Sub-Domain Enumeration

To widen the attack surface we have to work with, we enumerate subdomains: every additional host found under the target domain is another potential entry point.

Three Methods for Sub-Domain Enumeration

1 Brute Force

2 OSINT

3 Virtual Host

OSINT: SSL/TLS Certificates

Certificate Transparency logs record every publicly trusted certificate issued for a domain, including certificates for hosts that no longer resolve, so they are a rich source of subdomain names. Search them on sites like:

1 https://crt.sh

2 https://ui.ctsearch.entrust.com/ui/ctsearchui
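The query https://crt.sh/?q=%25.examplesite.com&output=json returns the same data as the web form as a JSON array, where each entry's name_value field can hold several names separated by newlines, wildcards, and mixed case. The script below, an added example that is not part of the original notes, turns such output into a clean, de-duplicated list of hostnames and then shows the defender's use of the same data: comparing what CT logs say about your domain against your own inventory. The JSON sample is constructed to mimic crt.sh's shape; the entries are invented.

```python
"""Extract unique subdomains from crt.sh-style JSON (added example, not part
of the original notes). The records below are constructed to mimic the shape
of https://crt.sh/?q=%25.examplesite.com&output=json."""
import json

# Constructed sample: same field layout as crt.sh, invented entries.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.examplesite.com\nexamplesite.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.examplesite.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Dev.ExampleSite.com\nstaging.examplesite.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.examplesite.com"},
    {"issuer_name": "C=US, O=Other CA",   "name_value": "examplesite.com.evil-lookalike.net"},
])


def ct_subdomains(raw_json: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `domain` found in CT entries.

    - name_value may hold several names separated by newlines
    - a wildcard entry ("*.example") is recorded as its base domain
    - names are lower-cased, since DNS is case-insensitive
    - names that merely contain the domain as a substring are rejected;
      only `domain` itself or a name ending in ".<domain>" qualifies
    """
    domain = domain.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def new_names(observed: list[str], known: set[str]) -> list[str]:
    """Defender view: names seen in CT logs that are missing from the
    owner's inventory (forgotten hosts, shadow IT, or mis-issued certs)."""
    return [n for n in observed if n not in known]


if __name__ == "__main__":
    names = ct_subdomains(SAMPLE_CT_JSON, "examplesite.com")
    print("CT names:", names)
    inventory = {"examplesite.com", "www.examplesite.com"}   # constructed
    print("not in inventory:", new_names(names, inventory))
```

The suffix check matters: a naive substring match on "examplesite.com" would also return the look-alike domain in the last record, which belongs to someone else and is out of scope.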

OSINT: Search Engines

Use the search operator site:*.examplesite.com to list indexed pages on any subdomain of the target.

DNS Brute Forcing

dnsrecon -t brt -d examplesite.com

-t brt selects the brute-force mode; add -D <wordlist> to supply your own list instead of the built-in one. If the zone has a wildcard record, every name in the wordlist will appear to resolve, so check a random, non-existent name first and discard hits that return the same address.
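To show what dnsrecon's brute-force mode does and why wildcard DNS produces false positives, here is a minimal brute forcer with wildcard detection. It is an added example, not dnsrecon's code; the resolver function is injected so that it runs offline against the constructed fake zone below (pass socket.gethostbyname for a real lookup), and the FAKE_ZONE, WORDLIST and addresses are all invented.

```python
"""DNS brute forcing with wildcard detection (added example; not the output
of dnsrecon or any tool on the page). The resolver is injected so the logic
runs offline against the constructed fake zone below."""
import random
import socket
import string

# Constructed fake zone: besides three real records it has a wildcard, so
# *any* name under the domain answers. That is the classic false-positive
# source in DNS brute forcing.
FAKE_ZONE = {
    "www.examplesite.com": "192.0.2.10",
    "mail.examplesite.com": "192.0.2.20",
    "dev.examplesite.com": "192.0.2.30",
}
WILDCARD_ADDRESS = "192.0.2.99"


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname over the constructed zone."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".examplesite.com"):
        return WILDCARD_ADDRESS          # wildcard: everything else answers too
    raise socket.gaierror("NXDOMAIN")


def wildcard_addresses(domain: str, resolve, probes: int = 3) -> set[str]:
    """Resolve a few random labels that almost certainly do not exist.
    Any address they return is a wildcard answer, not a real host."""
    addrs = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=20))
        try:
            addrs.add(resolve(f"{label}.{domain}"))
        except socket.gaierror:
            pass
    return addrs


def brute_force(domain: str, words, resolve) -> dict[str, str]:
    """Return {hostname: address} for wordlist names that resolve to an
    address other than the wildcard answer(s)."""
    noise = wildcard_addresses(domain, resolve)
    hits = {}
    for word in words:
        host = f"{word.strip().lower()}.{domain}"
        try:
            addr = resolve(host)
        except (socket.gaierror, UnicodeError):
            continue
        if addr in noise:
            continue                      # wildcard echo, not a real record
        hits[host] = addr
    return hits


WORDLIST = ["www", "mail", "dev", "staging", "admin"]   # constructed, tiny

if __name__ == "__main__":
    print("wildcard answers:", wildcard_addresses("examplesite.com", fake_resolve))
    for host, addr in brute_force("examplesite.com", WORDLIST, fake_resolve).items():
        print(host, addr)
```

Without the wildcard check, "staging" and "admin" would be reported as live hosts at 192.0.2.99 even though no such records exist; the same filtering is why dnsrecon output on a wildcard zone needs a second look.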

Sublist3r

If you are preparing for OSCP, solving machines on Hack The Box, or training for CTFs, this is the tool to reach for.

Install and run:

sudo apt install sublist3r
sublist3r -d examplesite.com

-d takes a bare domain name, not a URL or an IP address. If you cloned the GitHub repository instead of installing the package, run ./sublist3r.py -d examplesite.com from the checkout directory.

Virtual Host

Some subdomains, such as development versions and administration portals, are not always present in publicly accessible DNS results. We can still find them by fuzzing the Host header: the web server picks the virtual host from that header, so a name that is absent from DNS can be reached by sending it directly to the server's IP address.

First, run the command below and note the response size that shows up the most; that is the default (catch-all) virtual host answering every unknown name. Then run the second command with that size filtered out so only the names that get a different response remain.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.examplewebsite.com" -u http://[target Machine ip address]

Replace {size} with the size identified (ffuf's filter-by-size flag is -fs):

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.examplewebsite.com" -u http://[target Machine ip address] -fs {size}
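The following script, an added example that is not part of the original notes, carries the two-step procedure above through in code and then shows the defender's side of it. Part 1 reproduces the baseline logic the two ffuf runs perform by hand: find the most common response size and keep only the candidates that differ from it. Part 2 detects the same activity in web server access logs by counting how many distinct Host values each client sends, which does not rely on the User-Agent string because that is trivially changed. All data is constructed; the log layout assumed is the Apache/nginx "combined" format with the Host header appended as a final quoted field, which is a common custom log format rather than the default.

```python
"""Host-header (virtual host) fuzzing, both sides (added example, not part of
the original notes). All results and log lines below are constructed."""
from collections import Counter
import re

# Part 1: constructed fuzz results as (candidate hostname, HTTP status, body size).
# Most candidates hit the default vhost and receive the same-sized catch-all page.
FUZZ_RESULTS = [
    ("www.examplewebsite.com", 200, 4523),
    ("mail.examplewebsite.com", 200, 4523),
    ("dev.examplewebsite.com", 200, 1187),
    ("admin.examplewebsite.com", 401, 312),
    ("test.examplewebsite.com", 200, 4523),
    ("shop.examplewebsite.com", 200, 4523),
]


def baseline_size(results) -> int:
    """The size that shows up most often: the default vhost's response.
    This is the number the first ffuf run is used to eyeball."""
    return Counter(size for _, _, size in results).most_common(1)[0][0]


def interesting_hosts(results):
    """Equivalent of the second ffuf run with -fs <baseline>: keep only the
    candidates whose response size differs from the baseline."""
    base = baseline_size(results)
    return [(host, status, size) for host, status, size in results if size != base]


# Part 2: constructed access-log lines, combined format plus a trailing
# quoted Host field (assumed custom log format). 198.51.100.7 is cycling
# through hostnames; 203.0.113.5 is an ordinary visitor.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0" "www.examplewebsite.com"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 4523 "-" "curl/8.5.0" "aaa.examplewebsite.com"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 4523 "-" "curl/8.5.0" "abc.examplewebsite.com"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 1187 "-" "curl/8.5.0" "dev.examplewebsite.com"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 4523 "-" "curl/8.5.0" "mail.examplewebsite.com"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 401 312 "-" "curl/8.5.0" "admin.examplewebsite.com"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "www.examplewebsite.com"
"""

# Client IP is the first field; the Host value is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<host>[^"]*)"\s*$')


def host_fuzzing_sources(log_text: str, threshold: int = 4) -> dict[str, int]:
    """Client IPs that requested at least `threshold` distinct Host values.
    A browser uses one or two hostnames; a vhost fuzzer cycles through a
    wordlist, so Host cardinality per client is the signal."""
    hosts_by_ip: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hosts_by_ip.setdefault(m["ip"], set()).add(m["host"])
    return {ip: len(h) for ip, h in hosts_by_ip.items() if len(h) >= threshold}


if __name__ == "__main__":
    print("baseline size:", baseline_size(FUZZ_RESULTS))
    print("candidates:", interesting_hosts(FUZZ_RESULTS))
    print("hosts cycling Host values:", host_fuzzing_sources(ACCESS_LOG))
```

On the server side, the simplest mitigation is to give the default virtual host nothing worth finding (a bare 404 or a redirect), so that a filtered fuzz run only surfaces names that are meant to be public.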
