Subdomain Enumeration

0liverFlow
7 min read · Mar 1, 2023


Subdomain enumeration is a technique that consists of finding out the subdomains related to a domain name.

In the context of a security assessment, this helps a security professional expand the attack surface, i.e. find more potential points of entry into the target system.

This is because subdomains often have their own separate servers, applications, and security configurations, which can be exploited by attackers to gain unauthorized access to sensitive data or systems.

We can enumerate (find) subdomains using various techniques.

In this article, we are going to cover the following techniques:

  • OSINT (Open Source INTelligence)
  • Brute Force
  • Virtual Host

Note: In addition to explaining the different techniques that we can use to find subdomains, we are going to look at some practical examples based on the TryHackMe Subdomain Enumeration room.

No worries if you do not use TryHackMe: the examples used in this article are very intuitive, and you can try your own examples once you grasp the concepts.

OSINT (Certificate Transparency monitoring)

SSL/TLS certificates can sometimes be used to identify subdomains associated with a domain name. This is because some SSL/TLS certificates are issued for a specific subdomain or set of subdomains, rather than for the primary domain name.

To find the subdomains associated with a domain name, we will use what is called Certificate Transparency (CT) monitoring.

In fact, every time a Certificate Authority (CA) issues an SSL/TLS certificate for a domain, the certificate gets recorded in publicly accessible Certificate Transparency (CT) logs.

The purpose of Certificate Transparency logs is to stop malicious and accidentally made certificates from being used.

Thus, by reviewing these logs, it’s possible to identify SSL/TLS certificates that have been issued for a particular domain name, including any subdomains that may be associated with the domain.

To find these logs, we can use one of the following websites: crt.sh or Entrust Certificate Search.
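crt.sh can also return its results as JSON (query `https://crt.sh/?q=%25.<domain>&output=json`), which is handy when you want to review the logs regularly rather than by hand. The script below is an added example, not code from the article or from crt.sh: it parses a constructed sample in the shape of that JSON, collects every in-scope hostname from the certificates' SAN lists (`name_value`), keeps wildcard entries apart since they are not hosts you can resolve, and answers the "what was logged on a given date" question from the challenge.

```python
import json

# Constructed sample shaped like crt.sh's JSON output; the certificate ids,
# dates and names are made up for this example.
SAMPLE_CRT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "store.example.com", "name_value": "store.example.com",
     "not_before": "2020-12-26T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\n*.example.com",
     "not_before": "2021-03-01T08:30:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "blog.example.com",
     "name_value": "blog.example.com\nwww.blog.example.com\nBLOG.example.com",
     "not_before": "2021-05-14T12:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.org", "name_value": "example.org",
     "not_before": "2021-06-01T00:00:00"},  # other domain: must be ignored
])

def parse_crt_records(raw_json, domain):
    """Return ({hostname: earliest issuance date}, {wildcard names}).
    name_value holds one or more SAN entries separated by newlines."""
    domain = domain.lower()
    suffix = "." + domain
    hosts, wildcards = {}, set()
    for rec in json.loads(raw_json):
        issued = rec["not_before"][:10]          # keep only YYYY-MM-DD
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()          # CT names are case-insensitive
            if name != domain and not name.endswith(suffix):
                continue                         # out of scope
            if name.startswith("*."):
                wildcards.add(name)              # e.g. *.example.com
                continue
            if name not in hosts or issued < hosts[name]:
                hosts[name] = issued             # earliest date wins
    return hosts, wildcards

def subdomains_logged_on(hosts, date):
    """Hostnames whose first certificate was logged on the given date."""
    return sorted(h for h, d in hosts.items() if d == date)

if __name__ == "__main__":
    hosts, wildcards = parse_crt_records(SAMPLE_CRT_JSON, "example.com")
    for host in sorted(hosts):
        print(hosts[host], host)
    print("wildcards:", sorted(wildcards))
    print("logged on 2020-12-26:", subdomains_logged_on(hosts, "2020-12-26"))
```

Run against real crt.sh output, the same parser doubles as a cheap monitor for your own domain: any hostname that appears in the logs but not in your inventory deserves a look.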

Challenge

1°) Go to crt.sh and search for the domain name tryhackme.com, find the entry that was logged at 2020–12–26 and enter the domain below to answer the question.

What domain was logged on crt.sh at 2020–12–26?

Subdomain enumeration — TryHackMe

Answer: store.tryhackme.com

OSINT (Search Engine Hacking)

Search Engine Hacking is a technique that consists of using a search engine's advanced operators in order to refine our results. This can sometimes lead to juicy information that has been accidentally indexed by web crawlers.

In our case, we are going to use these advanced operators to enumerate subdomains from a given domain name.

Challenge

1°) Go to Google and use the search term -site:www.tryhackme.com site:*.tryhackme.com, which should reveal a subdomain for tryhackme.com; use that subdomain to answer the question below.

Search Engine Hacking — TryHackMe Subdomain enumeration

Answer: blog.tryhackme.com

DNS BruteForce

Bruteforce DNS (Domain Name System) enumeration is a technique that consists of trying multiple different subdomains from a pre-defined list of commonly used subdomains.

To perform such an enumeration, we need to use an automation tool.

In our case, we are going to use a tool called dnsrecon, which is a DNS enumeration and scanning tool.

There are other tools that you can use as well, such as theHarvester for instance.

The figure below shows the help menu of dnsrecon:

dnsrecon usage

Note: If you do not have dnsrecon installed on your system, you can install it using the command: sudo apt install dnsrecon

Challenge

Note: This challenge may not work if you are not using TryHackMe’s attack box machine because the acmeitsupport.thm domain has access restrictions. To overcome this issue, you can try the challenge using a domain for which you have been granted permission.

1°) Let’s use dnsrecon in order to brute force the following domain: acmeitsupport.thm

For that, we will enter the following command:

dnsrecon -t brt -D /usr/share/dnsrecon/namelist.txt -d acmeitsupport.thm

dnsrecon challenge — TryHackMe

Answer: api.acmeitsupport.thm

-t : used to specify the type of enumeration you want to perform. This can be one of:

  • std: A, AAAA, SOA, NS, MX, SRV
  • rvl: Reverse lookup of a given CIDR or IP range
  • brt: Brute force domains and hosts using a given dictionary
  • axfr: Test all NS servers for a zone transfer
  • tld: Remove the TLD of a given domain and test all TLDs registered in IANA
  • crt: Perform a crt.sh search for subdomains and hosts

-d : used to specify the target domain

-D : used to specify the dictionary file of subdomains and hostnames to use for the brute force.

OSINT (Sublist3r)

Sublist3r is a popular open-source tool used for subdomain enumeration.

It works by querying various search engines and DNS databases to identify subdomains associated with a particular domain name. The tool supports a wide range of search engines and DNS providers, including Google, Bing, Yahoo, and VirusTotal, among others.

Note: If Sublist3r is not installed on your system, you can install it from its official GitHub repository.

The figure below is the help menu of sublist3r:

Sublist3r help menu

Challenge

1°) We will try to find the subdomains related to our previous domain name (acmeitsupport.thm), this time using Sublist3r.

For those of you who do not use TryHackMe, you can replace acmeitsupport.thm with example.com in order to understand how Sublist3r works.

To do that, we will simply execute the following command:

./sublist3r.py -d acmeitsupport.thm

Sublist3r challenge — TryHackMe

Answer: web55.acmeitsupport.thm

Virtual Hosts

In the context of web hosting, a virtual host is a method of hosting multiple websites or domains on a single web server by using a single IP address.

When a client requests a website, the server works out which site the client wants from the Host header. Therefore, we can make use of this header by changing its value and monitoring the response to see whether we have discovered a new subdomain.

Like with DNS Bruteforce, we can automate this process by using a wordlist of commonly used subdomains that we then pass to an automation tool.

In our case, we will use a tool called FFUF.

FFUF (Fuzz Faster U Fool) is an open-source web application fuzzing tool that is designed to be fast and easy to use. It is a tool written in Go and it allows us to perform typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

Fuzzing is a technique used in software testing to identify vulnerabilities or unexpected behavior in an application by sending malformed or unexpected input to the application and observing how it responds. In the context of web application security, fuzzing is typically used to test for vulnerabilities in input validation, such as SQL injection or cross-site scripting (XSS).

ffuf help menu

Challenge

1°) What is the first subdomain discovered?

To do that, we will use the following command:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.69.69

ffuf output

Let’s break down the command above:

-w : used to specify the wordlist file path

-H : used to specify an HTTP header in the form “Name: value”. It is possible to specify multiple headers by repeating the -H option.

The FUZZ keyword in the Host header’s value is where a subdomain would normally go, and this is where we will try all the options from the specified wordlist.

-u : used to specify the target URL.

Nevertheless, there is an issue when using the previous command.

In fact, the command produces a "hit" for every word in the list: the server answers any unknown Host value with its default site, so every request comes back with the same status code and the same size. Thus we need to filter the output.

We can do this by filtering on the response size with the -fs flag or option.

Specifically, we will use the page size value that occurred the most in our previous virtual host discovery.

As you can see, the page size value that occurred the most is: 2395.

Using that, we can edit our previous command as follows:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.69.69 -fs 2395

-fs : used to filter out the HTTP responses whose size (in bytes) matches the given value.

After executing the command above, we normally obtain the following output:

ffuf http response size filter — TryhackMe

Answer: delta

2°) What is the second subdomain discovered?

Answer: yellow
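The filtering step above is worth seeing as logic rather than as a flag. The script below is an added example (not part of the article, and not ffuf's own code): it parses constructed result lines shaped like ffuf's output, finds the most frequent response size (the default virtual host answering every unknown Host value, 2395 in the article), and keeps only the results that differ, which is what -fs 2395 does.

```python
import re
from collections import Counter

# Constructed sample shaped like ffuf's per-result lines; sizes and names are
# made up for this example and are not the article's real scan output.
SAMPLE_FFUF_OUTPUT = """\
www                     [Status: 200, Size: 2395, Words: 514, Lines: 99]
mail                    [Status: 200, Size: 2395, Words: 514, Lines: 99]
delta                   [Status: 200, Size: 3104, Words: 610, Lines: 120]
ftp                     [Status: 200, Size: 2395, Words: 514, Lines: 99]
yellow                  [Status: 302, Size: 0, Words: 1, Lines: 1]
admin                   [Status: 200, Size: 2395, Words: 514, Lines: 99]
"""

# word, then "[Status: <code>, Size: <bytes>, ..." as ffuf prints it
RESULT_RE = re.compile(r"^(\S+)\s+\[Status: (\d+), Size: (\d+),")

def parse_results(text):
    """Return a list of (word, status, size) tuples from ffuf-style lines."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return results

def baseline_size(results):
    """Size seen most often: the default vhost's page returned for every
    Host value the server does not know. This is the value to pass to -fs."""
    sizes = Counter(size for _, _, size in results)
    return sizes.most_common(1)[0][0]

def candidate_vhosts(results, filtered_size=None):
    """Mimic `-fs <size>`: drop every result whose size equals the baseline.
    Anything left responded differently, so it is a candidate virtual host."""
    if filtered_size is None:
        filtered_size = baseline_size(results)
    return [(w, st, sz) for w, st, sz in results if sz != filtered_size]

if __name__ == "__main__":
    res = parse_results(SAMPLE_FFUF_OUTPUT)
    print("baseline size (use with -fs):", baseline_size(res))
    for word, status, size in candidate_vhosts(res):
        print(f"{word:10} status={status} size={size}")
```

If the default page embeds something that changes per request (a timestamp, a CSRF token), the size will not be stable; in that case filter on word or line count (-fw / -fl) or on the status code (-fc) instead of the size.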

Let’s recap!

In this article, we have covered various techniques that can be used in order to discover the different subdomains related to a domain name.

Among the techniques that we mentioned, we can list:

  • OSINT: Certificate Transparency logs, Search Engine Hacking, Sublist3r
  • DNS BruteForce: dnsrecon
  • Virtual Host: FFUF

Well done guys 👏.

Hope you learnt something.

If you enjoyed it, please let me know by clicking on the little clap icon below.

Furthermore, thanks for subscribing to my newsletter to keep up with my latest articles.
