Sub-Domain Enumeration

To widen the attack surface we can work with, we enumerate the target's subdomains: every additional host found is a potential entry point.


Last updated 2 years ago

Three Methods for Sub-Domain Enumeration

1. Brute Force
2. OSINT
3. Virtual Host

OSINT SSL/TLS

Certificate Transparency logs record every publicly issued certificate, so searching them for a domain reveals the subdomains that certificates were issued for. Use sites like:

1. https://crt.sh
2. https://ui.ctsearch.entrust.com/ui/ctsearchui
OSINT Search Engine

Use a search-engine query such as: site:*.examplesite.com

DNS Brute Forcing

dnsrecon -t brt -d examplesite.com

Sublist3r

If you are preparing for the OSCP, solving machines on HackTheBox, or training for CTFs, this is the command to go for.

Install and run it with these commands (the -d argument takes a bare domain name, not a URL or IP address):

sudo apt install sublist3r
sublist3r -d examplesite.com

Virtual Host

Some subdomains, such as development versions and administration portals, are not always present in publicly accessible DNS results. However, we can still find them by fuzzing the Host header: the web server picks the virtual host from that header, so a guessed name that matches a configured vhost returns a different page than the server's default.

First, run the unfiltered command below and note the response size that shows up most often; that is the server's default (catch-all) page. Then run the second command with that size filtered out.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.examplewebsite.com" -u http://[target Machine ip address]

Replace {size} with the size identified (ffuf filters on response size with -fs):

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.examplewebsite.com" -u http://[target Machine ip address] -fs {size}
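The size-filtering step described above, as an added example that is not part of the original page: it shows the logic behind taking the most common response size as the baseline and keeping only the outliers, and it handles the case where the catch-all page echoes the Host header (so the baseline size shifts with the length of each candidate and an exact -fs match would miss it). The sample results are constructed, not captured from a real target.

```python
from collections import Counter

# Constructed sample modelled on an unfiltered ffuf vhost run:
# (FUZZ candidate, HTTP status, response size in bytes). Most candidates hit
# the catch-all vhost and come back identical; two resolve to real vhosts.
SAMPLE = [
    ("www", 200, 10918), ("mail", 200, 10918), ("ftp", 200, 10918),
    ("test", 200, 10918), ("staging", 200, 10918),
    ("dev", 200, 4102),    # separate site served from the same IP
    ("admin", 401, 381),   # protected portal
]

# Constructed sample where the catch-all page echoes the Host header: the
# size grows by the length of the candidate, so raw sizes no longer agree.
REFLECTED = [
    ("www", 200, 1003), ("mail", 200, 1004), ("ftp", 200, 1003),
    ("staging", 200, 1007), ("dev", 200, 4102),
]


def size_key(candidate, size, reflected=False):
    """Size to compare on; strip the echoed hostname length if reflected."""
    return size - len(candidate) if reflected else size


def baseline_size(results, reflected=False):
    """Most common (normalised) size: the catch-all response to filter out."""
    counts = Counter(size_key(c, s, reflected) for c, _, s in results)
    return counts.most_common(1)[0][0]


def find_vhosts(results, reflected=False):
    """Equivalent of re-running ffuf with -fs <baseline>: keep the outliers."""
    base = baseline_size(results, reflected)
    return [c for c, _, s in results if size_key(c, s, reflected) != base]


def is_reflected(results):
    """Heuristic: if sizes agree better once the candidate length is removed
    than they do raw, the default page is echoing the Host header."""
    raw = Counter(s for _, _, s in results).most_common(1)[0][1]
    norm = Counter(s - len(c) for c, _, s in results).most_common(1)[0][1]
    return norm > raw


if __name__ == "__main__":
    for name, results in (("plain", SAMPLE), ("reflected", REFLECTED)):
        refl = is_reflected(results)
        print(name, "baseline:", baseline_size(results, refl),
              "vhosts:", find_vhosts(results, refl))
```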