Subdomain Enumeration
Subdomain enumeration is the process of identifying all subdomains for a given domain. This can be useful for a variety of purposes, such as identifying potential targets for an attack, or simply for organizational purposes.
We do two types of subdomain enumeration:
1. Passive Subdomain Enumeration
2. Active Subdomain Enumeration
Passive Subdomain Enumeration:
Passive subdomain enumeration is the method of gathering subdomains of a given domain without directly interacting with the domain. The subdomains are gathered from publicly available sources like Google, VirusTotal, DNSdumpster, Shodan etc. As these are publicly available sources, many of the gathered subdomains can be inactive (stale records), so it is better to verify them later with active enumeration tools.
Passive subdomain enumeration tools:
1. Sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.
Command:
→ To enumerate subdomains of a specific domain:
sublist3r -d example.com
→ To enumerate subdomains using only specific engines, such as the Google, Yahoo and VirusTotal engines:
sublist3r -e google,yahoo,virustotal -d example.com
2. assetfinder
Go-based tool by tomnomnom to find domains and subdomains potentially related to a given domain. GitHub Repo: https://github.com/tomnomnom/assetfinder
Command:
assetfinder --subs-only example.com
3. subfinder
subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources. It has a simple, modular architecture and is optimized for speed. GitHub Repo: https://github.com/projectdiscovery/subfinder
Command:
subfinder -d example.com
Active Subdomain Enumeration:
Active Subdomain Enumeration is a technique used to discover subdomains by actively querying DNS servers or generating permutations of subdomains from wordlists. It helps to identify active subdomains that may be potential targets for further analysis or exploitation.
Active Subdomain enumeration tools:
1. Goaltdns
goaltdns generates permutations of subdomains from a wordlist and a hostname. The resulting list can later be used with puredns to extract the active subdomains. GitHub Repo: https://github.com/subfinder/goaltdns
Command:
goaltdns -h hostname.com -w wordlist.txt -o output.txt
2. Puredns
puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries. We can take the permutation list produced by goaltdns, or the subdomain list found by passive discovery, and feed it to puredns to find out which subdomains are active. GitHub Repo: https://github.com/d3mondev/puredns
Note: massdns should be installed prior to this.
Command:
puredns bruteforce perm-list-from-goaltdns.txt domain-name -r resolvers.txt
We can use the resolvers file from this GitHub link of trickest:
(https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt)
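The two steps above (goaltdns-style permutation of a hostname, then puredns-style resolution with wildcard filtering) as an added Python illustration; this is not code from goaltdns or puredns. The resolver is injectable so the logic can be checked against a constructed lookup table instead of live DNS, and the permutation forms (word.host, word-host, host-word) are an assumed subset of what goaltdns produces.

```python
import random
import socket
import string
from typing import Callable, Iterable

Resolver = Callable[[str], list[str]]


def permutations(hostname: str, words: Iterable[str]) -> list[str]:
    """Build goaltdns-style candidates: word.host, word-host, host-word.
    A bare domain (two labels) only gets the 'word.domain' form."""
    first, _, parent = hostname.partition(".")
    out: set[str] = set()
    for w in words:
        out.add(f"{w}.{hostname}")
        if "." in parent:  # hostname already carries a subdomain label
            out.add(f"{w}-{first}.{parent}")
            out.add(f"{first}-{w}.{parent}")
    return sorted(out)


def resolve(name: str) -> list[str]:
    """Real resolver via the system stub; [] when the name has no records."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def wildcard_ips(domain: str, resolver: Resolver = resolve, probes: int = 3) -> set[str]:
    """Answers for random labels reveal a wildcard record (*.domain)."""
    ips: set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        ips.update(resolver(f"{label}.{domain}"))
    return ips


def live_subdomains(domain: str, candidates: Iterable[str],
                    resolver: Resolver = resolve) -> dict[str, list[str]]:
    """Keep names that resolve to something other than the wildcard answers,
    the same idea puredns uses to drop wildcard noise from a brute-force run."""
    wild = wildcard_ips(domain, resolver)
    live: dict[str, list[str]] = {}
    for name in candidates:
        ips = resolver(name)
        if ips and not set(ips) <= wild:
            live[name] = ips
    return live
```

Running `live_subdomains("example.com", permutations("www.example.com", words))` with the default resolver performs real lookups through the system stub resolver; for an asset inventory of your own zone, compare the result against the authoritative zone file to spot forgotten records.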
3. Gobuster
Gobuster is a tool for directory and DNS brute-forcing. It discovers hidden files, directories, and subdomains by trying different combinations. It's a powerful reconnaissance tool for identifying potential attack vectors.
Command:
gobuster dns -t 30 -w subdomains.txt -d domain-name
I will update this article as I continue to learn more on this topic. So please look out for future updates.