Subdomain Enumeration

Subdomain enumeration is an information-gathering technique. It can be used to identify all of a company's sites that are exposed to the internet. In large organizations, it is very common to have forgotten websites that have vulnerabilities or hold sensitive data, so subdomain enumeration is also important for bug bounty work.

The first technique is searching passive DNS information. There are many ways to search for DNS information; note, however, that the DNS information of closed servers may remain in the cache.

DNSdumpster.com: gives archive information about the domain, along with additional information such as geolocation, nmap port scan results, a visualization of the domain mapping, and HTTP responses to check whether the site is alive.

crt.sh: another interesting tool, which searches for SSL certificates used by a domain and its subdomains.

VirusTotal: when you search for a domain in VirusTotal, it gives you all subdomains and additional information about the domain.
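An added example (not from the original post) for the crt.sh entry: it takes certificate-log results in the JSON shape crt.sh returns, assumed here to carry `name_value` and `not_after` fields, and builds a hostname inventory for a domain you own. Like cached DNS records, certificate logs keep the names of hosts that are long gone, so the code separates out names whose certificates have all expired; `example.com` and the sample records are constructed.

```python
import json
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output; every value is made up.
SAMPLE_CRTSH_JSON = r"""
[
 {"name_value": "www.example.com\nexample.com", "not_after": "2031-01-01T00:00:00"},
 {"name_value": "*.dev.example.com\nDEV.example.com", "not_after": "2030-06-01T00:00:00"},
 {"name_value": "old-portal.example.com", "not_after": "2015-03-01T00:00:00"},
 {"name_value": "example.com.evil.test\nadmin@example.com", "not_after": "2030-01-01T00:00:00"}
]
"""


def hostnames_from_ct(records, domain):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    domain = domain.lower().rstrip(".")
    latest = {}
    for rec in records:
        expiry = datetime.fromisoformat(rec["not_after"])
        # name_value can hold several names separated by newlines
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # record a wildcard under its parent name
            if not name or "@" in name:
                continue  # skip blanks and e-mail address entries
            # suffix match on a label boundary, so example.com.evil.test is out
            if name != domain and not name.endswith("." + domain):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def split_current_and_expired(latest, now):
    """Separate names with a still-valid certificate from names with none."""
    current = sorted(h for h, exp in latest.items() if exp >= now)
    expired = sorted(h for h, exp in latest.items() if exp < now)
    return current, expired


if __name__ == "__main__":
    found = hostnames_from_ct(json.loads(SAMPLE_CRTSH_JSON), "example.com")
    current, expired = split_current_and_expired(found, datetime.now())
    print("current:", current)
    print("expired only (check whether the host still exists):", expired)
```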

The other technique is automated enumeration.

amass: has many options for showing subdomains and things associated with them.

Sublist3r: lists the subdomains of a domain and also has a brute-force module, called subbrute, which can be used with domain wordlists.

#sublist3r -v -d facebook.com
