Subdomain Enumeration🔥🔥: Vertical Recon
Hey guys🤍.. I hope all is good and going well..✨✨!!
In this blog we perform vertical recon: enumerating the subdomains of our target🔥.
In the previous blog we performed HORIZONTAL RECON to expand our target's assets. If you haven't read that blog yet, I recommend reading it first. Here's the link for it..,
Okay, let's start the VERTICAL RECON: SUBDOMAIN ENUMERATION..
What Is a Subdomain?
A subdomain is part of a domain: a name with one or more extra labels prefixed to a root domain. Subdomains are themselves domains, but they depend on, and are defined under, the root domain.
The domain → https://medium.com → medium.com is the root domain.
The subdomain → https://hacktivistttacker.medium.com → hacktivistttacker is a subdomain of medium.com.
The good thing about subdomains is that whoever controls a root domain can create as many subdomains under it as they like. Nobody else can, because subdomains are created inside the root domain's own DNS zone.
For example, Google can create subdomains such as login.google.com, user.google.com and many more because it holds the root domain google.com. Nobody else can create subdomains of google.com, because they don't hold that root domain (google.com is already registered to Google LLC).
Purposes of Subdomains:
Subdomains serve many purposes; in short: structure, separation of functions, separation of content, and analytics.
Most big companies have a large structure and lots of functions, and it's hard to manage all of them on one hostname, so they create subdomains for specific functions. For example, login.google.com would serve the login function of google.com; likewise help.google.com, contact.google.com, etc.
Business products (e.g. YouTube's YouTube Studio) also use subdomains for analysing users and managing a company's products separately from its main site.
What Is Subdomain Gathering/Enumeration?
Subdomain gathering/enumeration means collecting as many of the target's subdomains as possible.
In web penetration testing we don't test only the target's root domain; we also need to test its subdomains. For example, a company may set its scope as *.google.com, meaning we're allowed to test every subdomain of google.com. It may explicitly name a few subdomains such as login.google.com or user.google.com, but it won't publicly list all of them (manager.google.com, admin.google.com, ...), partly for privacy. It simply sets the scope as *.google.com, which means every subdomain of google.com is in scope!!!
For this reason we need to enumerate all the subdomains of our target's domain and conduct penetration testing on them⚡⚡. Always check the program's exclusions too: a wildcard scope usually comes with a list of hosts that are explicitly out of scope.
Subdomain Enumeration Techniques:
In this section we cover how to gather the subdomains of our target.
At the time of writing I have 9 ways of subdomain gathering. If you know other ways not in the list, please comment the technique, to help the blog (and me) become better!!
The subdomain gathering techniques/ways are…,
— — — — — — — — — — — — — — — — — — — — — — —
- Certificate Transparency Logs:
- Forward DNS:
- Github Dork:
- Google Dork:
- JS Subdomains Hunting:
- Subdomain Scraping:
- DNS Brute Forcing:
- Sub-Of-Subdomains Enumeration:
- Subdomain Permutations/Alterations:
— — — — — — — — — — — — — — — — — — — — — — —
1. Certificate Transparency Logs:
Some prerequisites you may already know… (skip if you do.)
SSL/TLS (Secure Sockets Layer/Transport Layer Security):
TLS (and its deprecated predecessor SSL) is the protocol that encrypts and authenticates a connection; HTTPS (HyperText Transfer Protocol Secure) is HTTP carried over TLS. The server proves its identity with an X.509 certificate that binds one or more hostnames to a public key, and every HTTPS site needs such a certificate to keep the communication safe from attackers on the path.
CA (Certificate Authorities) and CT (Certificate Transparency):
These TLS certificates are issued by CAs (Certificate Authorities). A CA takes responsibility for checking that the requester controls each hostname before issuing a certificate for it. One certificate can cover several names at once: its Subject Alternative Name (SAN) list can contain many subdomains, or a wildcard such as *.example.com. A wildcard entry tells you nothing about the individual hosts behind it, so CT logs are most useful where an organisation issues per-host certificates.
Certificate Transparency (CT) is a mechanism that requires CAs to submit every certificate they issue to public, append-only logs. For each certificate the logs record details such as the names it covers, the issuer, the validity period and the algorithms used.
By querying the CT logs for our target's domain we can enumerate subdomains. It works like reverse information gathering: we start from something we know about the target's certificates (the domain name, or a certificate's SHA fingerprint) and work backwards to every name those certificates were issued for.
TOOLS:
https://crt.sh → Website for querying the CT logs.
crt.sh is a site that queries the CT logs and returns the results to us. It has a web interface in which the subdomains are mixed with other information (logged date, issuer name, etc.). It also accepts ?q=%25.example.com&output=json for machine-readable results.
crtsh.py → Python tool that queries https://crt.sh and prints only the subdomains on the command line..!!!
Install, Setup And Usage
#Cloning the tool to your computer (download) and navigating into the cloned directory
git clone https://github.com/YashGoti/crtsh.py.git && cd crtsh.py
#Installing the needed requirements (Python 3)
pip3 install -r requirements.txt
#Copy the tool to /usr/local/bin so it can be run from anywhere (/usr/local/bin rather than /usr/bin, which belongs to the package manager)
mv crtsh.py crtsh && sudo cp crtsh /usr/local/bin/ && sudo chmod +x /usr/local/bin/crtsh
#Usage
crtsh -d example.com -r | tee crtsh_out.txt
https://search.censys.io/ → Website for searching Internet-connected hosts and services.
Censys is another, more advanced search engine for Internet-connected devices; it also indexes the certificates it sees. This tool is web based too.
censys-subdomain-finder → Tool that enumerates subdomains through the Censys API (it outputs only the subdomains).
Requirements:
1. The tool requires a Censys API ID and secret; register at https://search.censys.io/register.
2. After registering, go to https://search.censys.io/account to get your Censys API ID and secret.
3. Set the credentials as environment variables:
export CENSYS_API_ID=<your Censys API ID>
export CENSYS_API_SECRET=<your Censys API secret>
OR
rename the file ".env.template" to ".env" inside the cloned repository and put the credentials there.
Install, Setup And Usage:
#Cloning the tool to your computer (download) and navigating into the cloned directory
git clone https://github.com/christophetd/censys-subdomain-finder.git && cd censys-subdomain-finder
#Installing the needed requirements (Python 3)
pip3 install -r requirements.txt
#Usage
python3 censys-subdomain-finder.py example.com -o censys_out.txt
2. Forward And Reverse DNS:
Like the CT logs, Rapid7's Project Sonar collected various kinds of Internet data (including forward and reverse DNS records) and published them as datasets. The FDNS dataset holds historical DNS records for an enormous number of names, so we can download it and filter out our target's subdomains.
The datasets are available in..,
NOTE: You need to create an account to download the datasets. Grepping them for the target's subdomains takes a long time, and the files need a lot of storage space. Check Rapid7's current access terms before relying on them.
Tools:
1. Grep subdomains from the file:
#Grepping your target's subdomains from the Rapid7 FDNS dataset (JSON lines with "name", "type" and "value" fields).
#The leading \. and the trailing ", anchor the match to the whole "name" field, so names such as notexample.com are not matched.
zgrep '\.example\.com",' dataset_name.json.gz
#replace example.com with your target and dataset_name.json.gz with the downloaded dataset
Alternatively you can use an online tool that returns the records for a queried domain, IP or CIDR..
2. RapidDNS subdomain search (online; a separate service, not run by Rapid7):
#Tool URL
https://rapiddns.io/subdomain
#Enter your target domain name, IP or CIDR...
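Both crt.sh (the JSON output mentioned in the CT section above) and the Sonar FDNS dataset give you names mixed with other fields, and both need the same clean-up before the names are useful: lowercase, strip wildcard and trailing-dot forms, and keep only names that really sit under the target, so that login.notexample.com or api.example.com.evil.test don't slip in. The Python below is an added example, not code from this blog or from any of the tools named here, that does that for both formats. The crt.sh and FDNS records in it are constructed samples, not real query results.

```python
import gzip
import json
import re

# One DNS label: letters, digits, hyphens; underscores are allowed because
# names such as _dmarc.example.com do show up in CT logs and DNS datasets.
LABEL_RE = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")


def normalize(name, root):
    """Lowercase, strip '*.' and trailing dot, keep only names under root.

    Returns None for the root itself, for out-of-scope names such as
    login.notexample.com, and for anything that is not a valid hostname.
    """
    name = name.strip().lower().rstrip(".")
    root = root.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if name == root or not name.endswith("." + root):
        return None
    prefix = name[: -(len(root) + 1)]
    if not all(LABEL_RE.match(label) for label in prefix.split(".")):
        return None
    return name


def parse_crtsh_json(text, root):
    """Subdomains from a crt.sh ?q=%25.root&output=json response body."""
    found = set()
    for entry in json.loads(text):
        # name_value holds the SAN list, one name per line
        for raw in entry.get("name_value", "").split("\n"):
            name = normalize(raw, root)
            if name:
                found.add(name)
        cn = normalize(entry.get("common_name", ""), root)
        if cn:
            found.add(cn)
    return sorted(found)


def parse_fdns(lines, root):
    """Subdomains from Sonar-style FDNS JSON lines ({"name":..,"type":..,"value":..})."""
    found = set()
    for line in lines:
        if not line.strip():
            continue
        name = normalize(json.loads(line).get("name", ""), root)
        if name:
            found.add(name)
    return sorted(found)


def parse_fdns_gz(path, root):
    """Stream a downloaded *.json.gz dataset without unpacking it to disk."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return parse_fdns(fh, root)


# Constructed sample data, not real crt.sh or Sonar output.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "API.Example.com", "name_value": "API.Example.com"},
    {"common_name": "notexample.com", "name_value": "login.notexample.com"},
])

FDNS_SAMPLE = """{"timestamp":"1700000000","name":"dev.example.com","type":"a","value":"192.0.2.10"}
{"timestamp":"1700000000","name":"dev.example.com","type":"a","value":"192.0.2.11"}
{"timestamp":"1700000000","name":"example.com","type":"a","value":"192.0.2.1"}
{"timestamp":"1700000000","name":"vpn.example.com.","type":"aaaa","value":"2001:db8::1"}
{"timestamp":"1700000000","name":"cdn.example.com.evil.test","type":"cname","value":"x.test"}
"""

if __name__ == "__main__":
    print("crt.sh:", parse_crtsh_json(CRTSH_SAMPLE, "example.com"))
    print("fdns:  ", parse_fdns(FDNS_SAMPLE.splitlines(), "example.com"))
```

For live use, fetch https://crt.sh/?q=%25.example.com&output=json and pass the response body to parse_crtsh_json, or point parse_fdns_gz at the downloaded dataset. A plain grep misses mixed-case names and SAN lists that carry several names in one record, which is why a small parser like this is worth keeping around.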
3. Google Dork:
Google is a search engine that indexes an uncountable amount of data on the Internet. Google dorking is the technique of using search operators to pull out exactly the data we want and ignore everything else.
To learn more about Google dorking, you can refer to this blog..,
Google dorking is used to find and filter data as we want. In this section we'll see how to use Google dorks for gathering the subdomains of our target.
Google dorks for subdomain enumeration:
site:*.example.com → returns indexed pages on subdomains of "example.com" (and often the root domain as well).
site:*.example.com -site:www.example.com → returns the subdomains of "example.com" while excluding www.example.com, which otherwise fills the results page after page. (The shorter form -www excludes any page that merely mentions "www", so prefer -site:.) Repeat with an extra -site: for each subdomain you have already found to surface the rarer ones.
Google shows the subdomains it has indexed in its web GUI, so we would have to grep our target's subdomains out of the results by hand. Don't worry, this problem is solved when the tools come into play..
Tools:
sd-goo → Tool that runs the Google dorks and returns the subdomains on the command line.
Install, Setup And Usage:
#Cloning the tool to your computer (download) and navigating into the cloned directory
git clone https://github.com/darklotuskdb/sd-goo.git && cd sd-goo
#Copy the tool to /usr/local/bin so it can be run from anywhere
#and give the script execute permission
mv sd-goo.sh sd-goo && sudo cp sd-goo /usr/local/bin/ && sudo chmod +x /usr/local/bin/sd-goo
#Usage
#Run the Google dorks, remove duplicates and save the output to a file.
sd-goo example.com | sort -u | tee sd_goo_output.txt
NOTE: Sending many Google dorks in a row can get your IP address rate-limited or blocked by Google, and you'll then have to solve a CAPTCHA to prove you're human. Google dorking is passive (no traffic reaches the target), but be reasonable with the request rate.
When using the tool, connect through a VPN if you get blocked🚧; once the VPN is connected you can continue your dorks without problems...
4. GitHub Dork:
GitHub is a platform where developers store their source code. Company developers push application code, configuration, deployment manifests and CI files to GitHub, sometimes in public repositories and sometimes in private ones that later get forked or leaked.
No matter what developers do, we won't leave any place untested! Source code on GitHub can contain subdomain names or URLs pointing at subdomains (API base URLs, CORS allow-lists, staging hosts, .env samples). Like the Google dork, we run a GitHub dork (search) across repositories (packages of source code) and grep out our target's subdomains. Searching GitHub by hand for "example.com" or ".example.com" works, and plenty of tools do it automatically!!!
Tools:
github-subdomains → A tool that runs searches on GitHub and parses the results to find subdomains of a given domain.
Install And Usage:
The tool requires a GitHub API token (a personal access token; for public repositories it needs no special scopes). Here is the full guide on how to get or create a GitHub API token..
#Install
go install github.com/gwen001/github-subdomains@latest
#Usage
github-subdomains -d example.com -t <your-github-token>
#If you don't want to pass the token on every command,
#you can set it as an environment variable:
export GITHUB_TOKEN=<your-github-token>
5. JS Subdomain Hunting:
JavaScript:
JavaScript is a programming language designed for web applications. About 99% of websites use JavaScript on the client side for webpage behaviour. The combination of JS (JavaScript), HTML (HyperText Markup Language) and CSS (Cascading Style Sheets) is what makes websites what they are..
JS's main job is handling functionality on the client side. Imagine example.com has a block of code (a login.js file) for the user login form that submits it to login.example.com. Then login.js contains the subdomain login.example.com. Awesome!! Like the login form, a root domain can have lots of JS files executing lots of functions. Not every JS file contains subdomains, but when one does, we can enumerate the target's subdomains from it. Modern front-end bundles are especially rich: API base URLs, websocket endpoints and CDN hosts are usually string constants, often with escaped slashes (https:\/\/api.example.com), so a plain search for ".example.com" is a good start.
Analysing JS code by hand is hard if we don't know JavaScript, so we use tools to extract the subdomains from the JS files.
SubDomainizer → Finds subdomains in the content of a page and its JavaScript files. SubDomainizer also finds secrets present in the page content and JavaScript files.
Install, Setup And Usage:
#Install and setup:
git clone https://github.com/nsonaniya2010/SubDomainizer.git && cd SubDomainizer
pip3 install -r requirements.txt
#Usage (note: this fetches the page and its scripts from the target itself, so unlike the sources above it is active)
python3 SubDomainizer.py -u https://www.example.com -o sudom_out.txt
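Whether the text comes from a GitHub search hit (section 4) or from a JavaScript bundle (this section), the extraction step is the same regex job, with the twist that bundles escape slashes and sometimes encode them as \u002F or %2F, and that a hostname match must be checked against the target so that old.example.com.internal-tools.test doesn't count. The Python below is an added example, not SubDomainizer's or github-subdomains' code, that pulls in-scope hostnames out of arbitrary text; the JS snippet it runs on is constructed for the demo.

```python
import re

# A candidate hostname: dot-separated labels of letters, digits, '-' and '_'.
# The lookbehind stops us from matching the tail of a longer name.
HOST_RE = re.compile(r"(?<![a-z0-9._-])((?:[a-z0-9_-]+\.)+[a-z0-9_-]+)", re.I)


def unescape_text(text):
    """Undo the separator escapes commonly seen in bundled JS and JSON."""
    text = text.replace("\\/", "/")                # https:\/\/api.example.com
    text = re.sub(r"\\u002[fF]", "/", text)        # https:\u002F\u002Fapi...
    text = text.replace("%2F", "/").replace("%2f", "/")
    return text


def extract_subdomains(text, root):
    """Return the sorted, lowercased subdomains of root mentioned in text."""
    root = root.lower().rstrip(".")
    found = set()
    for match in HOST_RE.finditer(unescape_text(text)):
        host = match.group(1).lower().rstrip(".")
        # the whole match must end with .root; a longer name that merely
        # contains root (x.example.com.attacker.test) is not in scope
        if host == root or not host.endswith("." + root):
            continue
        found.add(host)
    return sorted(found)


# Constructed sample of what a minified bundle or a leaked config looks like.
JS_SAMPLE = r'''
var API = "https:\/\/api.example.com\/v1\/login";
fetch("https://cdn.Example.com/static/app.js");
var host = 'wss://' + 'ws.example.com' + ':8443';
// legacy: http://old.example.com.internal-tools.test
var unicode = "https:\u002F\u002Fmetrics.example.com\u002Fcollect";
var other = "https://example.com/";
'''

if __name__ == "__main__":
    for host in extract_subdomains(JS_SAMPLE, "example.com"):
        print(host)
```

To use it on real input, feed it the raw file content of each GitHub search result, or each script URL collected from the target's HTML; the function is deliberately dumb about context so it works on minified code, YAML and .env files alike.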
6. Subdomain Scraping:
Subdomain scraping mixes all the techniques above with other common ways to hunt subdomains from passive sources on the Internet🌐.
Google isn't the only search engine on the Internet: DuckDuckGo, Bing and others are available too. The scraping technique covers that extra work, and not only search engines but also DNS datasets, CT logs, other source-code platforms, threat-intel feeds and much more…
Plenty of tools exist for this technique. We look at some of them below..,
1. Amass → Information gathering using open source and active reconnaissance techniques.
Install, Setup And Usage:
#Installing Amass with Go. Make sure $HOME/go/bin is in your $PATH
go install -v github.com/owasp-amass/amass/v4/...@master
#Usage (amass enum also does active DNS work by default; add -passive to stay with passive sources only)
amass enum -d example.com -o amass_out.txt
# List all options of the enum subcommand
amass enum -h
2. Subfinder → Subdomain discovery tool that returns valid subdomains for websites, using passive online sources.
Install, Setup And Usage:
Requirements:
For deeper subdomain enumeration subfinder needs API keys for several of its sources.
Here is the official guide on how to get and set API keys for subfinder:
https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration
#Installing with Go. Make sure $HOME/go/bin is in your $PATH
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
#Usage
#For one domain (-all uses every configured source)
subfinder -d example.com -all -o subfind_out.txt
#For a list of domains
subfinder -dL domains.txt -all -o subfind_outs.txt
# List all options of the tool
subfinder -h
3. Sublist3r → Python tool designed to enumerate subdomains of websites using Open-Source Intelligence (OSINT). Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask, and also uses Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS. It has not been maintained for some years, so expect some of those sources to fail.
Install, Setup And Usage:
#Installing (no sudo needed; install into your user site or a virtualenv)
git clone https://github.com/aboul3la/Sublist3r.git && cd Sublist3r
pip3 install -r requirements.txt
# Usage
python3 sublist3r.py -d example.com -o sublis_out.txt
#List all options
python3 sublist3r.py -h
4. assetfinder → Find domains and subdomains potentially related to a given domain.
Install, Setup And Usage:
#Installing with Go. Make sure $HOME/go/bin is in your $PATH
go install github.com/tomnomnom/assetfinder@latest
#Usage
#-subs-only prints only subdomains of the given domain; save the result to a file
assetfinder -subs-only example.com | tee asset_out.txt
5. Subdominator → Subdominator helps you discover subdomains associated with a target domain efficiently.
Install, Setup And Usage:
Requirements:
For advanced usage you need to set up API keys to enumerate more subdomains..!!!
Refer to the Subdominator tool's official blog to set up the API keys for the tool:
#Install and setup:
git clone https://github.com/sanjai-AK47/Subdominator.git && cd Subdominator
pip3 install .
#If the tool fails because the installed httpcore module lacks the attribute 'TimeoutException', pin the version it expects
pip3 install httpcore==0.15.0
#Usage
subdominator -d example.com -o subdom_out.txt
subdominator -d example.com -cf -o subdom_out.txt
#List all options
subdominator -h
6. SubScraper → SubScraper is a subdomain enumeration tool that uses a variety of techniques to find subdomains of a given target.
Install, Setup And Usage:
#Installing
git clone https://github.com/m8sec/subscraper && cd subscraper
pip3 install -r requirements.txt
#Installing the package for the current user
python3 setup.py install --user
#Usage
subscraper -d example.com -o subscrap_out.txt
Conclusion:
In subdomain scraping most of the results overlap, so we need to sort them and remove duplicates. Once you've enumerated with every tool, save all the subdomains into one file.
Move all the output files into one folder, then run sort on them to remove duplicates. For example..,
#This command merges the given files, removes duplicates and saves the result in a new file..
sort -u subfind_out.txt sublis_out.txt subdom_out.txt asset_out.txt subscrap_out.txt > all_subdomains.txt
Note that sort -u only removes exact duplicates: lowercase everything first and drop wildcard entries such as *.example.com (crt.sh output often contains them), otherwise Api.Example.com and api.example.com both survive and the wildcard line is useless to the resolvers later on.
7. DNS Brute Forcing:
As we already know, DNS (Domain Name System) is the phone book of the Internet. DNS brute forcing is based on asking DNS about candidate names and seeing whether they exist. We query for a candidate subdomain's DNS records (A, AAAA, CNAME, MX...); if the DNS server returns records, the subdomain exists. Two caveats: this is active recon (the queries end up at the target's authoritative name servers), and a zone with a wildcard record (*.example.com) answers for every name, so first resolve a random label such as x7q2k9.example.com and discard any candidate whose answer matches the wildcard's.
We need wordlists (lists of words) used to build candidate subdomains for our target. The common wordlists are..,
SecLists contains most of the commonly used words, with lists of up to about a million names. Using these words we can enumerate subdomains, but keep in mind that you need to choose the wordlist size that suits you (5k, 50k, 100k, 1M, etc…).
If you want to build a custom wordlist from your target's own content, no problem: CeWL is a tool that crawls the target and generates a wordlist. Its words are page content rather than hostnames, so lowercase them and drop anything that can't be a DNS label before using them. Crawling is active and noisy, like the brute force itself.
Install CeWL and Usage:
sudo apt install cewl
#Usage
cewl -d 3 -a -o --with-numbers -w wordlist.txt https://example.com
#Explanation of the options
-d: depth of the crawl
-a: also generate words from document metadata
-o: let the spider visit other (off-site) links
--with-numbers: allow words that contain numbers
-w: write the wordlist to this file
Once you've selected a wordlist, you build the candidate subdomains and query the DNS server for them. How? No question, tools are always here…,
You need to build the candidate subdomains from the wordlist for your target domain, because the resolver tool takes a list of full names as input and resolves them. The Bash script below builds the subdomains for a given target domain and wordlist, prints them on the command line and saves them to "<yourdomain>_subdomains.txt".
My Bash Script for Making Subdomains:
#!/bin/bash
# Simple Bash script to build candidate subdomains from a wordlist
# Check that a domain and a wordlist file were given
if [ $# -ne 2 ]; then
echo "Usage: $0 <domain> <wordlist>"
echo "Example: $0 example.com top-5000-words.txt"
exit 1
fi
domain="$1"
wordlist="$2"
out="${domain}_subdomains.txt"
# Check that the wordlist file exists
if [ ! -f "$wordlist" ]; then
echo "Wordlist file not found: $wordlist"
exit 1
fi
echo ''
echo "Making subdomains for domain: $domain with wordlist: $wordlist"
echo ''
# Read the wordlist line by line (IFS= read -r keeps each line intact instead of
# word-splitting it), lowercase each word, skip blank lines and anything that
# cannot be a DNS label, and print word.domain
while IFS= read -r word; do
word="$(printf '%s' "$word" | tr -d '\r' | tr 'A-Z' 'a-z')"
[ -z "$word" ] && continue
case "$word" in
*[!a-z0-9_-]*) continue ;;
esac
echo "${word}.${domain}"
done < "$wordlist" | tee "$out"
echo ""
echo "Generated subdomains are saved in $out"
Setup And Usage:
#Setup:
#Save the script with a ".sh" extension
example: make_subs.sh
#Give it execute permission
chmod +x make_subs.sh
#Usage
./make_subs.sh domain wordlist
./make_subs.sh example.com top-5000-words.txt
After building the candidate subdomains for your target, you can find out which of them are alive (and gather other information) by performing the DNS queries, i.e. the DNS brute force.
MassDNS → A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).
Install, Setup And Usage:
#Cloning the tool and navigating into the cloned directory
git clone https://github.com/blechschmidt/massdns.git && cd massdns
#Build the executable
make
#Usage: run the tool as "./bin/massdns"; the input is the candidate list produced by make_subs.sh
./bin/massdns -r lists/resolvers.txt -i 1000 -s 50 -t A -o S example.com_subdomains.txt -w example.com_livesubdomains.txt
#Options
-r: text file with DNS resolver IP addresses (the bundled lists/resolvers.txt goes stale; use a freshly validated list, because dead or lying resolvers produce both false negatives and false positives)
-i: interval in milliseconds to wait between multiple resolves of the same name
-s: number of concurrent lookups (queries in flight)
-t: record type to resolve (default: A)
-o: output format (S: simple text output)
-w: write the output to this file
NOTE: Be aware of the concurrency. By default massdns keeps 10,000 lookups in flight, which produces a lot of traffic and noise, and very high concurrency can exhaust the connection table of a consumer router or get your IP blocked by the resolvers.
So use the tool with limits: moderate concurrency (500–2000) takes longer, but remember, fast is safer than too fast..!!!! And filter wildcard answers out of the results (compare them with a random label's answer) before trusting them.
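The wildcard check mentioned above is what decides whether a brute-force hit means anything, and massdns does not do it for you. The Python below is an added example, not massdns or any tool from this blog, showing the logic: resolve a few random labels first, then drop every candidate whose answers are a subset of the wildcard's answers. It runs against a constructed fake zone so it works offline; socket_resolver (also included) plugs in the system resolver for a real, slow, single-threaded check, and the same filter applies to massdns output.

```python
import secrets
import socket


def socket_resolver(name):
    """Real resolver: IPv4 answers for name, or [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_answers(root, resolve, probes=3):
    """Resolve a few random labels under root.

    A zone without a wildcard answers NXDOMAIN for all of them (empty set);
    a zone with *.root returns the same addresses for every probe.
    """
    answers = set()
    for _ in range(probes):
        canary = secrets.token_hex(8) + "." + root   # 16 random hex chars, never a real host
        answers.update(resolve(canary))
    return answers


def valid_label(word):
    return bool(word) and all(c.isalnum() or c in "-_" for c in word)


def brute_force(root, words, resolve, wildcard=None):
    """Return {name: [ips]} for words that resolve to something other than the wildcard."""
    if wildcard is None:
        wildcard = wildcard_answers(root, resolve)
    hits = {}
    for word in words:
        word = word.strip().lower()
        if not valid_label(word):
            continue
        name = f"{word}.{root}"
        ips = resolve(name)
        if not ips:
            continue                      # NXDOMAIN: nothing there
        if wildcard and set(ips) <= wildcard:
            continue                      # indistinguishable from the catch-all record
        hits[name] = ips
    return hits


# Constructed fake zone for the demo (not real data). *.example.com is a
# wildcard pointing at 198.51.100.5; dev.example.com is a real host that
# shares that address, so a pure DNS check cannot tell it from the wildcard.
FAKE_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20"],
    "dev.example.com": ["198.51.100.5"],
}
FAKE_WILDCARD = ["198.51.100.5"]


def fake_resolver(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return FAKE_WILDCARD
    return []


WORDS = ["www", "mail", "admin", "dev", "bad word", "", "API"]

if __name__ == "__main__":
    wc = wildcard_answers("example.com", fake_resolver)
    print("wildcard answers:", wc or "none")
    for name, ips in brute_force("example.com", WORDS, fake_resolver, wc).items():
        print(name, ips)
```

The dev.example.com case in the fake zone is the known blind spot of this filter: a real host parked on the wildcard address is dropped along with the noise, so hosts behind a wildcard need a second check at a higher layer (an HTTP request with the candidate Host header, or a TLS handshake with that SNI) rather than DNS alone.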
8. Sub-of-Subdomains Enumeration:
A root domain doesn't contain only subdomains; it also contains subdomains of subdomains (a.b.example.com). Some of these were already gathered by the previous techniques, but it's good to enumerate sub-of-subdomains from the subdomains we have. We use the subdomain scraping technique to gather them. DNS brute force could do the job too, but we leave that to the next technique, subdomain permutation/alteration, which resolves its candidates anyway.
Bash Script for Scraping Subdomains of Subdomains:
The script below uses the tools Subfinder and Sublist3r. It takes its input from a file and scrapes for the subdomains of every name in it. If you want to add more tools, simply edit the script and add them, or comment others out. (Subfinder can take the whole list at once with -dL, as shown earlier; the loop is there so that Sublist3r, which takes one domain at a time, runs alongside it.)
#!/bin/bash
# A Bash script to find the sub-of-subdomains of every name in a list
if [ $# -ne 1 ]; then
echo "Usage: $0 <subdomains-file>"
echo "Example: $0 subdomains.txt"
exit 1
fi
# Replace this with the location of your Sublist3r checkout
SUBLIST3R="$HOME/tools/subhunt/Sublist3r/sublist3r.py"
echo ''
echo "Finding subdomains of every name in $1 using these tools: Subfinder and Sublist3r"
# Create (or empty) the collector file up front so that the final sort never
# runs on a missing file
: > all_temp_subdomains.txt
while IFS= read -r subs; do
[ -z "$subs" ] && continue
subfinder -d "$subs" -all -o subfinder_temp_out.txt
python3 "$SUBLIST3R" -d "$subs" -o sublist3r_temp_out.txt
# Either tool may write no output file when it finds nothing, so ignore missing files
cat subfinder_temp_out.txt sublist3r_temp_out.txt >> all_temp_subdomains.txt 2>/dev/null
rm -f subfinder_temp_out.txt sublist3r_temp_out.txt
done < "$1"
# Finally remove the duplicates..
sort -u all_temp_subdomains.txt > all_sub_of_subdomains.txt
rm -f all_temp_subdomains.txt
echo ""
echo "All sub-of-subdomains are saved in all_sub_of_subdomains.txt"
echo ""
#Script done
Setup And Usage:
#Setup:
#Edit the SUBLIST3R= line in the script so that it points at your Sublist3r checkout, for example:
SUBLIST3R="$HOME/tools/subhunt/Sublist3r/sublist3r.py"
#Then save the script with a ".sh" extension
example: sub_of_subs.sh
#Give it execute permission
chmod +x sub_of_subs.sh
#Usage
./sub_of_subs.sh subdomains-file
#Example
./sub_of_subs.sh all-subdomains.txt
#Note:
When a tool finds no sub-of-subdomains for a name, it may not write its output file at all.
The script creates the collector file up front and ignores missing per-tool files, so you won't see "cat: No such file" or "rm: No such file" errors; an empty all_sub_of_subdomains.txt simply means nothing new was found..!!🙃🙃
9. Subdomain Permutations/Alterations:
This is the last technique for enumerating subdomains. No matter which methodology you use to enumerate subdomains, always run subdomain permutation as the last step, because it feeds on everything found so far.
The technique works by altering the subdomain names we already have (inserting words, dashes and numbers) and resolving the results to find more subdomains. It is sometimes lumped in with dictionary attacks, but the candidates are derived from the known names, not taken from a fixed dictionary alone.
Tools:
Altdns → Generates permutations, alterations and mutations of subdomains and then resolves them.
Install, Setup And Usage:
#Install
pip3 install py-altdns==1.0.2
#Usage
altdns -i all_subdomains.txt -o permutated_subdomains.txt -w wordlist.txt -r -t 100 -s resolved_subdomains.txt
#Usage explanation
-i, --input : file containing the list of known subdomains
-o, --output : output file for the altered subdomains
-w, --wordlist : wordlist used to alter the subdomains
-r, --resolve : resolve all altered subdomains
-t, --threads : number of threads to run simultaneously
-s, --save : file to save the resolved altered subdomains
For each (subdomain, word) pair Altdns emits roughly six candidates (the word inserted before and between the labels, dash-joined and concatenated forms), plus numeric variants. So if the input file contains 1000 subdomains and the wordlist 100 words, expect on the order of 1000×100×6 = 600,000 candidates, every one of which will be resolved.
NOTE: If you aren't careful about the number of subdomains and words, you might disturb the target's DNS service (and the resolvers you use) and hurt its availability, because the tool resolves every altered subdomain. So be careful with resolver tools (not only Altdns): keep the thread count low, and check for wildcard DNS before trusting the results..!!!
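To see where that candidate count comes from, the Python below is an added example, not Altdns's code, that applies the main Altdns-style patterns to a list of known names: the word as a new label at every position, dash-joined and concatenated with the leftmost label, and numeric suffixes on the leftmost label. It only generates; resolve the result with massdns as in section 7, after the wildcard check. The estimate() helper and its default of six patterns per pair are this example's own rough figure, not a number taken from Altdns.

```python
import re


def permutations(subdomains, words, root, max_number=3):
    """Altdns-style candidates built from known subdomains under root.

    For every known name and every word: the word as a new label at each
    position (w.api, api.w, a.w.b), dash-joined and concatenated with the
    leftmost label (w-api, api-w, wapi, apiw); and numeric suffixes on the
    leftmost label (api -> api1.., api1 -> api2..). Inputs are not returned.
    """
    root = root.lower().rstrip(".")
    words = sorted({w.strip().lower() for w in words if w.strip()})
    known, out = set(), set()
    for sub in subdomains:
        sub = sub.strip().lower().rstrip(".")
        if sub == root or not sub.endswith("." + root):
            continue                                  # root itself or out of scope
        known.add(sub)
        labels = sub[: -(len(root) + 1)].split(".")
        first, rest = labels[0], labels[1:]
        for w in words:
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [w] + labels[i:]) + "." + root)
            for joined in (f"{w}-{first}", f"{first}-{w}", f"{w}{first}", f"{first}{w}"):
                out.add(".".join([joined] + rest) + "." + root)
        m = re.match(r"^(.*?)(\d+)$", first)          # continue an existing counter
        base, start = (m.group(1), int(m.group(2)) + 1) if m else (first, 1)
        for n in range(start, start + max_number):
            out.add(".".join([f"{base}{n}"] + rest) + "." + root)
    return sorted(out - known)


def estimate(n_subdomains, n_words, n_patterns=6, max_number=3):
    """Rough upper bound on the candidates, i.e. the queries you are about to send."""
    return n_subdomains * (n_words * n_patterns + max_number)


if __name__ == "__main__":
    # constructed inputs for the demo
    known = ["api.example.com", "api1.example.com", "mail.corp.example.com"]
    for name in permutations(known, ["dev", "staging"], "example.com"):
        print(name)
    print("1000 subdomains x 100 words ->", estimate(1000, 100), "candidates")
```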
Quote For The Day:
Knowledge is being aware of what you can do. Wisdom is knowing when not to do it. — Confucius
Yeah.. after just some minutes😉, we've reached the end. I know the blog is long, but remember, the more you know, the more you earn…!!! Thanks for your patience and for staying until the end. I always hope that in this blog you learned something new. If that's true, give claps👏 to the blog📜 and to me💗. If you have any questions or updates for this blog, ask and place them in the comments section📝. Our meeting will happen in the next blog🤝.