How to enumerate subdomains

During a pentest of a web server it is useful to enumerate the target's domain for subdomains, so that every host in scope gets tested and nothing is overlooked.

To do this you can use the following main methods:

DNS zone transfer

A DNS zone transfer (the AXFR query) is the mechanism by which a secondary nameserver copies the complete set of records of a zone from the primary, so that every server authoritative for the zone holds the same data. It normally happens when the zone's serial number changes: the primary sends a NOTIFY and the secondaries pull a fresh copy.

A correctly configured nameserver only answers AXFR requests coming from its own secondaries. A server that answers anyone hands an attacker the whole zone in a single query: every hostname, its IP address, mail servers, and any internal names that were never meant to be public. That is why testing for an open zone transfer is the first thing to do.

The command I use in these cases is "dig". Let's see its basic functions:

dig domain.com NS

This command lists the authoritative nameservers for "domain.com". The result will be:

...
...
;; ANSWER SECTION:
domain.com.               3600    IN      NS      (nameserver).
...
...

The "nameserver" in the answer section is what we need for the next step (a domain usually has more than one; note all of them).

Now, to test the “DNS zone transfer”, we can use the following command:

dig @nameserver domain.com axfr

"axfr" is the query type that asks the nameserver for a full zone transfer. If the transfer is allowed, the result lists every record in the zone, including the subdomains with their IP addresses; if it is refused, dig prints "; Transfer failed." instead. Each nameserver has its own transfer policy, so repeat the query against every NS returned in the previous step, not just the first one.

...
...
domain.com.		86400	IN	A	IP_ADDRESS
admin.domain.com.	86400	IN	A	IP_ADDRESS
blog.domain.com.        86400	IN	A	IP_ADDRESS
...
...
...

Another useful command to test the DNS zone transfer is "nslookup":

nslookup -query=NS domain.com

to find the nameservers, and:

nslookup -query=axfr domain.com nameserver

to see if the DNS zone transfer is allowed by that nameserver.
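
As an added example (not part of the original post), the steps above combined into one POSIX shell script: it looks up the NS records, tries an AXFR against each nameserver separately, checks whether the answer really contains the zone (an SOA record) rather than a refusal, and prints the hostnames found. It assumes "dig" is installed; domain.com, ns1/ns2.domain.com and the record data in the sample output are constructed placeholders so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not the original post's code. Requires `dig` (dnsutils / bind-utils).
# Usage: ./axfr.sh domain.com      (without an argument it parses the constructed sample)

# Parse `dig ... axfr` output: skip ';' comment lines and blanks, keep resource
# records (field 3 is the class "IN"), print the owner name without the trailing
# dot, de-duplicated.
axfr_hosts() {
    awk '
        /^;/ || NF < 4 { next }            # comments, blank lines
        $3 == "IN" { sub(/\.$/, "", $1); print $1 }
    ' | sort -u
}

# A transfer only succeeded if the answer carries an SOA record; a refused
# transfer prints "; Transfer failed." and no records at all.
axfr_succeeded() {
    awk '$3 == "IN" && $4 == "SOA" { found = 1 } END { exit !found }'
}

# Authoritative nameservers of a domain, trailing dots stripped.
nameservers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Try AXFR against every nameserver: transfer ACLs are per server, so one
# refusing says nothing about the others.
try_axfr() {
    domain=$1
    for ns in $(nameservers "$domain"); do
        out=$(dig @"$ns" "$domain" axfr +time=5 +tries=1)
        if printf '%s\n' "$out" | axfr_succeeded; then
            echo "[+] $ns allows zone transfer for $domain"
            printf '%s\n' "$out" | axfr_hosts
        else
            echo "[-] $ns refused zone transfer for $domain"
        fi
    done
}

# Constructed sample of a successful transfer (placeholder names and addresses).
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> @ns1.domain.com domain.com axfr
;; global options: +cmd
domain.com.        86400  IN  SOA    ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 86400
domain.com.        86400  IN  NS     ns1.domain.com.
domain.com.        86400  IN  A      192.0.2.10
admin.domain.com.  86400  IN  A      192.0.2.11
blog.domain.com.   86400  IN  CNAME  domain.com.
blog.domain.com.   86400  IN  TXT    "v=spf1 -all"
domain.com.        86400  IN  SOA    ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 86400
;; Query time: 12 msec'

# Constructed sample of a refused transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns2.domain.com domain.com axfr
; Transfer failed.'

if [ -n "${1:-}" ]; then
    try_axfr "$1"                                  # live run against a real domain
else
    printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts      # offline demonstration of the parser
fi
```

The SOA check matters because dig exits with status 0 even when the server refuses the transfer, so testing the exit code alone would report every nameserver as open.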

Bruteforce subdomains

Another useful method is to brute force the subdomains from a wordlist. I use the "wfuzz" command to do this. Note that the command below sends every request to the same web server and only varies the Host header, so it discovers the virtual hosts that the web server knows about (including ones that have no public DNS record), rather than querying DNS:

wfuzz -w /WORDLIST_PATH/WORDLIST_FILE.TXT -u http://domain.com -H "Host:FUZZ.domain.com" --hw 9

Where:

  • -w = wordlist file
  • -u = URL
  • -H “Host:FUZZ.domain.com” = header, in which “FUZZ” is the location to test the wordlist file
  • --hw 9 = hide every response that has exactly 9 words. 9 is the word count of the page the server returns for a Host it does not know (find it with a first run without the filter, or by requesting a Host that cannot exist); what remains are the responses that differ from that default, i.e. the real virtual hosts
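
As an added example (not part of the original post), the same virtual-host brute force done with curl instead of wfuzz. It goes one step further than the command above: it fetches the page for a Host that cannot exist, takes its word count as the baseline (this is where the 9 in "--hw 9" comes from), and then reports every wordlist entry whose response differs. It assumes curl is installed; domain.com, the URL and the wordlist path are placeholders, and FETCH_FN is a hook I added so the fetch can be swapped for a fake during offline tests.

```shell
#!/bin/sh
# Added example, not the original post's code. Requires curl.
# Usage: ./vhosts.sh http://domain.com domain.com /path/to/wordlist.txt

# Fetch the response body for a given Host header.
# FETCH_FN can name another function with the same arguments (offline testing).
curl_fetch() {
    # $1 = target URL, $2 = Host header value
    curl -s -m 10 -H "Host: $2" "$1"
}

# Word count of a response body: the same metric wfuzz's --hw filters on.
word_count() {
    wc -w | tr -d ' '
}

# Baseline: the word count of the page served for a Host that cannot exist.
# This is the value you would pass to wfuzz as --hw.
baseline_words() {
    fetch=${FETCH_FN:-curl_fetch}
    "$fetch" "$1" "does-not-exist-$(date +%s).$2" | word_count
}

# Try every wordlist entry as "<word>.<domain>" and print the hosts whose
# response length differs from the baseline, together with their word count.
vhost_bruteforce() {
    url=$1; domain=$2; wordlist=$3
    fetch=${FETCH_FN:-curl_fetch}
    base=$(baseline_words "$url" "$domain")
    while IFS= read -r word; do
        [ -z "$word" ] && continue
        host="$word.$domain"
        words=$("$fetch" "$url" "$host" | word_count)
        if [ "$words" != "$base" ]; then
            echo "$host $words"
        fi
    done < "$wordlist"
}

if [ $# -eq 3 ]; then
    vhost_bruteforce "$1" "$2" "$3"
fi
```

A server whose default page contains dynamic content (a date, a request id) changes length on every request and makes the word count useless as a filter; in that case compare the HTTP status code or a fixed marker string instead, which is what wfuzz's --hc and --ss options do.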

Google Dorks

Google search allows you to use filters which, if used well, can be very useful.

In order to enumerate any subdomains the Google filter that can help us is “site:“.

Typing site:domain.com in the Google search box lists the indexed pages of "domain.com" and of every subdomain Google has crawled (only what is indexed appears; hosts that were never linked or that block crawlers will not show up):

site:domain.com

Or also:

site:*.domain.com

Because the main site usually dominates the results, it helps to exclude it (for example site:domain.com -site:www.domain.com) so the less obvious subdomains surface. Other search engines have their own equivalent filters, and each indexes slightly different pages, so it is worth querying more than one.

Conclusions

In conclusion, I have explained some of the main tools here; searching the web you will find countless others that do the same things.
