SUBDOMAIN ENUMERATION

 Subdomain enumeration is the process of finding subdomains within a website. This can be achieved via brute force, open source intelligence (OSINT) or virtual hosts. This 0xffsec subdomain enumeration handbook may be of use

Some examples of effective OSINT for subdomain enumeration are:

OSINT - Certificate Transparency

SSL/TLS (Secure /Sockets Layer/Transport Layer Security) certificates are created for a domain by a CA (Certificate Authority). When these are made, the CA records the certificates in certificate transparency logs, which are publicly available. This can be used as part of a pen test by checking the logs for any subdomains that have been registered. Sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer databases that can be searched. 


The example below shows the logs for domain names added to https://tryhackme.com




Brute Force - Automated tools

There are many tools for automating the enumeration of subdomains. In the example below a tool called DNSrecon was used, however geobuster can be used with a DNS bruteforce option using  gobuster dns -t 30 -w [wordlist] -d [ip]


OSINT - automated tools.

There are also tools for automating enumeration in a passive manner. For example sublist3r as used in the example below.



Virtual Hosts

Some subdomains aren't hosted publicly, such as development versions of a web app or those for internal use only. Instead the DNS records could be kept on developer machines (at /etc/hosts for Linux users or  c:\windows\system32\drivers\etc\hosts for windows users) which map domain names to IP addresses.

Multiple websites can be hosted on a single server, so when a client requests a website from a server the server looks at the Host header in order to determine which website to send back to the client. A penetration tester can utilise this feature by using a tool such as ffuf with a wordlist of commonly used subdomain names to enumerate for hidden subdomains. 




Comments

Post a Comment

Popular posts from this blog

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address o...
Read more

PASSIVE AND ACTIVE RECONNAISSANCE

Image
In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target. Some Passive Reconnaissance tools we will explore: whois nslookup dig DNSDumpster Shodan.io Some Active Reconnaissance tools we will explore: ping traceroute telnet nc Passive Reconnaissance In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include: Looking up DNS records from a public DNS server Checking job ads related to the target website Reading news articles about the target company Visiting social media sites of the company or their employees Whois Whois is a request and response protocol that follows the  RFC 3192  specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for mainta...
Read more

CROSS-SITE SCRIPTING

Image
Cross-Site Scripting (XSS) is an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.  XSS Payloads In XSS the payload is the JavaScript code we wish to be executed on the targets machine. The payload is comprised of two parts, the intention and the modification. The intention is what the attacker intends the JavaScript to execute and the modification is the changes the attacker needs to do on the code to make it execute in each specific scenario.  Proof of Concept This is a simple payload in order to prove that an attacker can actually achieve XSS on a website: <script>alert('XSS');</script> Session Stealing Details of a users session, such as log in tokens are often kept in cookies on the targets machine. The below JavaScript takes the target's cookie, base64 encodes it to ensure successful transmission and then posts it to a website under the attackers control <script>fet...
Read more