During a pentest of a web server it is certainly useful to enumerate the victim’s domain and see whether it has any subdomains, so that the whole attack surface gets tested.
To do this you can use the following main methods:
— DNS zone transfer —
With this method it is possible to take advantage of the “DNS zone transfer”, which in simple terms is the exchange of records between the DNS servers responsible for a specific zone. This exchange occurs whenever the zone’s record database changes.
It is therefore easy to understand that, for an attacker, an open “DNS zone transfer” is an excellent weapon to obtain invaluable information about the victim.
The command I use in these cases is “dig”. Let’s see its basic functions:
dig domain.com NS
This command lists the authoritative nameservers for “domain.com”. The result will be:
... ...
;; ANSWER SECTION:
domain.com. 3600 IN NS (nameserver).
... ...
The “nameserver” value is what we need for the next step of the enumeration.
Now, to test the “DNS zone transfer”, we can use the following command:
dig @nameserver domain.com axfr
“axfr” is the query type we send to the “nameserver” to request a full “DNS zone transfer”. If the transfer is allowed, the result lists the zone’s records, so we see the subdomains with their IP addresses:
... ...
domain.com. 86400 IN A IP_ADDRESS
admin.domain.com. 86400 IN A IP_ADDRESS
blog.domain.com. 86400 IN A IP_ADDRESS
... ... ...
Another useful command to test for “DNS zone transfer” is “nslookup”:
nslookup -query=NS domain.com
This finds the nameserver. Then:
nslookup -query=axfr domain.com nameserver
This shows whether “DNS zone transfer” is enabled.
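To make sense of what a zone transfer hands out, the following script parses the output of “dig @nameserver domain.com axfr” and reports whether the transfer was allowed and which hostnames (with their addresses or targets) it exposed. This is an added example, not code from the original post or from dig; the two dig outputs embedded in it are constructed samples for the made-up zone example.test, and the record-line layout it assumes is dig’s default “owner TTL IN TYPE rdata” format.

```python
"""Parse the output of `dig @nameserver domain.com axfr` and report what an
allowed zone transfer exposes.  Added example, not code from the original post;
both dig outputs below are constructed samples for the made-up zone example.test."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, lower-cased, without the trailing dot
    ttl: int
    rtype: str   # A, AAAA, NS, CNAME, SOA, ...
    rdata: str   # the rest of the line, left unparsed


# dig prints one record per line:  owner  TTL  IN  TYPE  rdata  (tab or space separated)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Constructed sample: a nameserver that answers the AXFR (the zone is bracketed by two SOAs).
ALLOWED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
example.test.\t\t86400\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 86400
example.test.\t\t86400\tIN\tNS\tns1.example.test.
example.test.\t\t86400\tIN\tA\t192.0.2.10
admin.example.test.\t86400\tIN\tA\t192.0.2.11
blog.example.test.\t86400\tIN\tA\t192.0.2.12
www.example.test.\t86400\tIN\tCNAME\texample.test.
example.test.\t\t86400\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 86400
;; Query time: 3 msec
;; SERVER: 192.0.2.53#53(ns1.example.test) (TCP)
;; XFR size: 7 records (messages 1, bytes 220)
"""

# Constructed sample: a nameserver that refuses the AXFR.
REFUSED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""


def parse_zone_records(dig_output: str) -> list[Record]:
    """Return the resource records in dig output, skipping blank and ';' comment lines."""
    records: list[Record] = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def transfer_allowed(dig_output: str) -> bool:
    """A refused AXFR prints '; Transfer failed.'; an allowed one returns the whole
    zone, which starts and ends with the SOA record."""
    if "Transfer failed" in dig_output:
        return False
    soa = [r for r in parse_zone_records(dig_output) if r.rtype == "SOA"]
    return len(soa) >= 2


def exposed_hosts(dig_output: str, domain: str) -> dict[str, list[str]]:
    """Map every hostname under `domain` that the transfer revealed to its
    A/AAAA addresses or CNAME target.  Hosts named only as an NS or CNAME
    target get an entry with an empty list, so nothing in the zone is missed."""
    domain = domain.rstrip(".").lower()

    def in_zone(name: str) -> bool:
        return name == domain or name.endswith("." + domain)

    hosts: dict[str, list[str]] = {}
    for r in parse_zone_records(dig_output):
        if not in_zone(r.name):
            continue
        hosts.setdefault(r.name, [])
        if r.rtype in ("A", "AAAA"):
            hosts[r.name].append(r.rdata)
        elif r.rtype in ("CNAME", "NS"):
            target = r.rdata.rstrip(".").lower()
            if r.rtype == "CNAME":
                hosts[r.name].append(target)
            if in_zone(target):
                hosts.setdefault(target, [])
    return {name: sorted(values) for name, values in hosts.items()}


if __name__ == "__main__":
    for label, output in (("allowed", ALLOWED_OUTPUT), ("refused", REFUSED_OUTPUT)):
        print(f"{label}: transfer_allowed={transfer_allowed(output)}")
        for host, values in sorted(exposed_hosts(output, "example.test").items()):
            print(f"  {host:<20} {', '.join(values) or '(no address record)'}")
```

Running the script against output saved from your own nameservers is a quick way to confirm that AXFR is refused to unauthorised clients; if transfer_allowed reports True, the exposed_hosts listing is exactly the inventory an outsider would obtain.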
— Bruteforce subdomains —
Another useful method to enumerate subdomains is to brute-force them from a wordlist. I use the “wfuzz” command to do this:
wfuzz -w /WORDLIST_PATH/WORDLIST_FILE.TXT -u http://domain.com -H "Host:FUZZ.domain.com" --hw 9
- -w = wordlist file
- -u = URL
- -H “Host:FUZZ.domain.com” = header, in which “FUZZ” is the position where each word from the wordlist is inserted
- --hw 9 = hides responses whose body has 9 words (here the response the server gives for a host it does not know), so that the execution does not show every attempt but only those with positive results
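The number after --hw is simply the word count of the response the server gives for a hostname that does not exist, so the filter only works when that default response is stable. The following script reproduces that filtering logic over constructed responses, including the case where the default page is not stable and a fixed --hw value would give wrong results. This is an added example, not wfuzz’s own code; the hostnames, status codes and response bodies are made up, and it assumes wfuzz’s “words” count is the number of whitespace-separated tokens in the body.

```python
"""Reproduce the response filtering behind `wfuzz ... --hw 9` over constructed
responses, to show what the number after --hw means and when the filter can
mislead you.  Added example, not wfuzz's own code; hosts and bodies are made up."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    host: str      # value that was sent in the Host: header
    status: int
    body: str

    @property
    def words(self) -> int:
        # wfuzz's "words" column is assumed to be the whitespace-separated token count of the body
        return len(self.body.split())


# Body the server returns for any Host it does not know (the default vhost): 9 words.
DEFAULT_BODY = ("<html><body><h1>It works!</h1><p>Nothing much to see here on this "
                "host.</p></body></html>")

# Probes for hostnames that certainly do not exist establish the baseline.
PROBES = [
    Response("zzz-does-not-exist.domain.com", 200, DEFAULT_BODY),
    Response("qqq-random-probe.domain.com", 200, DEFAULT_BODY),
]

# Same probes against a server whose default page varies (e.g. embeds a timestamp).
UNSTABLE_PROBES = [
    Response("zzz-does-not-exist.domain.com", 200, DEFAULT_BODY),
    Response("qqq-random-probe.domain.com", 200, DEFAULT_BODY + " <!-- served at 12:00:01 -->"),
]

# Responses for wordlist candidates: two real virtual hosts, two that fall back to the default.
CANDIDATES = [
    Response("www.domain.com", 200,
             "<html><body><h1>Corporate site</h1><p>Welcome to our products and services page.</p></body></html>"),
    Response("admin.domain.com", 401, "<html><body>Authorization Required</body></html>"),
    Response("mail.domain.com", 200, DEFAULT_BODY),
    Response("ftp.domain.com", 200, DEFAULT_BODY),
]


def baseline_word_count(probes: list[Response]) -> int | None:
    """Word count shared by the probes for non-existent hostnames, i.e. the value
    to pass to --hw.  Returns None when the probes disagree: the default page is
    not stable, and a fixed --hw value would hide or reveal the wrong responses."""
    counts = {p.words for p in probes}
    return counts.pop() if len(counts) == 1 else None


def hide_by_words(responses: list[Response], hidden: int) -> list[Response]:
    """What --hw N does: drop every response whose body has exactly N words."""
    return [r for r in responses if r.words != hidden]


def find_vhosts(candidates: list[Response], probes: list[Response]) -> list[str] | None:
    """Hostnames whose response differs from the default vhost, or None when no
    usable baseline exists and the word-count filter should not be trusted."""
    hidden = baseline_word_count(probes)
    if hidden is None:
        return None
    return sorted(r.host for r in hide_by_words(candidates, hidden))


if __name__ == "__main__":
    print("baseline words:", baseline_word_count(PROBES))
    print("vhosts found  :", find_vhosts(CANDIDATES, PROBES))
    print("unstable page :", find_vhosts(CANDIDATES, UNSTABLE_PROBES))
```

The practical lesson for whoever runs or reviews such a scan: probe a couple of random hostnames first, and if their word counts differ, filter on another property (status code or response length) or compare bodies directly, because --hw with a single number will silently produce false negatives or a flood of false positives.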
— Google Dorks —
Google search allows you to use filters which, if used well, can be very useful.
In order to enumerate subdomains, the Google filter that helps us is “site:”.
Typing site:domain.com in the Google search box will reveal all the subdomains of domain.com that Google knows about.
Other search engines also have their own filters that do the same thing.
In conclusion, here I have explained some of the main tools, but searching the web you will find countless others that do the same things.