Hacking with Subdomain3

Michael Meade
4 min read, Jan 19, 2022


Subdomain3 is a tool for discovering the subdomains that belong to a target domain. It is written in Python 3.

The first task when attacking any target is reconnaissance: finding out as much as you can about it, such as the services it runs, the subdomains associated with it, and the ports that are open.

A subdomain is a domain that is part of another domain. An example of a subdomain is shown below:

api.coca-cola.com

This guide assumes that you are installing Subdomain3 on a Linux system; the tool also runs on Windows. The first part explains how to install Subdomain3. If you already have it installed, skip ahead to the usage section.

When installing Subdomain3 you have two options: clone the repository with git, or download the zip file from GitHub and unzip it.

If you want to use git clone, the first step is installing git on the computer. Skip this if git is already installed:

sudo apt-get install git

Next, install Python 3. Skip this too if it is already present:

sudo apt-get install python3

The next step downloads Subdomain3 using git.

git clone https://github.com/yanxiu0614/subdomain3.git

Run the command above to download the source code of Subdomain3.

cd subdomain3

The command above changes into the subdomain3 directory. This is needed because next we install the Python modules the project needs to run.

Before we install the modules we need pip3. If it is already installed on your system, skip this part.

sudo apt-get -y install python3-pip

The command above installs pip3, which is needed to install the modules listed in requirement.txt.

After pip3 is installed run the following command.

pip3 install -r requirement.txt

The command above installs all the modules that Subdomain3 needs to run.

python3 brutedns.py -d jetblue.com

The command above brute-forces jetblue.com's subdomains and saves the results as a CSV file in the result directory.

Subdomain3 also lets you supply domains in a text file. The command below scans a list of domains; put one domain per line in t.txt.

python3 brutedns.py -f t.txt

Domains are made of several levels. In the following domain, .uk is the top-level (first-level) domain:

monkey.co.uk

.co is the second level, and monkey is the third level. Every registrable domain has at least two levels: in banksy.com, the first level is .com and the second level is banksy.

Subdomain3 can brute-force subdomains at deeper levels. To change how deep it searches, use the -l option:

python3 brutedns.py -d foxcorporation.com -l 3

The command above tells Subdomain3 to look for subdomains down to the third level (for example, dev.api.foxcorporation.com).

A CNAME record points to another domain name, never to an IP address. For example, suppose blog.example.com has a CNAME record with the value example.com (without the blog). When a resolver looks up blog.example.com, the CNAME triggers a second lookup for example.com, and the A record of example.com supplies the IP address. In this case example.com is the canonical name (the true name) of blog.example.com. CNAMEs are worth collecting during recon: a CNAME whose target no longer resolves, or points at a third-party service nobody has claimed, is the classic starting point for a subdomain takeover check.

The command below also saves every CNAME found to a file named cname.txt in the result directory (the -c y flag turns CNAME collection on):

python3 brutedns.py -d foxcorporation.com -c y
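The CNAME chase described above, written out as a bash function so the behaviour is visible step by step. This is an added example, not part of the original post or of Subdomain3; the records are a constructed sample (example.com/example.net names, TEST-NET addresses) embedded in the script so it runs offline, and the lookup() helper stands in for a real resolver.

```bash
#!/usr/bin/env bash
# Constructed sample DNS answers (not real records), one "name type value" per line.
RECORDS='blog.example.com CNAME example.com
example.com A 203.0.113.10
www.example.com CNAME cdn.example.net
cdn.example.net CNAME edge.example.net
edge.example.net A 203.0.113.20
old.example.com CNAME retired-app.example-host.test
loop.example.com CNAME loop2.example.com
loop2.example.com CNAME loop.example.com'

# lookup NAME TYPE -> prints the record value, or nothing if no such record exists.
# Stand-in for a live query; see the note below for the dig equivalent.
lookup() {
    printf '%s\n' "$RECORDS" | awk -v n="$1" -v t="$2" '$1==n && $2==t {print $3; exit}'
}

# resolve_chain NAME -> prints "NAME -> cname -> ... -> IP", following CNAMEs
# the way a resolver does. Exit 0 on an A record, 2 if the chain ends at a
# name with no records at all (the dangling case a takeover check looks for),
# 3 if the chain never terminates.
resolve_chain() {
    local name=$1 chain=$1 hops=0 target ip
    while :; do
        ip=$(lookup "$name" A)
        if [[ -n $ip ]]; then
            printf '%s -> %s\n' "$chain" "$ip"
            return 0
        fi
        target=$(lookup "$name" CNAME)
        if [[ -z $target ]]; then
            printf '%s -> DANGLING\n' "$chain"
            return 2
        fi
        hops=$((hops + 1))
        if (( hops > 8 )); then
            printf '%s -> LOOP\n' "$chain"
            return 3
        fi
        chain="$chain -> $target"
        name=$target
    done
}

# Demo: walk every hostname in the sample, including the dangling and looping ones.
for h in blog.example.com www.example.com old.example.com loop.example.com; do
    resolve_chain "$h" || true
done
```

To run this against live DNS, replace the body of lookup() with `dig +short "$1" "$2"` and strip the trailing dot that dig appends to CNAME targets; the chain-following and dangling-target logic stays the same. The hop limit matters in practice because real zones do occasionally contain CNAME loops.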

Creating a script that runs Subdomain3 and then scans the found subdomains with Nmap.

#!/usr/bin/env bash
# scrape.sh: run Subdomain3 on a domain, collect the found subdomains, then scan them with nmap.
# Usage: bash scrape.sh <domain> [-c]
set -euo pipefail

function save_file {
    # Skip the CSV header row ("DOMAIN") and append every real hostname.
    if [[ $1 != "DOMAIN" ]]; then
        echo "$1" >> "domains.txt"
    fi
}

function run_subdomain3 {
    python3 brutedns.py -d "$1"
}

function run_nmap {
    nmap -iL domains.txt
}

# Without -c, start from an empty domains.txt; with -c, append to the existing one.
if [[ ${2:-} != "-c" ]]; then
    if test -f "domains.txt"; then
        rm domains.txt
    fi
fi

INPUT=$1
FILE="result/${INPUT}/${INPUT}.csv"

run_subdomain3 "$INPUT"

# The first CSV column is the subdomain; the remaining fields are ignored.
while IFS=, read -r field1 field2
do
    save_file "$field1"
done < "$FILE"

run_nmap

The bash script above runs Subdomain3, parses the resulting CSV file, saves every subdomain found into a text file named domains.txt, and then runs nmap against that list.

Save the script as scrape.sh in the directory that contains brutedns.py, because it calls brutedns.py and reads the result directory by relative path. Then run it with the target domain as the first argument:

bash scrape.sh jetblue.com

Replace jetblue.com with your own target domain. After the script finishes, domains.txt contains all the subdomains that Subdomain3 found, and the script runs a basic nmap scan against them and prints the results.

If the -c argument is not supplied, the script deletes any existing domains.txt before the Subdomain3 scan and builds a fresh one. If -c is given, it keeps domains.txt and appends the newly found subdomains to its existing contents.

An example of the command with -c is shown below.

bash scrape.sh google.com -c
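A hardened version of the CSV-to-nmap step, added here as an example (it is not the post's script and not part of Subdomain3). It also covers the domain-level discussion above by letting you cap the depth of hostnames passed to nmap. Assumptions, labelled in the code: the result CSV has the hostname in its first column under a "DOMAIN" header (as the post's script assumes), the other columns are ignored, and the CSV uses the CRLF line endings that Python's csv module writes by default. Everything else it does is generic: strip the carriage return, drop duplicates, and keep only syntactically valid hostnames so that nothing odd ends up in the nmap target list.

```bash
#!/usr/bin/env bash
# Constructed sample of a Subdomain3-style result CSV (assumed layout: hostname in
# column 1 under a DOMAIN header; extra columns ignored). CRLF endings included
# on purpose, plus one single-column row and one deliberately malformed entry.
SAMPLE_CSV=$(printf 'DOMAIN,IP\r\napi.example.com,203.0.113.1\r\nwww.example.com,203.0.113.2\r\napi.example.com,203.0.113.1\r\ndev.api.example.com,203.0.113.3\r\nold.example.com\r\nbad host;rm -rf /,203.0.113.4\r\n')

# domain_level NAME -> number of labels (example.com = 2, api.example.com = 3),
# the same counting the post uses when it talks about first/second/third level.
domain_level() {
    local dots=${1//[^.]/}
    echo $(( ${#dots} + 1 ))
}

# csv_to_targets FILE [MAXLEVEL] -> unique hostnames from column 1, header dropped,
# CR stripped, only syntactically valid hostnames, at most MAXLEVEL labels deep.
csv_to_targets() {
    local file=$1 maxlevel=${2:-99} host rest
    # RFC 1123-style hostname: labels of letters/digits/hyphens separated by dots.
    local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
    # "|| [[ -n $host ]]" keeps a final line that lacks a trailing newline.
    while IFS=, read -r host rest || [[ -n $host ]]; do
        host=${host%$'\r'}                 # drop CR from CRLF files
        [[ $host == "DOMAIN" ]] && continue # header row
        [[ $host =~ $re ]] || continue      # anything else is not a hostname
        (( $(domain_level "$host") <= maxlevel )) && printf '%s\n' "$host"
    done < "$file" | sort -u
}

# Demo on the constructed sample: print the cleaned target list, then the
# same list limited to third-level hosts. Feed the output to `nmap -iL`.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CSV" > "$tmp"
echo "# all valid hosts:"
csv_to_targets "$tmp"
echo "# up to third level:"
csv_to_targets "$tmp" 3
rm -f "$tmp"
```

In the post's script the equivalent would be `csv_to_targets "$FILE" >> domains.txt` in place of the read loop; with -c you would then want a final `sort -u -o domains.txt domains.txt` so repeated runs do not scan the same host twice.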

The first step in a bug bounty or any other engagement is to find out as much about the target as you can. Subdomain3 is a great tool for enumerating the hosts that make up a target's attack surface.
