Subdomain Enumeration

Subdomain enumeration methods: Brute Force, OSINT (Open-Source Intelligence) and Virtual Hosts.

1] OSINT - SSL/TLS Certificates

  • An SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority).

  • CAs take part in what are called "Certificate Transparency (CT) logs".

  • These are publicly accessible logs of every SSL/TLS certificate created for a domain name. The purpose of Certificate Transparency logs is to stop malicious and accidentally issued certificates from being used. We can use this service to our advantage to discover subdomains belonging to a domain: sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.
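The crt.sh lookup described above, as an added example (not code from the original page): a small Python helper that pulls the unique in-scope hostnames out of crt.sh's JSON search results, keeping wildcard certificates aside since they name no specific host. The query URL and the JSON field layout (name_value holding newline-separated SANs) are assumptions about crt.sh; the sample data embedded below is constructed.

```python
import json
import urllib.request

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json.
# Values are made up; the field layout is an assumption about that API.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "dev.example.com", "name_value": "DEV.example.com\nstaging.example.com"},
    # CT logs keep history, so an expired cert for a host that may no longer resolve still shows up.
    {"id": 4, "common_name": "old.example.com", "name_value": "old.example.com"},
    # A lookalike in another zone must not be treated as a subdomain of example.com.
    {"id": 5, "common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])


def fetch_ct_json(domain: str, timeout: int = 30) -> str:
    """Fetch raw CT search results from crt.sh for %.<domain> (assumed endpoint)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def subdomains_from_ct(raw_json: str, domain: str) -> tuple[list[str], list[str]]:
    """Return (hosts, wildcards): unique lowercase names ending in the target
    domain. A wildcard entry like *.example.com is reported separately because
    it proves nothing about which subdomains actually exist."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            # Scope check: exact apex or a label ending in ".<domain>".
            in_scope = name == domain or name.endswith("." + domain)
            if name.startswith("*."):
                in_scope = name[2:] == domain or name[2:].endswith("." + domain)
                if in_scope:
                    wildcards.add(name)
            elif in_scope:
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    found, wild = subdomains_from_ct(SAMPLE_CT_JSON, "example.com")
    print("hosts:", found)
    print("wildcards:", wild)
```

Hosts that appear only in expired certificates may no longer resolve, so resolve each name before treating it as live.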

2] OSINT - Search Engines :

 Google search for "-site:www.domain.com site:*.domain.com" (lists indexed subdomains while excluding the main www site).

3] DNS Bruteforce :

4] OSINT - Sublist3r :

5] Virtual Hosts :

The above command uses the -w switch to specify the wordlist we are going to use. The -H switch adds/edits a header (in this instance, the Host header); the FUZZ keyword sits where a subdomain would normally go, and this is where every option from the wordlist will be tried.

Because the above command will always produce a valid result (the server answers every Host value, usually with the same default page), we need to filter the output. We can do this by filtering on the response size with the -fs switch. Edit the below command, replacing {size} with the most frequently occurring size value from the previous result, and try it on the AttackBox.
