tryhackme.com/room/subdomainenumeration
Subdomain Enumeration —the process of identifying valid subdomains for a domain.
[Question 1.1] What is a subdomain enumeration method beginning with B?
Answer: Brute Force
[Question 1.2] What is a subdomain enumeration method beginning with O?
Answer: OSINT
[Question 1.3] What is a subdomain enumeration method beginning with V?
Answer: Virtual Host
SSL/TLS (Secure Sockets Layer/Transport Layer Security) Certificate• Created for a domain by a CA (Certificate Authority)CA (Certificate Authority)• Take part in what’s called “Certificate Transparency (CT) logs”
Purpose of Certificate Transparency (CT) logs• Stop malicious and accidentally made certificates from being usedThese two website provides a certificate database that is searchable and displays current and historical results.http://crt.sh/
https://transparencyreport.google.com/https/certificates
[Question 2.1] What domain was logged on crt.sh at 2020–12–26?
1st - crt.sh
2nd - search "tryhackme.com"
Answer: store.tryhackme.com
Search Engines — A fantastic resource for discovering new subdomains.
- By utilizing advanced search strategies on websites such as Google
Method:
• site:filter > can narrow the search results
• -site:www.domain.com site:*.domain.comExample:
• -site:www.tryhackme.com site:*.tryhackme.com
[Question 3.1] What is the TryHackMe subdomain beginning with B discovered using the above Google search?
Answer: blog.tryhackme.com
Bruteforce DNS (Domain Name System) Enumeration
- By attempting tens, hundreds, thousands, or even millions of unique subdomains from a pre-defined list of frequently used subdomains, and it automates it with a tool to speed up the procedure.
Tool:
• dnsreconIf you're running Kali Linux, it's already pre-installed, and you can go to the "terminal" and type "dnsrecon" to see how to use it.
[Question 4.1] What is the first subdomain found with the dnsrecon tool?
Answer: api.acmeitsupport.thm
It expedites the process of discovering OSINT subdomains.
1st - Install sublist3r in Kali Linux
• sudo apt install sublist3r2nd Run sublist3r
• type: sublist3r
[Question 5.1] What is the first subdomain discovered by sublist3r?
Answer: web55.acmeitsupport.thm
Subdomains aren’t usually hosted in DNS results that are publicly accessible, such as:
- development versions of a web application
- administration portals
DNS records can be stored on a private DNS server or on the developer’s workstations in the /etc/hosts file (or c:\windows\system32\drivers\etc\hosts file for Windows users), which translates domain names to IP addresses.
Web servers can host numerous websites from a single server. • When a client requests a website, the server determines which website the client wants based on the Host Header.
What we can do:
- Make use of this host header by modifying it and checking the response to see whether we’ve discovered a new website, and it’s very similar to DNS Brute Force in that it uses a tool to seek it out and automates the process.
Tool:
• ffufIt comes pre-installed with Kali LinuxExample:
• ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://<domain name/ip address>Switches:
-w > wordlist
-H > adds/edits a header
-u > url
-fs > tells ffuf to ignore any results that are of the specified size
[Question 6.1] What is the first subdomain discovered?
Notice that there are numerous reports with the “Size” of “2395” and that you should then filter out the “2395” to see what the result could be.
Method: • ffuf -w namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.186.57 -fs 2395By including the switch "-fs" and the value "2395," it will filter and eliminate all of the "2395"
Answer: delta
[Question 6.2] What is the second subdomain discovered?
Answer: yellow
CONCLUSION
Without a doubt, “enumeration” is one of the most significant aspects in PenTesting, and thus “subdomain enumeration” will serve to highlight what possibilities we can take note of and tap on.
Having the results will allow us to understand how the web application works in this case, as well as whether there are any other directories or folders that we can dig at and “recon” any further.
Using the given tool helps to reduce the time required and only helps to complete the task successfully.
Cheers! ◡̈