The Hunt for Subdomains: A Guide to Subdomain Enumeration

June 21, 2022
Christian Bohren
5 min read

We will leave their primary domain behind, we will pass through the SOC patrols, past their firewalls, and lay off their largest application, and listen to their web traffic... while we conduct Subdomain Enumeration!

Introduction

Subdomain enumeration is the process of finding valid sub-domains (ex: tv.youtube.com) for one or more domains (youtube.com). In this post, we'll walk through why subdomain enumeration matters, and how to perform it using today's top methods.

There are two types of Subdomain Enumeration Techniques: Passive and Active. This article will take a deep dive into Passive Subdomain Enumeration.

What is Passive Subdomain Enumeration?

In Passive Subdomain Enumeration, a pentester or an ethical hacker does not directly attack the organization's infrastructure, but gathers information from third-party sources like VirusTotal, DNSDumpster, Cloudflare, Google Dorks. This enumeration approach does not generate noticeable traffic and is unlikely to be detected by a firewall.

Passive Subdomain Enumeration Techniques:

  1. Google Dorking
  2. Autonomous System Number (ASN) Lookups
  3. Subject Alternative Name (SAN)
  4. Content Security Policy (CSP) Headers
  5. Third-party services
  6. Amass
  7. Certificate Transparency
  8. Internet Archives

1. Google Dorking

Google Dorks are one of the best ways to find extenstive information about a target. Google's search operators make it easy to narrow down the search to find more subdomains.

We can use the "site" operator in the search bar to find all the subdomains that Google has indexed for a domain. Google also supports the minus operator to exclude any subdomains we are not interested in.

2. Autonomous System Numbers (ASN)

ASN is a globally unique identifier that defines a group of one or more IP prefixes run by one or more network operators. Finding ASNs will let us identify an organization's Classless Inter-Domain Routing (CIDR) blocks, which will give us valid domains. There are various tools we can use to find ASNs.

Two such tools are:

https://asn.cymru.com/cgi-bin/whois.cgi

https://bgp.he.net/

Just enter the IP address of the organization, and you will find the ASN. After discovering the ASN, you can use Amass to find the netblocks assigned to it.

amass intel -asn <ASN_ID> -ip

3. Subject Alternative Name (SAN)

A Subject Alternative Name or SAN is a digital certificate that allows multiple subdomains to be protected by a single certificate. We can make use of this certificate to find more subdomains. We can use the OpenSSL client to find them, but the process is tricky, fortunately, there’s a fantastic script available to do the work for us:

https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/san_subdomain_enum.py

Once you’ve installed the python script, run it against the targeted domain as below:

python3 san.py <domain>

4. CSP Headers

The Content Security Policy header is a critical security header for all web applications to defend from XSS and SSRF attacks. Still, the CSP policy also contains subdomains that require access for various resources and API calls. You can use the following curl command to extract CSP headers for a given URL.

curl --head -s -L paypal.com | grep -iE "Content-Security-Policy|CSP"

5. Third-Party Services

Many third-party services are available on the internet that aggregate massive DNS datasets and their information. We can use these third-party services for our passive enumeration. Some third-party services are

1. VirusTotal

2. DNSDumpster

3. Findomain

VirusTotal

Virustotal runs its own passive DNS replication service by storing DNS resolutions performed when visiting URLs submitted by users. To retrieve the information of a domain, you just have to put the domain name in the search bar.

Url: https://www.virustotal.com/gui/home/search

DNSDumpster

DNSDumpster is another fantastic tool to find subdomains for a given domain. All you have to do is enter your domain in the search bar.

Findomain

Findomain is a very fast subdomain enumeration tool. It has a paid version that supports monitoring, integration with nuclei, and reporting. To use Findomain, execute the following commands:

git clone https://github.com/findomain/findomain.git
cd findomain
cargo build --release
sudo cp target/release/findomain /usr/bin/
findomain -t domain.com

6. Amass

Amass is one of the best subdomain enumeration tools available in the market. Its efficiency and vast sources make it a must-have tool for subdomain enumeration. Amass supports various modes for different purposes, and we can use the passive mode for passive enumeration.

Command: amass enum --passive -d edmodo.com

7. Certificate Transparency

Certificate Transparency (CT) is a project under which a Certificate Authority (CA) has to publish every SSL/TLS certificate they issue to a public log. An SSL/TLS certificate usually contains domain names, sub-domain names, and email addresses. This makes them a treasure trove of information for attackers.

Few sites which collect CT logs are listed below:

  1. https://crt.sh/
  2. https://censys.io/
  3. https://developers.facebook.com/tools/ct/

The disadvantage of using CT for subdomain enumeration is that there is a possibility that the domain names found in the logs may not exist anymore and thus can't be resolved to an IP address. So, you can use MassDNS in conjunction to resolve the domain names quickly!

8. Internet Archives

Internet Archives store large amounts of data starting from establishing a website. These archives crawl and index each website on the internet, gathering a tremendous amount of information. Some of the best archives are listed below:

  1. https://otx.alienvault.com/
  2. http://index.commoncrawl.org/
  3. http://web.archive.org/

Gauplus and waybackurls are two tools that make use of these archives and provide us with URLs, JS, and CSS endpoints. Ycan make use of any one of them to first gather endpoints and then pass them to unfurl for finding the domains.

Install the Gauplus using the following command:

GO111MODULE=on go get -u -v github.com/bp0lr/gauplus

Install Unfurl using the following commands:

wget https://github.com/tomnomnom/unfurl/releases/download/v0.0.1/unfurl-linux-amd64-0.0.1.tgz
tar xzf unfurl-linux-amd64-0.0.1.tgz
sudo mv unfurl /usr/bin/

Next, use Gauplus to gather information from the archives using the following command:

echo "domain.com" | gauplus > info.txt

Once you have the endpoints, all you need to do is pass the info.txt to Unfurl like the below command:

cat info.txt | unfurl domains

If unfurl finds any domains, then it will immediately list them out on your terminal. Internet archives, though, store a lot of information like JS, CSS, and error endpoints. They may not give you as many subdomains as the previous techniques.

Conclusion

Now you can use many passive subdomain enumeration techniques to find subdomains.Stay tuned to the writings, for more information check out our other posts below!

Let's Get Started

Book a time to chat about your security needs.
* Indicates a required field.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.