Hey everyone, welcome to pentestguy. In this article we focus on subdomain enumeration in detail, but in an automated way: we combine different tools and try to gather as many subdomains as possible.
Why is Subdomain Enumeration required?
The answer is simple: an organization may have different products or services for internal or external use, and these often run on subdomains rather than on the main domain. In most cases the main domain is reasonably well secured, but subdomains can lose attention because different teams work on different things. Sometimes it is easier to find vulnerabilities on the subdomains, and they also increase the scope of a penetration test or bug hunt.
Subdomain enumeration can be categorised into two parts: passive and active enumeration.
Passive Enumeration
Passive enumeration techniques rely on third-party data sources, that is, they do not interact directly with the target's infrastructure. They include the techniques below.
Chaos – a public bug bounty dataset by ProjectDiscovery.
Public database lookups – searching for subdomains in Shodan, VirusTotal, Censys, etc.
Search engine queries – using dorks (Google dorking, Bing dorking).
SSL/TLS certificates – finding issued certificates via crt.sh.
SecurityTrails and historical data – checking past DNS records.
Below is the list of my favourite tools for passive subdomain enumeration.
Tools
To install/download the tools, you need to set up the Go language; if you are not sure how, follow the video below first.
After setting up all the tools, use the bash script below for automation. Save it as passive.sh, and make sure to provide your token/API key for Shodan, GitLab and GitHub in place of the placeholders. You can also run amass and sublist3r on their own for more results.
#!/bin/bash
# passive.sh - combine several passive sources and deduplicate the result with anew

# API keys: replace the placeholders with your own tokens, or export
# SHODAN_TOKEN / GITLAB_TOKEN / GITHUB_TOKEN before running the script.
SHODAN_TOKEN="${SHODAN_TOKEN:-Shodan_Token}"
GITLAB_TOKEN="${GITLAB_TOKEN:-Gitlab_Token}"
GITHUB_TOKEN="${GITHUB_TOKEN:-Github_Token}"

# Prompt for the target domain
read -r -p "Enter the target domain: " target_domain
# Create an output file for subdomains
output_file="$target_domain.txt"
# Step 1: Perform initial passive scans and deduplicate with anew
echo "Generating unique subdomains for $target_domain..."
subfinder -d "$target_domain" -silent | anew -q "$output_file"
findomain --quiet -t "$target_domain" | anew -q "$output_file"
cero -d "$target_domain" | anew -q "$output_file"
shosubgo -d "$target_domain" -s "$SHODAN_TOKEN" | anew -q "$output_file"
gitlab-subdomains -d "$target_domain" -t "$GITLAB_TOKEN" | anew -q "$output_file"
# Run github-subdomains and keep only lines that look like a hostname
# (the tool prints progress messages on the same stream)
echo "Running github-subdomains and extracting subdomains..."
github-subdomains -d "$target_domain" -t "$GITHUB_TOKEN" \
| awk '/^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/ {print $1}' \
| anew -q "$output_file"
# Final deduplication (anew already deduplicates; this also sorts the file)
sort -u "$output_file" -o "$output_file"
echo "Subdomain enumeration completed. Results saved in $output_file."
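The awk filter in passive.sh accepts any syntactically valid hostname, so a source such as github-subdomains can introduce names that are not part of the target domain at all. As an added example (not from the original post), the function below normalises the combined output and keeps only the apex and its subdomains, so the file you carry into active enumeration stays within the agreed scope; the sample input in the usage comment is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.
# filter_in_scope <apex-domain>: read hostnames on stdin, normalise them and
# print only those in scope (the apex itself or anything ending in ".<apex>").
# Handles the usual noise in tool output: mixed case, crt.sh wildcards
# ("*.example.com"), trailing dots and names that merely contain the apex
# ("example.com.attacker.net", "xexample.com").
#
# Constructed usage:
#   printf 'A.Example.com\n*.example.com\nexample.com.attacker.net\n' \
#     | filter_in_scope example.com
# prints a.example.com and example.com only.

filter_in_scope() {
    local apex="$1"
    [ -n "$apex" ] || { echo "usage: filter_in_scope <apex-domain>" >&2; return 2; }
    awk -v apex="$apex" '
        BEGIN { apex = tolower(apex) }
        {
            name = tolower($1)
            sub(/^\*\./, "", name)     # wildcard certificate entry
            sub(/\.$/, "", name)       # trailing dot from DNS-style output
            if (name == "") next
            # Only letters, digits, dots and hyphens are valid in a hostname.
            if (name !~ /^[a-z0-9.-]+$/) next
            # Exact apex, or the name ends in ".<apex>" (not just contains it).
            if (name == apex ||
                substr(name, length(name) - length(apex)) == "." apex)
                print name
        }' | sort -u
}
```

Pipe the result into `anew -q "$output_file"` instead of `sort -u` if you want the same append-only behaviour as passive.sh.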
Active Enumeration
Active subdomain enumeration techniques interact directly with the target infrastructure. Targets may sometimes block your IP because of the volume of requests, so use these tools carefully and stay within the agreed scope and rate limits.
Tools
After installing all the tools above, save the bash script below; its output will be the input for the active enumeration (DNS resolution). Make sure to take care of the following points.
1. subdomains.txt is the file produced by the passive enumeration. If you are not running the passive bash script, run any of the tools and save its output as subdomains.txt.
2. regulator is not a standalone executable, so configure/install it using the instructions at https://github.com/cramppet/regulator and add the alias below to your .bashrc for interactive use. A bash script does not read .bashrc, so the script below also defines a regulator function with the same path; adjust the path in both places.
alias regulator='python3 /path of regulator directory/main.py'
Permutations and Combination Script
#!/bin/bash
# permutations.sh - generate candidate subdomains from subdomains.txt

# Bash scripts do not read .bashrc, so the regulator alias is not available
# here; define the same command as a function (adjust the path to your install).
regulator() { python3 "/path of regulator directory/main.py" "$@"; }

WORDLIST=~/wordlist/best-dns-wordlist.txt
read -r -p "Enter the target domain: " domain
# Run all tools and store outputs in temporary files
altdns -i subdomains.txt -o tmp-altdns.txt -w "$WORDLIST"
dnsgen --wordlist "$WORDLIST" subdomains.txt > tmp-dnsgen.txt
gotator -sub subdomains.txt -perm "$WORDLIST" > tmp-gotator.txt
regulator -t "$domain" -f subdomains.txt -o tmp-regulator.txt
# Combine all outputs into a final file and use 'anew' for uniqueness
cat tmp-altdns.txt tmp-dnsgen.txt tmp-gotator.txt tmp-regulator.txt | anew > final-output.txt
# Clean up temporary files
rm -f tmp-altdns.txt tmp-dnsgen.txt tmp-gotator.txt tmp-regulator.txt
echo "Subdomain enumeration completed. Results saved in final-output.txt"
You also need a list of working resolvers. Use dnsvalidator to build it; the validation tools (shuffledns, puredns, dnsx) then use that list to resolve the candidate subdomains.
Note – dnsvalidator needs around 5-10 minutes to run.
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 20 -o resolvers.txt
Validate subdomains using shuffledns (resolvers.txt is the file written by dnsvalidator above)
shuffledns -l final-output.txt -r resolvers.txt -o shuffle_result.txt
Validate subdomains using puredns
cat final-output.txt | puredns resolve --resolvers resolvers.txt --write alive.txt
It's up to you which tools you use to validate the subdomains. Feel free to customise the given scripts according to your requirements.
Brute Force
Brute force is another way of performing subdomain enumeration and also falls under active enumeration. You can use different tools for it; some examples are given below.
1. Fuzzing with ffuf (virtual-host style: every candidate is sent as a Host header to the same server, so filter out the default response, for example with -fs <size>, to see only the hosts that answer differently)
ffuf -w wordlist.txt -u http://example.com/ -H "Host: FUZZ.example.com"
2. Fuzzing with Gobuster
gobuster dns -d target.com -w /usr/share/wordlists/dirb/common.txt
3. Fuzzing with shuffledns; make sure to generate resolvers.txt with dnsvalidator first.
shuffledns -d example.com -w best-dns-wordlist.txt -r resolvers.txt -o shuffledns_result.txt
That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide valuable comments and let us know if you have any suggestions. Now, you can also collaborate with us. Please check our collaboration page. Thank you!