Tag Archives: Brute Force

Subdomain Enumeration

Subdomain enumeration is an information gathering technique. It can be used to identify all of a company's sites exposed to the internet. In large organizations it is very common to find forgotten websites that have vulnerabilities or hold sensitive data, so subdomain enumeration is also important for bug bounty.

The first technique is searching for passive DNS information. There are a lot of ways to search for DNS information; however, it should be noted that DNS records for servers that have since been shut down may remain in caches.

DNSdumpster.com: gives archived information about the domain along with additional details such as geolocation, an nmap port scan, a visualization of the domain mapping, and HTTP responses that show whether a site is still alive.

crt.sh: is another interesting tool, searching the SSL certificates issued for a domain and its subdomains.

VirusTotal: when you search for a domain in VirusTotal, it lists all known subdomains and additional information about the domain.

The other technique is automated enumeration with tools.

amass: has a lot of options for showing subdomains and the things associated with them.

Sublist3r: lists the subdomains of a domain and also has a brute-force module called subbrute, which can be fed a domain wordlist.

#sublist3r -v -d facebook.com

Creating Wordlist for Brute Force Attack

Brute force is an old attack technique, but it can still be gold. For a brute force attack we need a wordlist (password list) of possible passwords that our tool will try; the tool then tries thousands of these passwords per second. This is also referred to as a dictionary attack. The stronger your list is, the more successful you will be at cracking passwords.

For different targets, we may need different wordlists. Sometimes we have indicators about the target's password from what we know about the target, like children's names, a pet's name, a birthday, etc. We may also know the password policy of the application, for example a policy requiring a minimum of 12 characters. In such cases we need different wordlists for different targets, and having the right wordlist saves time. Considering how long a brute force attack takes, it can save us hours or days.

"Crunch" is a tool that lets us create custom wordlists exactly the way we want. Both Kali and Parrot include crunch, and creating wordlists with it is very easy. Let's take a look.

I will use Parrot for crunch; it is found in the Pentesting > Password Attacks > Password Profiling & Wordlists menu in Parrot.

Usage:

Crunch does not provide much information about its usage at startup. The screenshot below shows the opening screen of crunch.

The basic syntax is:
# crunch <min> <max> <char set> -o <output file>
min = Minimum password length
max = Maximum password length
char set = The character set used to generate the passwords
-o = The wordlist file crunch creates

When we ask crunch to generate a wordlist of 8 characters, it first estimates how large the file will be:

By default, this command generates passwords from lowercase letters only. If we want 8-character passwords that mix lowercase letters and digits, we can type the command below:

We can define the character set however we want. Of course, creating the file takes a long time and the file becomes very large. So it is better to gather some indicators about the password first and create a wordlist tailored to them.
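As an added example (not part of the original post or of crunch itself), the Python below reproduces the arithmetic behind crunch's size estimate: the line count is the sum of |charset|^L over the requested lengths, and the -o file adds one newline byte per line. It also turns a policy such as the 12-character minimum mentioned above into a worst-case exhaustion time at the "thousands of guesses per second" the post describes, which is the check a defender runs when reviewing a password policy. The charsets and the 1,000 guesses per second rate are constructed assumptions.

```python
"""Keyspace and file-size arithmetic behind crunch's estimates (added example)."""
import string

# Constructed charsets for the examples; crunch's own named sets live in charset.txt.
LOWER = string.ascii_lowercase                       # what crunch uses by default
LOWER_DIGITS = string.ascii_lowercase + string.digits
MIXED_ALL = string.ascii_letters + string.digits + string.punctuation


def candidates(min_len: int, max_len: int, charset: str) -> int:
    """Lines that `crunch <min> <max> <charset>` writes: sum of |C|^L over lengths."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min <= max")
    n = len(set(charset))  # only distinct symbols enlarge the keyspace
    return sum(n ** length for length in range(min_len, max_len + 1))


def wordlist_bytes(min_len: int, max_len: int, charset: str) -> int:
    """Size of the -o file: every candidate plus its newline byte."""
    n = len(set(charset))
    return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))


def size_units(nbytes: int) -> dict:
    """Truncated 1024-based MB/GB/TB figures, the way crunch prints them."""
    return {"MB": nbytes >> 20, "GB": nbytes >> 30, "TB": nbytes >> 40}


def exhaust_seconds(total: int, guesses_per_second: int = 1000) -> float:
    """Worst-case time to try every candidate at a given guess rate (assumed rate)."""
    return total / guesses_per_second


def policy_report(min_len: int, max_len: int, charset: str, rate: int = 1000) -> dict:
    """Summarise what a wordlist for this length range and charset would cost."""
    total = candidates(min_len, max_len, charset)
    return {
        "lines": total,
        "bytes": wordlist_bytes(min_len, max_len, charset),
        "years_at_rate": exhaust_seconds(total, rate) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # The two cases from the post (8 lowercase; 8 lowercase+digits) and a 12-char policy.
    for label, lo, hi, cs in (("crunch 8 8", 8, 8, LOWER),
                              ("crunch 8 8 a-z0-9", 8, 8, LOWER_DIGITS),
                              ("12-char mixed policy", 12, 12, MIXED_ALL)):
        r = policy_report(lo, hi, cs)
        print(f"{label}: {r['lines']} lines, {size_units(r['bytes'])}, "
              f"~{r['years_at_rate']:.1f} years at 1000 guesses/s")
```

The 8-character lowercase case reproduces the figure crunch itself reports (1879443581184 bytes, about 1 TB), so the same arithmetic can be applied to any policy before a list is ever generated.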

It is also possible to use the charsets defined in the file /usr/share/rainbowcrack/charset.txt. We can view the same file with the command below:

The charsets defined in charset.txt are: