Subdomains listing techniques

Yasser Gersy

Hi

In this post I am going to go through most of the techniques used to enumerate subdomains.

This is useful when targeting a web asset: the most important step is recon, and you should collect as much information as you can.

Suppose we are targeting hackerone.com.

1-Resolving

The second fastest method is resolving domain names. Using any tool that resolves host names to IPs (nslookup, host, ping, etc.) you can get a list of subdomains.

Try to resolve hosts like :

app.hackerone.com

www.hackerone.com

stage.hackerone.com

You will get a lot of false positives if the target has a wildcard DNS record: every name under the domain resolves. Check for this first by resolving a random label, and discard candidates that answer with the same address as the random one.

You can do that with:

#!/bin/bash
#./resolv.sh hackerone.com
# reads one label per line from list.txt and prints the names that resolve
while read -r p; do
r="$(host "$p.$1")"
# "has address" covers A records; AAAA-only hosts print "has IPv6 address"
if [[ $r == *"has address"* || $r == *"IPv6 address"* ]]; then
echo "$p.$1"
fi
done <list.txt

Or you can use cazador subResolver
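The same resolving loop in Python with the wildcard check built in, as an added example (not the post's script and not cazador's code): it resolves a few random labels first, and if they all come back with the same addresses it treats those addresses as the wildcard answer and drops every candidate that returns nothing else. The resolver is passed in as a function so the filtering can be exercised offline; the hosts and addresses in the usage below are made up.

```python
import random
import socket
import string

# Added example, not the post's script: wildcard-aware resolving of a word list.
# `resolve` is any callable name -> set of address strings; the default uses
# the system resolver. A fake resolver can be passed in for offline testing.


def system_resolve(name):
    """Addresses (A and AAAA) for `name`, or an empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def random_label(length=16):
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))


def wildcard_addresses(domain, resolve=system_resolve, probes=3):
    """Resolve a few random labels under `domain`. If every one of them resolves
    to the same addresses the zone has a wildcard record; return those addresses
    (an empty set means no wildcard was detected)."""
    answers = [frozenset(resolve(f'{random_label()}.{domain}')) for _ in range(probes)]
    if all(answers) and len(set(answers)) == 1:
        return set(answers[0])
    return set()


def resolve_wordlist(domain, words, resolve=system_resolve):
    """Return {name: addresses} for each word that resolves, skipping names whose
    addresses are just the wildcard addresses (they carry no information).
    Caveat: a real host that is parked on the wildcard address is skipped too."""
    wildcard = wildcard_addresses(domain, resolve)
    found = {}
    for word in words:
        name = f'{word.strip()}.{domain}'
        addrs = resolve(name)
        if not addrs:
            continue
        if wildcard and addrs <= wildcard:
            continue
        found[name] = addrs
    return found


if __name__ == '__main__':
    import sys
    # usage: python3 resolve.py hackerone.com list.txt
    target, wordlist_path = sys.argv[1], sys.argv[2]
    with open(wordlist_path) as fh:
        candidates = [line.strip() for line in fh if line.strip()]
    for host, ips in sorted(resolve_wordlist(target, candidates).items()):
        print(host, ' '.join(sorted(ips)))
```

The wildcard probe is deliberately repeated three times: a single random name that happens to resolve could be a stale cache entry or a typo-squat, three identical answers is a wildcard record.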

2- Brute Force HTTP

The same as the previous one, but slower, because resolving a host takes less time than making an HTTP request.

You will also get a lot of false positives if a wildcard is enabled, so compare each response against the response for a random name.

You can do this with bash:

#!/bin/bash
#./bfc.sh hackerone.com
# prints every name that answers an HTTP request at all; curl reports 000 when
# the connection fails (unresolvable name, refused, timeout)
while read -r p; do
r="$(curl -s -o /dev/null -m 10 -w "%{http_code}" "http://$p.$1")"
if [[ $r != "000" ]]; then
echo "$p.$1"
fi
done <list.txt

Or you can use cazador subBfcer

3-Mining

This method gives fewer results, but valid ones: the names come from the target's own content.

Simply load the main parent domain or known subdomain pages and extract subdomains from those responses.

Do not exclude the headers or you will miss many subdomains, especially the Content-Security-Policy header: its source lists name the hosts the page is allowed to load from, which often include subdomains that never appear in the HTML.

This can be achieved with :

import requests, re, sys

# ./subminer.py hackerone.com
domain = sys.argv[1]
# one or more labels followed by the parent domain; re.escape keeps the dots literal
domain_reg = r'(?:[a-z0-9][a-z0-9\-]*\.)+' + re.escape(domain)
resp = requests.get('http://' + domain)
# scan the body and the response headers (CSP, Location, Set-Cookie ...)
text = resp.text + '\n' + '\n'.join(f'{k}: {v}' for k, v in resp.headers.items())
regex = re.compile(domain_reg)
print(sorted(set(regex.findall(text.lower()))))

Or you can use cazador subMiner or UrlLoader
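A fuller mining routine, added here as an example (not the post's script, not cazador's code), that works on a stored response so it can be run offline: it scans the body and every header value, keeps CSP wildcard entries such as *.example.test with the star so you can tell a wildcard origin from a real host, and anchors the pattern so that look-alike domains (evilexample.test) and decoys (www.example.test.attacker.net) are not reported. The sample body and headers below are constructed for the example and are not a real capture.

```python
import re

# Added example, not the post's script: mine subdomains from a stored
# HTTP response, scanning both the body and every header value.

LABEL = r'[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'


def subdomain_pattern(domain):
    """Regex for '<labels>.<domain>' (optionally '*.' prefixed, as in CSP),
    anchored so 'evil<domain>' and '<domain>.attacker.net' do not match."""
    esc = re.escape(domain.lower())
    return re.compile(
        r'(?<![a-z0-9-])(?:\*\.)?(?:' + LABEL + r'\.)*' + esc + r'(?!\.?[a-z0-9-])',
        re.IGNORECASE,
    )


def mine_subdomains(domain, body, headers=None):
    """Return the set of subdomains (lowercased) of `domain` found in the body
    and in the header values. The apex itself is not reported. A name returned
    with a leading '*.' came from a wildcard entry (typically CSP) and tells you
    the zone has a wildcard, not that a particular host exists."""
    pattern = subdomain_pattern(domain)
    text = body
    if headers:
        # CSP, Location, Link, Set-Cookie, Access-Control-Allow-Origin ...
        text += '\n' + '\n'.join(f'{k}: {v}' for k, v in headers.items())
    found = {m.group(0).lower() for m in pattern.finditer(text)}
    found.discard(domain.lower())
    return found


# Constructed sample response for example.test, not a real capture.
SAMPLE_HEADERS = {
    'Content-Security-Policy': "default-src 'self' https://*.example.test; "
                               "script-src https://cdn.example.test; "
                               "connect-src https://api.example.test",
    'Location': 'https://www.example.test/',
    'Set-Cookie': 'sid=abc; Domain=.auth.example.test; Secure',
}
SAMPLE_BODY = """<html><head>
<link rel="stylesheet" href="//static.example.test/app.css">
</head><body>
<a href="https://support.example.test/">Support</a>
Mail: help@example.test (apex only, not a subdomain)
<a href="https://evilexample.test/">evilexample.test is a different domain</a>
<a href="https://www.example.test.attacker.net/">decoy</a>
</body></html>"""


if __name__ == '__main__':
    for name in sorted(mine_subdomains('example.test', SAMPLE_BODY, SAMPLE_HEADERS)):
        print(name)
```

Run it as-is to see the seven names mined from the sample, or feed it a saved response (for example one exported from Burp) and the target domain. Names that came out with a leading star are wildcard hints; resolve the concrete ones and, if the zone has a wildcard, apply the random-label check from the resolving section before trusting them.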

4-Scraping

The fastest method. In a nutshell: use an online service to obtain results. Without doing any enumeration yourself, you can use many third parties, including search engines, to collect the data they have already saved.

Examples of websites which can help to get a list of subdomains:

Robtex
Ask
Threatcrowd
alienvault
DNSDumpster
Yahoo
Google
Bing
cert
self
Censys
BuiltWith
PentestTool
Baidu

cazador Subscrabber has a list of the most known services and probes them for a list of subdomains.

5- Host Header manipulation

Yes, you can probe a list of subdomains by issuing HTTP requests to the parent or a known subdomain with different Host headers. This depends on how the server responds to different Host values: a virtual host that has no public DNS record can still answer when you name it in the Host header.

You can try with Burp Repeater first:

  • Request a known subdomain
  • Request a non-existent subdomain

Compare both responses to learn how the server responds to valid host names, then filter the valid ones; this can be achieved with Burp Intruder.
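The same procedure in code, as an added example (not the post's or cazador's code): every candidate is sent as a Host header to one known endpoint, and a candidate is kept only when its response differs from the response to a random, non-existent host. The baseline is fetched twice so that a page that changes on every request (nonces, timestamps) does not make everything look "different"; in that case only the status code is compared. The same baseline comparison removes the wildcard false positives of the HTTP brute force above. The request function is injectable so the filtering can be checked offline; the hosts and hashes in the usage are made up.

```python
import hashlib
import http.client
import random
import string

# Added example, not the post's code: Host header probing against a baseline.
# `fingerprint(host)` must return (status_code, body_hash); the default sends
# the request to `server` (an IP or a known host name) over plain HTTP.


def http_fingerprint(server, host, path='/', timeout=10):
    """GET `path` from `server` with an explicit Host header; return (status, sha256(body))."""
    conn = http.client.HTTPConnection(server, timeout=timeout)
    try:
        conn.request('GET', path, headers={'Host': host})
        resp = conn.getresponse()
        return resp.status, hashlib.sha256(resp.read()).hexdigest()
    finally:
        conn.close()


def random_host(domain, length=12):
    label = ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
    return f'{label}.{domain}'


def probe_hosts(domain, words, server=None, fingerprint=None):
    """Return {host: (status, body_hash)} for every word.domain whose response
    differs from the server's response to a random, non-existent host.

    The baseline is taken twice: if two random hosts already give different
    bodies (nonces, timestamps, CSRF tokens) the body hash is useless and only
    the status code is compared."""
    if fingerprint is None:
        def fingerprint(host):
            return http_fingerprint(server, host)
    base_status, base_hash = fingerprint(random_host(domain))
    _, second_hash = fingerprint(random_host(domain))
    body_is_stable = base_hash == second_hash

    found = {}
    for word in words:
        host = f'{word.strip()}.{domain}'
        status, body_hash = fingerprint(host)
        if status != base_status or (body_is_stable and body_hash != base_hash):
            found[host] = (status, body_hash)
    return found


if __name__ == '__main__':
    import sys
    # usage: python3 hostprobe.py hackerone.com <ip-or-known-host> list.txt
    target, server, wordlist_path = sys.argv[1:4]
    with open(wordlist_path) as fh:
        candidates = [line.strip() for line in fh if line.strip()]
    for host, (status, _) in sorted(probe_hosts(target, candidates, server=server).items()):
        print(host, status)
```

Point `server` at the IP or a known name of the target's front end; the candidates never need to resolve, which is exactly why this finds hosts the DNS-based methods cannot. A hit only means the server treats that Host differently; look at the response itself before concluding a separate application lives there.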

6-SSL Certificates

To be discussed.

7-Dns Records

To be discussed.

Many wordlists are available for enumerating subdomains:

Written by Yasser Gersy (https://twitter.com/yassergersy, https://hackerone.com/exception), EGY
