Restart Do Again Repeat
Subdomains Enumeration techniques and weekly updates
Hello, guys I know I am late :) My consistency is not that good, but I am trying to improve it soon. While I was off, I was working on improving my skills. I am going to tell this in this blog, but today’s topic is subdomains.
Yeah, I have read a lot about subdomains and how to find them like a pro.
In this blog, I am gonna talk about:
- What did I do this week (month)
- Subdomain - what is it? :)
- Different Techniques to find subdomains
- How to always improve in the subdomain game :)
- Next week - GraphQL
What did I do last month?
While I try to stay away from Twitter, I have never been so active on Twitter because it causes FOMO and controversies bla bla. However, I joined Twitter specifically to get security researcher tips and blog updates.
Reading both API Testing Book and Black Hat GraphQL - I suggest you all read it. It is awesome! Next week, I am gonna talk about GraphQL and other things that I learned.
Guys, the last PII that I asked Frey and submitted was a N/A from the company :(. Let’s see if I can catch other bugs this month or not.
Projects
Yo, I do a side hustle and sell projects to final-year students for their final-year projects. So this month, I got 3 clients hehe!
Discord
Hey, you still have not joined the Discord? Join the Discord! I have added automated writeups, disclosed reports, and 0-day updates :)
Join here
Subdomain - What is it? :)
A subdomain is a prefix added in front of a domain :) Yeah, it’s part of the same domain, but it is used to host a separate website or service.
Examples:
- Mail: smtp.example.com
- FTP: ftp.example.com
- Sub: sub.example.com
So the subdomain is like a new website for hosting services, protocols, backend stuff, CDNs, etc.
A web developer or system admin adds a new subdomain by creating a DNS record for that prefix in the Domain Name System (DNS), usually an A or AAAA record pointing at the server address.
Different Techniques to Find Subdomains
- Certificate Parsing
- Bruteforcing but with permutation
- Google Dorking
- Services to find manually
- Subject Alternate Name (SAN)
- GitHub Subdomain Finding
- Tools
Certificate Parsing
Certificate Parsing, or rather Certificate Transparency (CT), means looking up the SSL/TLS certificates issued for a domain and pulling the subdomains out of the names those certificates cover. It’s a passive technique (you never touch the target), yet it finds a hell lot of results easily.
BTW, CT was started by Google to improve the security of SSL/TLS certificates by making every issued certificate publicly visible.
In CT, any SSL/TLS certificate issued by a participating Certificate Authority (CA) is recorded in public Certificate Transparency Logs (CTL). Later, we can query these logs to find more subdomains using passive techniques.
Services to get all subdomains easily:
Automation
I have automated crt.sh to find subdomains easily for matching domains. You can do it manually, but automate boring and repetitive tasks!
Note: Read the code before you run it. You need to create a domains.txt file containing domains like target.com. The script will save the output in subdomains/sub2.txt.
#!/bin/bash
# Query crt.sh for every domain in domains.txt and collect the names
# recorded in Certificate Transparency logs into subdomains/sub2.txt.

Domain() {
  local requestsearch
  # %25 is a URL-encoded '%', crt.sh's wildcard: matches every name under $1
  requestsearch="$(curl -s "https://crt.sh/?q=%25.$1&output=json")"
  # crt.sh returns an HTML error page when overloaded; only parse real JSON
  if jq empty <<< "$requestsearch" 2>/dev/null; then
    # name_value may hold several names separated by newlines; jq -r prints each,
    # sed strips wildcard prefixes like "*." and sort -u removes duplicates
    echo "$requestsearch" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
  else
    echo "No valid JSON response from crt.sh for $1" >&2
    return 1
  fi
}

mkdir -p subdomains
echo "Running crt.sh enumeration..."
while IFS= read -r domain || [[ -n "$domain" ]]; do
  [[ -z "$domain" ]] && continue   # skip blank lines in domains.txt
  echo "Processing domain: $domain"
  if Domain "$domain" >> subdomains/sub2.txt; then
    total_domains=$(wc -l < subdomains/sub2.txt)
    echo "[+] Total Saved: $total_domains Domain(s) only"
  else
    echo "Error processing $domain" >&2
  fi
  echo ""
  sleep 1 # Add a delay to avoid rate limiting
done < domains.txt
# Deduplicate across all domains processed in this and earlier runs
sort -u -o subdomains/sub2.txt subdomains/sub2.txt
echo "crt.sh enumeration completed"
Bruteforcing but with Permutation :)
Bruteforcing is like filling in the blanks: when you don’t know what goes in the blank, you try many guesses and check which ones are correct.
Instead of classical brute-forcing, I read about permutation-based subdomain discovery and found a tool called ripgen.
Written in Rust, it generates variations of the names you already know and so finds unique names like staging.target.com that are not simply found in DNS or other enumeration methods.
Repo: Ripgen - GitHub
We can use dnsx to filter only active and working subdomains:
cat sub.txt | ripgen > ripgen_domains.txt
cat ripgen_domains.txt | dnsx -t 1000 -silent -o ripgen-results.txt
You will have many new subdomains even faster!
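To show what “permutation” means here, an added example (not ripgen’s own code and not from the original post): it takes a constructed seed list of known subdomains for example.com and a small hypothetical wordlist, pulls out the labels already in use, and recombines them into candidates that you would then pipe into a resolver such as dnsx, exactly as in the commands above.

```python
import re

# Constructed sample input: names already found for example.com (e.g. via crt.sh)
KNOWN = ["api.example.com", "staging.example.com", "dev1.example.com",
         "mail.internal.example.com"]
WORDLIST = ["dev", "staging", "test", "admin", "api", "v2"]  # hypothetical wordlist
APEX = "example.com"


def labels_from(known, apex):
    """Collect the individual labels that sit in front of the apex domain."""
    labels = set()
    for host in known:
        host = host.lower().rstrip(".")
        if not host.endswith("." + apex):
            continue  # out of scope, skip it
        labels.update(host[: -len(apex) - 1].split("."))
    return labels


def permutations(known, apex, wordlist):
    """Recombine known labels with each other and with a wordlist, and bump
    trailing numbers (dev1 -> dev2, dev3). Returns sorted new candidates."""
    labels = labels_from(known, apex)
    cands = set()
    for label in labels:
        for word in wordlist:
            if word != label:
                cands.add(f"{word}-{label}.{apex}")  # dev-api.example.com
                cands.add(f"{label}-{word}.{apex}")  # api-dev.example.com
                cands.add(f"{word}.{label}.{apex}")  # dev.api.example.com
                cands.add(f"{label}.{word}.{apex}")  # api.dev.example.com
        for other in labels:
            if other != label:
                cands.add(f"{label}.{other}.{apex}")  # api.staging.example.com
        m = re.fullmatch(r"([a-z-]+?)(\d+)", label)
        if m:
            stem, n = m.group(1), int(m.group(2))
            cands.update(f"{stem}{n + i}.{apex}" for i in (1, 2))
    # Drop names we already know so the resolver only gets new guesses.
    return sorted(cands - {h.lower().rstrip(".") for h in known})


if __name__ == "__main__":
    # Pipe this output into a resolver (the post uses dnsx) to keep live names.
    print("\n".join(permutations(KNOWN, APEX, WORDLIST)))
```

The candidate list grows roughly as labels × wordlist × 4, so a resolver with a sane thread count and rate limit is the right next step, not a raw loop of DNS queries.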
Google Dorking
Google Dorking is a technique for filtering search engine results using search operators.
Example:
site:*.example.com
- * - Wildcard that matches any subdomain
- site: - Tells the search engine to search only within the given domain
Useful Links:
GitHub Subdomain Finding
GitHub repositories might contain sensitive information, including subdomains.
Search Query:
repo:reponame OR org:organization_name "*domain.com"
I found an awesome tool: GitHub-Subdomains
It uses GitHub API tokens to extract subdomains from repositories. I modified it according to my needs!
Tools for Subdomain Enumeration
- Subfinder
- Amass
- crt.sh
- GitHub Subfinder
Note: Always use API keys! If you don’t configure tools with APIs from different services, you might miss 30-40% of subdomains.
Conclusion :)
Most people think recon is a waste of time, but without proper information gathering, testing isn’t effective.
Proper testing methodology:
- Information Gathering
- Website Mapping
- Exploitation
- Post-Exploitation
- Report
Hope you guys learned something new! See you next week :)
Next week, I am gonna talk about GraphQL!
Keep learning, and most importantly, follow your passion! :)
Peace out ✌️