Subdomains Enumeration: what is, how to do it, monitoring automation using webhooks and centralizing your findings
If you are reading this article is possible that you:
- Are interested in learning what is and how to do subdomains enumeration.
- Want to know how to automatize subdomains monitoring.
- Want to centralize your findings in one place.
- Want to get the new data automatically published using webhooks.
Having a tool that can do all this isn’t easy, but do not despair: Findomain exists.
Before working with Findomain, I will tell you the basics.
What is a Subdomain Enumeration process?
First, I need to tell you what is a subdomain. According to Wikipedia:
Yes, that’s right. When you see a domain like example.org and then you see in another place drugs.example.org you’re seeing a subdomain. In more practical words, subdomains are like having a enterprise and their dependencies where the enterprise is the domain and the dependencies are the subdomains. A more technical explanation can be found here.
Most domains have at least a couple of subdomains, they are used to organize topics, for example having a blog for example.org in the blog.example.org subdomain, a forum in forum.example.org or for another tasks like a subdomain called mail.example.org to route mail traffic, etc. Having a big number of subdomains can lead to security problems if they are not managed well enough and that’s what usually happens with companies (but not limited to) that have tens, hundreds, or thousands of subdomains. It is not easy to track them one by one and they end up running outdated software, having miss-configurations, and bad security policies.
With subdomain enumeration you will find the highest quantity of subdomains for a target domain either for security testing, crawling, subdomain takeover checks, or another task. Subdomain enumeration is one of the most important steps while doing security tests to a target domain.
How to do Subdomain Enumeration?
Now that we know what is a subdomain enumeration and why it is so important, the next step is knowing how to do it. There are many subdomain enumeration tools, some better than others. In this post I am using Findomain, a tool that I have written in Rust from scratch, does not use bruteforce methods, it is the fastest compared with existing subdomains enumeration tools, is very light with resource consumption, can be installed in any architecture or operative system (including phones, tablets, etc) and allow you to do a lot of interesting things. If you are interested in getting Findomain, it is open source and can be downloaded from https://github.com/Edu4rdSHL/findomain. Let’s do it!
If you want to know just what subdomains have a target, in it case example.org, just run
findomain -t example.org and you will got in a couple of seconds…
$ findomain -t example.orgTarget ==> example.orgSearching in the CertSpotter API... 🔍
Searching in the Crtsh database... 🔍
Searching in the Virustotal API... 🔍
Searching in the Sublist3r API... 🔍
Searching in the Spyse API... 🔍
Searching in the Facebook API... 🔍
Searching in the Threadcrowd API... 🔍
Searching in the Bufferover API... 🔍
Searching in the Virustotal API using apikey... 🔍morev.example.org
... snipA total of 65 subdomains were found for ==> example.org 👽Good luck Hax0r 💀!
65 subdomains were found for example.org!
If you want to search for a list of domains you can put they into a text file, every domain in a line and run
findomain -f domains.txt and Findomain will search subdomains for every domain in the file.
That is the most basics Findomain usage, if you want for example to run Findomain and only show resolvable domains (that have a public IP), you must execute
findomain -t example.org -r and Findomain will show to you only subdomains that have a public IP address and can be accessed from where you are. Findomain will print all of the found subdomains in the screen or in a output file as described below.
If you want to use all APIs, you need to configure some things. Please see the Findomain documentation to configure needed access tokens for some APIs, it will improve the number of subdomains found.
If you want to write to an output file, you have two options:
- Give to Findomain the control of the output file names using the
-oflag. If you run
findomain -t example.org -othe resulting file name will be called
example.org.txtin it case but even follows the rule
domain string+.txt. Have in mind that if you are reading subdomains from a file every domain will have their own output file.
- The other option is using the
-uflag and giving your own name to a unique output file still if Findomain is reading domains from a text file. If you run
findomain -t example.org -u myfile.txtor
findomain -f domains.txt -u myfile.txtin both cases the output filename is
myfile.txt. It’s specially useful if you are working with a list of domains into a file and want to save all data into a unique output file for further tests.
Now that we know what is subdomain enumeration and why it is so important, the next step is knowing how to do it.
Subdomain Monitoring automation and publishing to webhooks
At the moment we know that example.org have 65 subdomains but what happens if we want to know when and what new subdomains are added? Well, you can save the last results into a file and then run the tool again and check the difference between the two files… not very practical, true? Yes, doing that sucks, imagine that we are going to monitor 1000 subdomains, doing that task manually for every domain is really a waste of time. But there’s another good notice for you: Findomain can monitor a subdomain (using the
-t option) or X number of subdomains (putting they in a file and using the
-f option). First I will explain to you how it works.
Findomain can do subdomains monitoring if you pass the
-m flag. Anyways, the tool need to have some prerequisites before using it:
- The PostgreSQL relational database needs to be installed in at least one of your devices (PC/Server/Phone). The PostgreSQL software is multi-platform and can be installed in GNU/Linux, Windows, Macintosh, Termux and more. See https://www.postgresql.org/download/ if you can’t find the package in your distribution repository’s for GNU/Linux or if you are in another OS.
- A Discord/Slack or Telegram webhook configured. Note: You need a Discord, Slack or Telegram account in order to create webhooks. If you think that another platform should be supported, open an issue in https://github.com/Edu4rdSHL/findomain/issues.
- A job scheduler if you want to run Findomain automatically in your system. See the documentation.
When you have completed the requirements, continue with the next steps.
Configuring Findomain for the subdomains monitoring automation.
Findomain does some checks before starting with the monitoring process. These checks are:
- Check if at least one of the
findomain_telegrambot_chat_idsystem variables are set. They are needed to publish the results of the monitoring task.
- Check if the connection to the PostgreSQL database can be performed correctly.
If these checks are passed, the tool will start working.
See the following examples to have a idea of how you can start Findomain in the monitoring mode.
- GNU/Linux, Mac, Termux.
$ export findomain_discord_webhook='https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX'
$ export findomain_slack_webhook='https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
$ export findomain_telegrambot_token="Your_Bot_Token_Here"
$ export findomain_telegrambot_chat_id="Your_Chat_ID_Here"
$ findomain -m -t example.org --postgres-host 192.168.1.73 --postgres-port 5432 --postgres-database findomain --postgres-user findomain --postgres-password postgres
> set findomain_discord_webhook=https://discordapp.com/api/webhooks/XXXXXXXXXXXX
> set findomain_slack_webhook=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
> set findomain_telegrambot_token=Your_Bot_Token_Here
> set findomain_telegrambot_chat_id=Your_Chat_ID_Here
> findomain -m -t example.org --postgres-host 192.168.1.73 --postgres-port 5432 --postgres-database findomain --postgres-user postgres --postgres-password postgres
If you don’t set some of the options, Findomain will use default values. See the documentation for more info. Additionally if you are going to run the tool in your current computer you only need to set the
--postgres-password and the
—-postgres-user option — only if the user is different to postgres — example:
$ findomain -t example.org -m --postgres-password 1234
Or if you don’t have any password and the user is postgres:
$ findomain -t example.org -m
To use a list of domains instead of only a domain, change the
-t option for the
When you execute the command, internally the following events occur:
- The checks mentioned before are done.
- Connection to the PostgreSQL database.
- Search in the APIs and save the results as a current subdomains variable.
- Database query to search if there are existing subdomains associated with the current target domain and save the results as a existing subdomains variable.
- Comparison of existing subdomains with the current subdomains and check what is in current subdomains that aren’t in the existing subdomains and save the results into a new subdomains variable.
- Format the data and publish the new subdomains to webhooks.
- If the publish is successful then prepare the SQL transaction and commit new subdomains to the database, otherwise show the error message without doing the database commit.
The mentioned steps are repeated every-time the tool runs for every domain target.
If new subdomains were found, Findomain will publish the following message to the webhooks:
If not data is found, Findomain will send the following alert:
The next step to complete the automation is set up a job scheduler. In internet are available a lot of tutorials about configuring jobs schedulers, found one for you or read the Findomain documentation. I’m going to give you a simple example of how to set up a systemd timer in Linux that do the work.
- Create the file
/usr/lib/systemd/user/findomain.serviceand put the following content there:
ExecStart=bash -c "findomain_virustotal_token='Your Virustotal token here' findomain_fb_token='Your Facebook token here' findomain_discord_webhook='Your Discord webhook URL here' findomain_slack_webhook='Your Slack webhook URL here' findomain_telegrambot_token='Your_Bot_Token_Here' findomain_telegrambot_chat_id='Your_Chat_ID_Here' findomain -f /path/to/domains.txt -m --postgres-host Host-IP-or-name-here --postgres-port Host-postgresql-port-here --postgres-user postgresql-username --postgres-password postgresql-password --postgres-database postgresql-database-name"
- Create the file
/usr/lib/systemd/user/findomain.timerand put the following content there:
Description=Check for new subdomains.[Timer]
- Run the command:
systemctl --user start findomain.timer && systemctl --user enable findomain.timer
That will run Findomain every 24 hours (1d) and 10 minutes (10min) before the system is booted (first time).
That’s all, you have completed the subdomains monitoring automation using Findomain.
Centralizing your subdomain findings
We have learned how to enumerate subdomains, use files as a list of domains, monitor subdomains, publish data to webhooks, save the data to a database and more using our local computer as client/server… but what if I say to you that we can use a central server with PostgreSQL installed and use Phones, PC’s, Tablets, Virtual Machines or whatever as clients to monitor subdomains but having all the data only in a database? Yes, that’s possible to do with Findomain too.
You need to have a machine running PostgreSQL and configured to be accessible from anywhere (if you want to access from public IPs) or from specific IPs. In our case we are going to use a machine into our local network as central server with the IP 192.168.1.73 and the following machines as clients: Android 9 Phone, Windows 10 and BlackArch Linux virtual machines.
If you want to learn how to make your database accessible from external machines, follow it link.
Now, I will run the clients mentioned before and see what happens.
Android 9 Phone.
According to the webhooks, it has found 180 subdomains for example.com in the first run.
Lets see what is in our remote database…
Well, the 180 subdomains are now in our database. Lets see how it works on Windows and BlackArch but using different targets.
According to the reported data, we should have 272 subdomains in our central database.
That’s how you can centralize all your findings across all devices that you want. In our case we used a local server but you can buy your VPS and connect to it from any device as client.
I hope that you, dear lector, have enjoyed reading this article but above all, it has been useful in your learning/working process. Follow me in:
Give a clap to the article, share it and give a star to the Github project repository.
If you found a issue in the Findomain tool or want a new feature, feel free to open an issue in the repository. Coming features are:
- Option to query the central database and get the domains from there.
- Show the IP address of the resolved subdomains (it was implemented a time and then was removed and replaced by the -r option, now the -i will be a complement for it).
Until a next opportunity.