What is Subdomain Enumeration?
Subdomain enumeration is the process of finding valid subdomains for one or more domains.
It can reveal many domains and subdomains that are in scope of a security assessment, which in turn increases the chances of finding vulnerabilities.
There are passive techniques (which only consult third-party data and never touch the target's infrastructure) and active ones (which send queries to the target's own DNS servers):
- Using search engines
- ASN discovery
- Using public datasets
- Certificate Transparency
- Using 3rd party aggregators
- SAN (Subject Alternative Name)
- DNS enumeration using Cloudflare
- Brute-force/dictionary enumeration
- HTTP headers
- Zone transfers
- Zone walking (DNSSEC)
- DNS records
- DNS cache snooping
Search engines for enumeration
Most of the major search engines provide advanced search operators to refine results; queries built from them are commonly called "Google dorks". Read our post about Dorking.
ASN Discovery
An ASN lookup is the act of querying the databases of the different RIRs (Regional Internet Registries) to get information about an Autonomous System Number (ASN). Some tools for IP-to-ASN lookup are the Team Cymru ASN lookup service and he.net (Hurricane Electric's BGP toolkit).
There are also tools for ASN-to-IP lookup, e.g. the nmap targets-asn NSE script, which expands an ASN into the prefixes it announces. A netblock registered to the organization is not automatically in scope, so confirm it against the engagement's rules before scanning it.
Certificate Transparency
The Certificate Transparency (CT) project logs, audits and monitors the certificates that Certificate Authorities (CAs) issue. SSL/TLS certificates generally contain domain names, subdomain names and sometimes email addresses. The logs are public and anyone can search them; CT search engines include crt.sh, censys.io, Google's Transparency Report and Facebook's certificate monitoring tool. Because the logs keep every certificate ever issued, they also surface hosts that have since been decommissioned: those names are candidates for dangling DNS records rather than live services, and every name pulled from CT still has to be resolved.
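As an added example (not code from the original post), the following Python turns a crt.sh JSON answer into a list of in-scope hostnames. crt.sh returns all SANs of a certificate newline-separated in the name_value field; the parser folds wildcards, drops out-of-scope names, and keeps the newest expiry date per name so that hosts seen only on expired certificates can be flagged for a dangling-DNS check. The JSON below is constructed to have crt.sh's shape and is not a real query result.

```python
import json
from datetime import datetime

def crtsh_url(domain):
    """crt.sh query for every certificate matching *.<domain>, as JSON."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"

def hosts_from_crtsh(json_text, domain):
    """Map each in-scope hostname to the latest 'not_after' seen for it.

    name_value holds all SANs separated by newlines; common_name is added
    because old certificates sometimes carry only a CN. "*.x" is reduced
    to "x", names are lower-cased, and anything outside <domain> is dropped.
    """
    latest = {}
    for entry in json.loads(json_text):
        names = set(entry.get("name_value", "").split("\n"))
        names.add(entry.get("common_name", ""))
        not_after = datetime.strptime(entry["not_after"], "%Y-%m-%dT%H:%M:%S")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or not (name == domain or name.endswith("." + domain)):
                continue
            if name not in latest or not_after > latest[name]:
                latest[name] = not_after
    return latest

def split_by_expiry(latest, now_iso):
    """Names whose newest certificate already expired (before now_iso, a
    YYYY-MM-DD string) are often decommissioned hosts: check them for
    dangling DNS records rather than expecting a live service."""
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    live = sorted(n for n, d in latest.items() if d >= now)
    stale = sorted(n for n, d in latest.items() if d < now)
    return live, stale

# Constructed sample in crt.sh's JSON shape (not a real crt.sh response).
SAMPLE = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com\n*.cdn.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00"},
    {"common_name": "legacy-vpn.example.com",
     "name_value": "legacy-vpn.example.com",
     "not_before": "2019-03-01T00:00:00", "not_after": "2020-03-01T00:00:00"},
    {"common_name": "shared.hosting-provider.net",
     "name_value": "shared.hosting-provider.net\nMail.Example.com.",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T00:00:00"},
])

if __name__ == "__main__":
    seen = hosts_from_crtsh(SAMPLE, "example.com")
    live, stale = split_by_expiry(seen, "2024-08-01")
    print("query:", crtsh_url("example.com"))
    print("current certs:", live)
    print("expired only:", stale)
```

For a real run, fetch crtsh_url(domain) with any HTTP client and pass the body to hosts_from_crtsh; the "stale" list is the one to resolve first, since names that no longer resolve inside the organization's zone are where subdomain takeover candidates appear.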
Using 3rd party services
We can also use 3rd party services that collect DNS data for our information gathering. VirusTotal, for example, runs its own passive DNS replication service. Querying these third-party sources first makes the enumeration more efficient: more results in less time, without sending anything to the target. Some of them are:
SAN (Subject Alternative Name)
The Subject Alternative Name (SAN) is an X.509 extension that lets a single SSL/TLS certificate cover additional host names. Domain names can be extracted from the SAN field of the certificate a server presents; the same data can be pulled by hand with openssl s_client followed by openssl x509 -noout -ext subjectAltName. Appsecco's Python script is a useful tool for this kind of enumeration.
DNS enumeration using Cloudflare
Cloudflare can be used to dig through DNS data: the "Add site" flow scans the domain's existing DNS records and lists what it found, which leaks subdomains. There are automated scripts available for this.
Brute force/Dictionary Enumeration
We can use brute-force techniques to find valid subdomains of a domain using a dictionary of subdomain names, permutations of names already found, and so on. The main tools are Subbrute, DNSRecon and Altdns. All we have to do is supply a name list; the tool then tries to resolve A, AAAA and CNAME records for each entry against the domain, one by one. Beware of wildcard DNS: if the zone answers for any name, every guess looks valid, so resolve a random label first and discard hits that return the same answer.
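The permutation idea described above, as an added example in Python (not code from the original post or from Altdns): starting from subdomains already known, it builds altdns-style candidates (word inserted as a label, hyphen prefix/suffix, incremented trailing numbers) and resolves them through an injectable resolver, checking for a wildcard answer first so a catch-all zone does not turn every guess into a hit. The STUB dictionary is a constructed stand-in for DNS so the demo runs offline; the hostnames in it are hypothetical.

```python
import random
import re
import socket
import string

def permute(known_hosts, words, domain, max_increment=3):
    """altdns-style candidate generation from subdomains already found.

    Each word is inserted as a new label at every position and used as a
    hyphen prefix/suffix of the leftmost label; a trailing number is
    incremented (api1 -> api2, api3, ...). Known hosts are removed so the
    output contains only names still to be resolved.
    """
    suffix = "." + domain.lower()
    known = {h.lower().rstrip(".") for h in known_hosts}
    cands = set()
    for host in known:
        if not host.endswith(suffix):
            continue
        labels = host[:-len(suffix)].split(".")
        tail = ("." + ".".join(labels[1:]) if len(labels) > 1 else "") + suffix
        for w in words:
            w = w.lower()
            for i in range(len(labels) + 1):
                cands.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
            cands.add(f"{w}-{labels[0]}{tail}")
            cands.add(f"{labels[0]}-{w}{tail}")
        m = re.fullmatch(r"(.*?)(\d+)", labels[0])
        if m:
            stem, num = m.group(1), int(m.group(2))
            for n in range(num + 1, num + 1 + max_increment):
                cands.add(f"{stem}{n}{tail}")
    return sorted(cands - known)

def system_resolve(host):
    """Default resolver: the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def wildcard_ip(domain, resolve):
    """Resolve a random label first: if it answers, the zone has a wildcard
    and every candidate would 'exist'. Its IP is used to discard such hits."""
    rnd = "".join(random.choices(string.ascii_lowercase, k=12))
    return resolve(f"{rnd}.{domain}")

def resolve_all(candidates, domain, resolve=system_resolve):
    """Return {host: ip} for candidates that resolve to something other than
    the wildcard answer (a heuristic: wildcard zones may rotate several IPs)."""
    wild = wildcard_ip(domain, resolve)
    found = {}
    for host in candidates:
        ip = resolve(host)
        if ip and ip != wild:
            found[host] = ip
    return found

# Constructed stand-in for DNS so the demo runs offline; not a real zone.
STUB = {"dev-api.example.com": "10.0.0.7", "api2.example.com": "10.0.0.8"}

if __name__ == "__main__":
    cands = permute(["api.example.com", "api1.example.com"], ["dev", "staging"], "example.com")
    print(len(cands), "candidates, e.g.", cands[:5])
    print("live:", resolve_all(cands, "example.com", STUB.get))
```

Against a real target, drop the third argument of resolve_all to use the system resolver, or pass a function backed by a tool such as massdns for large candidate sets.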
HTTP headers
A Content-Security-Policy (CSP) HTTP header lists the sources a page is allowed to load content from, and those source lists frequently name internal or otherwise unknown subdomains. We can read it with curl (-L follows redirects, so the headers of every hop are shown). Automated scripts are also available.
$ curl --head -s -L https://example.com | grep -iE 'Content-Security|CSP'
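As an added example (not code from the original post), here is a small Python parser for the curl output above: it picks the Content-Security-Policy and Content-Security-Policy-Report-Only values out of the raw header blocks, then extracts hostnames from each directive, skipping keywords, nonces and scheme-only sources and stripping schemes, ports, paths and wildcard labels. The header text and hostnames are constructed for the demo and are not from a real site.

```python
import re

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

def csp_values_from_headers(raw_headers):
    """Pull every CSP / CSP-Report-Only value out of `curl --head` output
    (with -L there is one header block per redirect hop)."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CSP_HEADERS:
            values.append(value.strip())
    return values

def hosts_from_csp(header_value, scope=None):
    """Hostnames named in a CSP value.

    Keywords ('self', 'none', nonces, hashes), scheme-only sources (data:,
    blob:) and a bare '*' carry no hostname and are skipped. Scheme, path,
    port and leading wildcard labels are removed, so
    "*.media.example.com:8443" becomes "media.example.com". With `scope`
    set, only that domain and its subdomains are returned.
    """
    hosts = set()
    for directive in header_value.split(";"):
        tokens = directive.split()
        for src in tokens[1:]:                        # tokens[0] is the directive name
            if src.startswith("'") or src.endswith(":") or src == "*":
                continue
            host = src.split("://", 1)[-1]            # drop scheme if any
            host = host.split("/", 1)[0]              # drop path
            host = re.sub(r":(\d+|\*)$", "", host)    # drop port
            host = host.lstrip("*.").lower()          # *.x.y -> x.y
            if "." not in host:                       # localhost, empty, etc.
                continue
            if scope and not (host == scope or host.endswith("." + scope)):
                continue
            hosts.add(host)
    return sorted(hosts)

def csp_hosts_from_curl_output(raw_headers, scope=None):
    """Union of hostnames over every CSP header found in the curl output."""
    hosts = set()
    for value in csp_values_from_headers(raw_headers):
        hosts.update(hosts_from_csp(value, scope))
    return sorted(hosts)

# Constructed sample policy and curl --head -L output; not from a real site.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d2hhdA==' https://static.example.com https://cdn.thirdparty.net; "
    "img-src * data: *.media.example.com:8443; "
    "connect-src https://api-internal.example.com:8443 wss://ws.example.com/socket; "
    "frame-ancestors 'none'; "
    "report-uri https://csp-report.example.com/r"
)
SAMPLE_HEADERS = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://www.example.com/",
    "",
    "HTTP/2 200",
    "content-type: text/html",
    "Content-Security-Policy: " + SAMPLE_CSP,
    "Content-Security-Policy-Report-Only: default-src 'self' https://beta.example.com",
    "",
])

if __name__ == "__main__":
    print("in scope:", csp_hosts_from_curl_output(SAMPLE_HEADERS, "example.com"))
    print("all hosts:", hosts_from_csp(SAMPLE_CSP))
```

Report-Only policies are worth keeping: they are often the newer, stricter policy being trialled and tend to list hosts the enforced policy does not yet mention.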
DNS Zone Transfers
Zone transfer is the process of copying the contents of the zone file from a primary DNS server to a secondary DNS server. It is one of several mechanisms administrators use to replicate DNS data across a set of servers. If transfers are not restricted (to the secondaries' addresses, or with TSIG keys), anyone can request one from a nameserver and receive a copy of the zone file, which by design lists the hosts that reside in the zone.
To attempt an AXFR zone transfer, first get the list of nameservers for the domain:
$ dig +short ns vulnerabledomain.com
Then send an AXFR request to each of them. A correctly configured server answers "Transfer failed."; a single misconfigured server is enough to leak the whole zone, so check every one:
$ dig +multi AXFR @ns1.vulnerabledomain.com vulnerabledomain.com
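The two dig steps above, automated for every nameserver as an added Python example (not code from the original post): it lists the nameservers, tries AXFR against each one, recognises dig's "; Transfer failed." refusal, and parses any leaked zone into hostnames (owner names plus in-zone NS, MX, CNAME and SRV targets). The dig call is real; fake_dig and the two captured outputs are constructed so the demo runs offline, and vulnerabledomain.com is the page's placeholder, not a real target.

```python
import subprocess

def run_dig(args):
    """Run dig with the given arguments and return its stdout (real network)."""
    return subprocess.run(["dig"] + args, capture_output=True, text=True, timeout=30).stdout

def nameservers(domain, run=run_dig):
    """`dig +short ns <domain>` -> list of nameserver hostnames."""
    out = run(["+short", "ns", domain])
    return [line.strip().rstrip(".").lower() for line in out.splitlines() if line.strip()]

def parse_axfr(output):
    """Parse `dig AXFR` output into (owner, ttl, type, rdata) tuples.
    Returns None when the server refused (dig prints '; Transfer failed.').
    +multi is deliberately not used: it wraps SOA records over several lines."""
    if "Transfer failed." in output:
        return None
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = fields
        records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return records

def hosts_in_zone(records, domain):
    """Distinct hostnames under <domain>: record owners plus in-zone targets."""
    hosts = set()
    for owner, _ttl, rtype, rdata in records:
        if owner != domain and owner.endswith("." + domain):
            hosts.add(owner)
        if rtype in ("NS", "CNAME", "MX", "SRV"):
            target = rdata.split()[-1].rstrip(".").lower()
            if target.endswith("." + domain):
                hosts.add(target)
    return hosts

def axfr_hosts(domain, run=run_dig):
    """Try AXFR on every authoritative server. Returns ({ns: hosts}, [refusing ns])."""
    leaked, refused = {}, []
    for ns in nameservers(domain, run):
        records = parse_axfr(run(["AXFR", "@" + ns, domain]))
        if records is None:
            refused.append(ns)
        else:
            leaked[ns] = hosts_in_zone(records, domain)
    return leaked, refused

# Constructed dig outputs for the placeholder domain (not real captures).
NS_OUT = "ns1.vulnerabledomain.com.\nns2.vulnerabledomain.com.\n"
REFUSED = ("; <<>> DiG 9.18.1 <<>> AXFR @ns1.vulnerabledomain.com vulnerabledomain.com\n"
           ";; global options: +cmd\n; Transfer failed.\n")
LEAKED = """; <<>> DiG 9.18.1 <<>> AXFR @ns2.vulnerabledomain.com vulnerabledomain.com
;; global options: +cmd
vulnerabledomain.com.   3600  IN  SOA  ns1.vulnerabledomain.com. hostmaster.vulnerabledomain.com. 2024050101 7200 3600 1209600 3600
vulnerabledomain.com.   3600  IN  NS   ns1.vulnerabledomain.com.
vulnerabledomain.com.   3600  IN  NS   ns2.vulnerabledomain.com.
vulnerabledomain.com.   3600  IN  MX   10 mail.vulnerabledomain.com.
intranet.vulnerabledomain.com.  300  IN  A  10.10.4.15
mail.vulnerabledomain.com.  3600  IN  A  198.51.100.25
vpn.vulnerabledomain.com.   300  IN  CNAME  intranet.vulnerabledomain.com.
vulnerabledomain.com.   3600  IN  SOA  ns1.vulnerabledomain.com. hostmaster.vulnerabledomain.com. 2024050101 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 198.51.100.53#53(ns2.vulnerabledomain.com) (TCP)
;; XFR size: 8 records (messages 1, bytes 312)
"""

def fake_dig(args):
    """Offline stand-in for run_dig: ns1 refuses, ns2 leaks the zone."""
    if args[0] == "+short":
        return NS_OUT
    return REFUSED if args[1] == "@ns1.vulnerabledomain.com" else LEAKED

if __name__ == "__main__":
    leaked, refused = axfr_hosts("vulnerabledomain.com", fake_dig)
    print("refused:", refused)
    for ns, hosts in leaked.items():
        print(ns, "leaked", sorted(hosts))
```

Call axfr_hosts(domain) without the second argument to use the real dig; the important behaviour is that it does not stop at the first refusal, since it is usually one overlooked secondary that leaks.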
Zone Walking (DNSSEC NSEC Records)
Zone walking is a technique used to enumerate the full contents of a DNSSEC-signed zone when the zone uses NSEC records: each NSEC record names the next owner in the zone's canonical order, so following the chain from the apex lists every name, including ones that were never meant to be public. Zones signed with NSEC3 replace the names with salted hashes, which blocks a direct walk but still leaves the hashes open to an offline dictionary attack using the salt and iteration count published in the NSEC3PARAM record. The information obtained helps to map hosts on the network. DNSRecon is a useful tool for zone walking.
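Both halves of the technique as an added Python example (not code from the original post or from DNSRecon): walk_nsec follows an NSEC chain until it wraps back to the apex, and nsec3_hash implements the RFC 5155 owner-name hash so that hashed names collected from an NSEC3 zone can be matched against a wordlist offline. NSEC_CHAIN, the hash set and the wordlist are constructed for the demo (example.com is used as a placeholder zone); the hash function itself can be checked against the vectors in RFC 5155 Appendix A.

```python
import base64
import hashlib

def walk_nsec(apex, query_nsec):
    """Follow the NSEC chain from the apex until it wraps around.

    query_nsec(owner) -> (next_owner, [types]) is whatever fetches the NSEC
    record of `owner` (e.g. `dig +dnssec NSEC <owner>`). Each record names
    the next owner in canonical order, so following them lists every name.
    The `seen` set also stops a walk on a malformed chain that never closes.
    """
    names, seen = [], set()
    current = apex
    while current not in seen:
        seen.add(current)
        nxt, types = query_nsec(current)
        names.append((current, types))
        current = nxt
    return names

_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 owner-name hash: SHA-1(wire_name || salt), re-hashed with the
    salt `iterations` more times, encoded in base32hex (lower-case here).
    The name is canonicalised (lower-case, wire format) before hashing."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()

def crack_nsec3(observed_hashes, zone, wordlist, salt_hex, iterations):
    """Offline dictionary attack: hash each guess with the zone's published
    salt and iteration count and match it against the hashed owner names
    collected from the NSEC3 chain. Returns {hash: recovered_name}."""
    hits = {}
    for word in wordlist:
        guess = f"{word}.{zone}"
        h = nsec3_hash(guess, salt_hex, iterations)
        if h in observed_hashes:
            hits[h] = guess
    return hits

# Constructed NSEC chain standing in for live queries: owner -> (next, types).
NSEC_CHAIN = {
    "example.com.": ("api.example.com.", ["NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]),
    "api.example.com.": ("dev.example.com.", ["A", "RRSIG", "NSEC"]),
    "dev.example.com.": ("mail.example.com.", ["A", "RRSIG", "NSEC"]),
    "mail.example.com.": ("www.example.com.", ["A", "MX", "RRSIG", "NSEC"]),
    "www.example.com.": ("example.com.", ["A", "AAAA", "RRSIG", "NSEC"]),
}

def fake_nsec_query(owner):
    """Offline stand-in for fetching an NSEC record."""
    return NSEC_CHAIN[owner]

# Constructed NSEC3 data: salt/iterations as an NSEC3PARAM would publish them,
# and the hashed owners a walker would have collected from the zone.
SALT, ITERATIONS = "aabbccdd", 10
OBSERVED_HASHES = {nsec3_hash(f"{l}.example.com", SALT, ITERATIONS)
                   for l in ("api", "dev", "mail", "www")}
WORDLIST = ["www", "mail", "ftp", "api", "vpn", "dev", "staging"]

if __name__ == "__main__":
    for owner, types in walk_nsec("example.com.", fake_nsec_query):
        print(owner, types)
    print("NSEC3 hits:", crack_nsec3(OBSERVED_HASHES, "example.com", WORDLIST, SALT, ITERATIONS))
```

The offline step is why NSEC3 is only a mitigation: the cost of guessing is the iteration count times one SHA-1 per word, which is cheap for any list of common subdomain names.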
DNS Cache Snooping
DNS cache snooping checks whether a resolver already holds a specific record in its cache, which reveals what its users have recently looked up (internal hostnames, partner sites, the anti-virus vendor, and so on). The check is a non-recursive query (RD bit cleared): the resolver then answers only from its cache, and a cached entry also shows a TTL lower than the authoritative one. It only works against resolvers that accept non-recursive queries from you, so the opportunity does not arise very often. DNSRecon can perform cache snooping:
$ ./dnsrecon.py -t snoop -n <server> -D <dict>
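The non-recursive check itself, as an added Python example (not code from the original post or from DNSRecon): build_query produces a DNS A query with the RD bit cleared, parse_response reads the answer section, and snoop reports the name as cached when the resolver answers anyway, using the TTL against the authoritative value as a second indicator. udp_exchange is the real transport; fake_resolver is a constructed stand-in so the demo runs offline, and the cached hostname and address in it are hypothetical.

```python
import socket
import struct

def build_query(name, txid=0x1234, recursion_desired=False, qtype=1):
    """Build a DNS query (type A by default). RD=0 tells the resolver not to
    recurse, so it can only answer from what it already has cached."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(buf, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:       # 2-byte pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(buf):
    """Return rcode, RA flag and the answer section as (type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(buf, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        answers.append((rtype, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080), "answers": answers}

def snoop(name, exchange, authoritative_ttl=None):
    """exchange(query_bytes) -> response_bytes. The name counts as cached when
    the RD=0 query still gets an A answer; a TTL below the authoritative
    value corroborates it, because a cached entry counts down."""
    resp = parse_response(exchange(build_query(name)))
    a_records = [(ttl, rdata) for rtype, ttl, rdata in resp["answers"] if rtype == 1]
    if resp["rcode"] != 0 or not a_records:   # REFUSED, NXDOMAIN, or empty: not cached
        return {"cached": False, "ttl": None, "ip": None}
    ttl, rdata = a_records[0]
    verdict = {"cached": True, "ttl": ttl, "ip": socket.inet_ntoa(rdata)}
    if authoritative_ttl is not None:
        verdict["ttl_decremented"] = ttl < authoritative_ttl
    return verdict

def udp_exchange(server, port=53, timeout=3.0):
    """Real transport for snoop(): one UDP round trip to the resolver."""
    def exchange(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recvfrom(4096)[0]
    return exchange

def fake_resolver(cache):
    """Constructed stand-in for a resolver whose cache is {name: (ttl, ip)}.
    It echoes the question and, on a hit, adds one A record whose owner is
    a 0xC00C pointer back to the question name."""
    def exchange(query):
        txid = struct.unpack_from("!H", query, 0)[0]
        off, labels = 12, []
        while query[off]:
            labels.append(query[off + 1:off + 1 + query[off]].decode("ascii"))
            off += 1 + query[off]
        question = query[12:]
        flags = 0x8080                      # QR=1, RA=1, RD=0 (mirrors our query)
        hit = cache.get(".".join(labels))
        if hit is None:
            return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
        ttl, ip = hit
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    return exchange

if __name__ == "__main__":
    resolver = fake_resolver({"intranet.example.com": (247, "10.0.0.5")})
    print(snoop("intranet.example.com", resolver, authoritative_ttl=3600))
    print(snoop("never-asked.example.com", resolver))
```

Against a real resolver use snoop(name, udp_exchange("192.0.2.53"), authoritative_ttl=...) with the TTL taken from the name's authoritative servers; an rcode of 5 (REFUSED) means the resolver does not serve non-recursive queries to you and the technique does not apply.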
Tools for Subdomain Enumeration
The OWASP Amass Project is a very useful tool, especially for passive DNS enumeration.
To discover subdomains that belong to a given domain:
$ amass --passive -d <TARGET-DOMAIN>
(That is the syntax of older releases; current Amass versions put the same options under the enum subcommand, i.e. amass enum -passive -d <TARGET-DOMAIN>.)
MassDNS is a simple high-performance DNS stub resolver for those who need to resolve a massive number of domain names. It sends queries to a list of public resolvers, so validate any interesting hit against a resolver you trust: some resolvers in public lists return bogus answers.
It includes a Python script allowing you to resolve all IPv4 PTR records:
$ ./scripts/ptr.py | ./bin/massdns -r lists/resolvers.txt -t PTR -w ptr.txt
MassDNS allows you to brute force subdomains using the included subbrute.py script:
$ ./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt
As an additional method of reconnaissance, the ct.py script extracts subdomains from certificate transparency logs by scraping the data from crt.sh:
$ ./scripts/ct.py example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt
Altdns is a DNS recon tool that discovers subdomains through alterations and permutations of names already known. Usage:
$ altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
To perform standard DNS enumeration with DNSRecon, the command to use is:
$ ./dnsrecon.py -d <domain>
DNSRecon can attempt enumeration via zone transfers with either of these commands (-a adds the transfer attempt to the standard enumeration, -t axfr runs only the transfer):
$ ./dnsrecon.py -d <domain> -a
$ ./dnsrecon.py -d <domain> -t axfr
DNSRecon can perform reverse lookups for PTR (pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration, the command is:
$ ./dnsrecon.py -r <startIP-endIP>
A reverse DNS lookup can be performed against all ranges listed in the domain's SPF records with the command:
$ ./dnsrecon.py -d <domain> -s
In order to run the domain name brute-force we need to type:
$ ./dnsrecon.py -d <domain> -D <namelist> -t brt
The command used to perform cache snooping against a resolver is the following:
$ ./dnsrecon.py -t snoop -n <server> -D <dict>
In order to perform the zone walking we need to type the command:
$ ./dnsrecon.py -d <host> -t zonewalk
Subdomain enumeration is an important part of reconnaissance: it widens the scope of a security assessment, which in turn increases the chances of finding vulnerabilities.
Passive OSINT sources are fast and efficient compared with active, terminal-based tools and never touch the target, but it is the active tools that confirm which of the collected names actually resolve and produce the list of live subdomains.