Subdomains
Subdomain Enumeration
When exploring DNS records, we've primarily focused on the main domain (e.g., example.com) and its associated information. However, beneath the surface of this primary domain lies a potential network of subdomains. These subdomains are extensions of the main domain, often created to organize and separate different sections or functionalities of a website. For instance, a company might use blog.example.com for its blog, shop.example.com for its online store, or mail.example.com for its email services.
Why is this important for web reconnaissance?
Subdomains often host valuable information and resources that aren't directly linked from the main website. This can include:
Development and Staging Environments: Companies often use subdomains to test new features or updates before deploying them to the main site. Due to relaxed security measures, these environments sometimes contain vulnerabilities or expose sensitive information.
Hidden Login Portals: Subdomains might host administrative panels or other login pages that are not meant to be publicly accessible. Attackers seeking unauthorised access can find these as attractive targets.
Legacy Applications: Older, forgotten web applications might reside on subdomains, potentially containing outdated software with known vulnerabilities.
Sensitive Information: Subdomains can inadvertently expose confidential documents, internal data, or configuration files that could be valuable to attackers.
Subdomain Enumeration
Subdomain enumeration is the process of systematically identifying and listing these subdomains. From a DNS perspective, subdomains are typically represented by A (or AAAA for IPv6) records, which map the subdomain name to its corresponding IP address. Additionally, CNAME records might be used to create aliases for subdomains, pointing them to other domains or subdomains. There are two main approaches to subdomain enumeration:
1. Active Subdomain Enumeration
This involves directly interacting with the target domain's DNS servers to uncover subdomains. One method is attempting a DNS zone transfer, where a misconfigured server might inadvertently leak a complete list of subdomains. However, due to tightened security measures, this is rarely successful.
A more common active technique is brute-force enumeration, which involves systematically testing a list of potential subdomain names against the target domain. Tools like dnsenum, ffuf, and gobuster can automate this process, using wordlists of common subdomain names or custom-generated lists based on specific patterns.
2. Passive Subdomain Enumeration
This relies on external sources of information to discover subdomains without directly querying the target's DNS servers. One valuable resource is Certificate Transparency (CT) logs, public repositories of SSL/TLS certificates. These certificates often include a list of associated subdomains in their Subject Alternative Name (SAN) field, providing a treasure trove of potential targets.
Another passive approach involves utilizing search engines like Google or DuckDuckGo. By employing specialized search operators (e.g., site:), you can filter results to show only subdomains related to the target domain.
Additionally, various online databases and tools aggregate DNS data from multiple sources, allowing you to search for subdomains without directly interacting with the target.
Each of these methods has its strengths and weaknesses. Active enumeration offers more control and potential for comprehensive discovery but can be more detectable. Passive enumeration is stealthier but might not uncover all existing subdomains. Combining both approaches provides a more thorough and effective subdomain enumeration strategy.
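The Certificate Transparency approach described above, as an added example that is not part of this page: it turns CT search results into a clean list of in-scope subdomains. The input format (one JSON object per certificate, with the SAN names newline-separated in a name_value field) is modelled on crt.sh's JSON output and is an assumption; the sample data is constructed, so it runs offline.

```python
import json
from typing import List

# Constructed sample, modelled on the JSON a CT log search service such as crt.sh
# returns: one object per certificate, `name_value` holding every SAN on its own line.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.inlanefreight.com",
     "name_value": "www.inlanefreight.com\ninlanefreight.com"},
    {"common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\nmail.inlanefreight.com"},
    {"common_name": "STAGING.inlanefreight.com",
     "name_value": "STAGING.inlanefreight.com\ndev.inlanefreight.com\nmail.inlanefreight.com"},
    {"common_name": "inlanefreight.com.example.net",   # look-alike domain, out of scope
     "name_value": "inlanefreight.com.example.net"},
])


def in_scope(name: str, domain: str) -> bool:
    """True for the apex and for names strictly beneath it; rejects look-alike
    domains that merely contain the target string."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_ct(ct_json: str, domain: str) -> List[str]:
    """Extract unique, in-scope subdomains from CT search results.
    Wildcard SANs (*.x) prove a wildcard certificate exists but name no host, so
    they are dropped; names are lower-cased and the apex itself is excluded.
    CT logs are historical, so every name still has to be resolved afterwards."""
    domain = domain.lower().rstrip(".")
    hosts = set()
    for cert in json.loads(ct_json):
        sans = cert.get("name_value", "").split("\n") + [cert.get("common_name", "")]
        for san in sans:
            san = san.strip().lower().rstrip(".")
            if not san or san.startswith("*.") or san == domain:
                continue
            if in_scope(san, domain):
                hosts.add(san)
    return sorted(hosts)


if __name__ == "__main__":
    for host in subdomains_from_ct(SAMPLE_CT_JSON, "inlanefreight.com"):
        print(host)
```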
Subdomain Bruteforcing
Subdomain Brute-Force Enumeration is a powerful active subdomain discovery technique that leverages pre-defined lists of potential subdomain names. This approach systematically tests these names against the target domain to identify valid subdomains. By using carefully crafted wordlists, you can significantly increase the efficiency and effectiveness of your subdomain discovery efforts.
The process breaks down into four steps:
Wordlist Selection
The process begins with selecting a wordlist containing potential subdomain names. These wordlists can be:
General-Purpose: Containing a broad range of common subdomain names (e.g., dev, staging, blog, mail, admin, test). This approach is useful when you don't know the target's naming conventions.
Targeted: Focused on specific industries, technologies, or naming patterns relevant to the target. This approach is more efficient and reduces the chances of false positives.
Custom: You can create your own wordlist based on specific keywords, patterns, or intelligence gathered from other sources.
There are several tools available that excel at brute-force enumeration:
Comprehensive DNS enumeration tool that supports dictionary and brute-force attacks for discovering subdomains.
User-friendly tool for recursive subdomain discovery, featuring wildcard detection and an easy-to-use interface.
Versatile tool that combines multiple DNS reconnaissance techniques and offers customisable output formats.
Actively maintained tool focused on subdomain discovery, known for its integration with other tools and extensive data sources.
Simple yet effective tool for finding subdomains using various techniques, ideal for quick and lightweight scans.
Powerful and flexible DNS brute-forcing tool, capable of resolving and filtering results effectively.
DNSEnum
dnsenum is a versatile and widely-used command-line tool written in Perl. It is a comprehensive toolkit for DNS reconnaissance, providing various functionalities to gather information about a target domain's DNS infrastructure and potential subdomains. The tool offers several key functions:
DNS Record Enumeration: dnsenum can retrieve various DNS records, including A, AAAA, NS, MX, and TXT records, providing a comprehensive overview of the target's DNS configuration.
Zone Transfer Attempts: The tool automatically attempts zone transfers from discovered name servers. While most servers are configured to prevent unauthorised zone transfers, a successful attempt can reveal a treasure trove of DNS information.
Subdomain Brute-Forcing: dnsenum supports brute-force enumeration of subdomains using a wordlist. This involves systematically testing potential subdomain names against the target domain to identify valid ones.
Google Scraping: The tool can scrape Google search results to find additional subdomains that might not be listed in DNS records directly.
Reverse Lookup: dnsenum can perform reverse DNS lookups to identify domains associated with a given IP address, potentially revealing other websites hosted on the same server.
WHOIS Lookups: The tool can also perform WHOIS queries to gather information about domain ownership and registration details.
Let's see dnsenum in action by demonstrating how to enumerate subdomains for our target, inlanefreight.com. In this demonstration, we'll use the subdomains-top1million-5000.txt wordlist from SecLists, which contains the top 5000 most common subdomains.
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r
In this command:
dnsenum --enum inlanefreight.com: We specify the target domain we want to enumerate, along with --enum, a shortcut for some tuning options.
-f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt: We indicate the path to the SecLists wordlist we'll use for brute-forcing. Adjust the path if your SecLists installation is different.
-r: This option enables recursive subdomain brute-forcing, meaning that if dnsenum finds a subdomain, it will then try to enumerate subdomains of that subdomain.
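To show what the brute-force step (and the recursion that -r adds) does underneath, here is an added Python illustration that is not dnsenum's code and not part of this page. It resolves each wordlist entry under the domain and, the check every practitioner wants, first resolves random labels to detect a wildcard record so that wildcard answers are not reported as real subdomains. The resolver is pluggable: system_resolver uses the OS resolver, and any function with the same signature (for instance a static table, as in the demo) lets the logic run offline.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its IPs, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Resolve A/AAAA records through the OS resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def wildcard_answers(domain: str, resolve: Resolver, probes: int = 3) -> set:
    """Resolve a few random labels under `domain`. Any answer means the zone has
    a wildcard record; the IPs collected here are used to discard wildcard noise."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answers.update(resolve(f"{label}.{domain}") or [])
    return answers


def brute_force(domain: str, wordlist: List[str], resolve: Resolver = system_resolver,
                depth: int = 1) -> Dict[str, List[str]]:
    """Test every wordlist entry as a label under `domain`. With depth > 1 each hit
    is brute-forced again in turn (the behaviour dnsenum -r enables). Returns {fqdn: [ips]}."""
    wildcard = wildcard_answers(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):   # skip blanks and wordlist comments
            continue
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        # A hit whose answers are all wildcard answers is a false positive.
        if ips and not set(ips) <= wildcard:
            found[fqdn] = ips
    if depth > 1:
        for hit in list(found):
            found.update(brute_force(hit, wordlist, resolve, depth - 1))
    return found


if __name__ == "__main__":
    # Constructed demo zone (no network): unknown names answer with a wildcard IP.
    zone = {"www.inlanefreight.com": ["203.0.113.10"], "dev.inlanefreight.com": ["203.0.113.20"]}
    print(brute_force("inlanefreight.com", ["www", "dev", "mail"], lambda n: zone.get(n, ["203.0.113.99"])))
```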