Subdomain Enumeration
▪ Before we start gathering subdomains for a site, let's first define what a subdomain is
▪ Suppose you have a site called example.com
▪ example.com is the domain (the apex or root domain)
▪ Anything beneath it, such as test.example.com, home.example.com, api.example.com or admin.example.com, is a subdomain
▪ Subdomains can be nested: staging.api.example.com is a subdomain of api.example.com, which matters later when a tool offers recursive enumeration
▪ Why gather subdomains?
▪ Every subdomain you find is another host, application or service in scope, so the attack surface grows with each one
▪ More subdomains does not automatically mean more vulnerabilities, but forgotten staging, admin and legacy hosts are often the weakest part of a target
▪ Not all subdomains of a target are hosted on the same IP address
▪ Subdomains are often spread across different IPs, cloud providers and third-party services
▪ We will see how to gather subdomains and how to use them in an assessment
▪ The first site we use is securitytrails.com
▪ It gives you a large number of subdomains for your target from its historical DNS data
▪ The second site is subdomainfinder.c99.nl
▪ The third site is https://shrewdeye.app/search
▪ Use all three sites, gather the subdomains from each, and save them together in one file; every source sees different data, so the union is larger than any single list
▪ We will also use command-line tools to gather subdomains of the target, starting with subfinder in a Linux terminal
▪ Install the tool with
▪ # apt install subfinder
▪ Always look up the tool and its current installation instructions; the package name and install method vary between distributions
▪ Once installed, you can gather subdomains with
▪ # subfinder -d mars.com -all -recursive
▪ It prints the subdomains of mars.com (the example domain used in these slides) that subfinder's passive sources know about; -all queries every configured source, and -recursive restricts the run to sources that can handle nested subdomains
▪ To make it more powerful, add API keys to subfinder: many sources return little or nothing without a key
▪ Open the file
▪ # ~/.config/subfinder/provider-config.yaml
▪ Register on the source sites (SecurityTrails, Shodan, VirusTotal, Censys and the others listed in the subfinder documentation) and put each key under its provider's name in that file
▪ The keys are credentials: keep the file readable only by your user and never commit it to a repository
▪ Once the API keys are in place, run the enumeration again and compare the number of results
▪ # subfinder -d mars.com -all -recursive
▪ The second tool is also a passive scanner: assetfinder
▪ # apt install assetfinder
▪ # echo "mars.com" | assetfinder --subs-only
▪ --subs-only keeps only subdomains of the given domain and drops the related domains assetfinder would otherwise print
▪ You now have five ways to get the subdomains of a domain: three websites and two tools
▪ Next we look at further techniques and how to reach hidden hosts
▪ Before the next part, let's first see how to host our own website on a Linux server
▪ First start Apache
▪ # service apache2 start
▪ Once Apache is running, the files it serves live in
▪ # cd /var/www/html
▪ Edit the file index.html
▪ Then open your site in the browser by entering
▪ localhost
▪ or 127.0.0.1
▪ But suppose I want my site to answer as hossamshady.com (or any other name)
▪ Here we use the hosts file, which tells the system that anyone asking for hossamshady.com should be sent to 127.0.0.1 (localhost)
▪ What is on 127.0.0.1? Your Apache site, so when I browse to hossamshady.com the request goes to Apache and my page is served
▪ This works only on the machine whose hosts file you edited; no other resolver knows the name
▪ The file where hossamshady.com can be mapped to 127.0.0.1 is
▪ # nano /etc/hosts
▪ Add the line (IP address first, then the hostname)
127.0.0.1 hossamshady.com
▪ Then save the file: CTRL+O => Enter => CTRL+X
▪ Now browse to hossamshady.com (or whatever name you chose) and you will see your site
▪ What happened: when I browse to hossamshady.com, Linux consults /etc/hosts before DNS and resolves the name to 127.0.0.1
▪ Note that the hosts file only handles name resolution; the "virtual host" is Apache's side of it, where the web server picks which site to serve from the Host header of the request (here the default site, since we have not configured a separate one)
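The slides stop at pointing a name to 127.0.0.1, which still serves Apache's default site. The script below is an added example, not part of the original lecture: it creates two name-based virtual hosts on the same address so that the same IP answers with a different page depending on the Host header, which is exactly the behaviour the fuzzing section later relies on. The site names, document roots, the Debian-style sites-available layout and the "setup" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): a name-based Apache virtual
# host. Two names on one IP (127.0.0.1) get two different sites, chosen by the
# Host header. Site names, paths and the "setup" argument are assumptions.
set -eu

# Write an Apache site config for NAME serving DOCROOT into CONF_DIR
# (normally /etc/apache2/sites-available; any writable dir works for a dry run).
write_vhost() {
  name="$1"; docroot="$2"; conf_dir="$3"
  cat > "$conf_dir/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
</VirtualHost>
EOF
  printf '%s\n' "$conf_dir/$name.conf"
}

# The /etc/hosts line the slides add by hand: IP first, then the hostname.
hosts_line() {
  printf '%s %s\n' "$1" "$2"
}

# Full setup; run as root on a Debian/Kali box with Apache installed.
setup_demo() {
  for site in hossamshady.com private.hossamshady.com; do
    mkdir -p "/var/www/$site"
    printf '<h1>%s</h1>\n' "$site" > "/var/www/$site/index.html"
    write_vhost "$site" "/var/www/$site" /etc/apache2/sites-available
    a2ensite "$site.conf"
    hosts_line 127.0.0.1 "$site" >> /etc/hosts
  done
  service apache2 reload
  # Same IP and port, different Host header, different page:
  curl -s -H 'Host: hossamshady.com' http://127.0.0.1/
  curl -s -H 'Host: private.hossamshady.com' http://127.0.0.1/
}

if [ "${1:-}" = "setup" ]; then
  setup_demo
fi
```

Run it as `sh vhost-demo.sh setup` as root. The two curl calls at the end make the point of the whole section: the server never looks at the IP you connected to, only at the Host header, so a site with no DNS record is invisible until you supply the right name yourself.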
▪ Now let's talk about virtual hosts in subdomain enumeration and how they lead you to hidden hosts
▪ A web server can serve many sites on one IP address and chooses between them by the Host header; companies often put internal or staging sites on such a server with no public DNS record, so only clients that already know the name (for example through the internal DNS) ever reach them
▪ We need a way to find and reach these sites
▪ We will use the virtual host fuzzing technique
▪ We fuzz the Host header against the server's IP to discover which names it answers to, and so find the hidden subdomain
▪ We will use a tool called ffuf; install it with
# apt install ffuf
▪ Let's see how to use it to find hidden subdomains
▪ First we need a wordlist of candidate subdomain names to guess from
▪ You can find one by searching for "subdomain wordlist"
▪ Or download the SecLists collection from
▪ https://github.com/danielmiessler/SecLists
▪ To download the wordlist from GitHub, click the Code button and copy the clone URL
▪ After copying the link, go to your terminal and run
# git clone https://github.com/danielmiessler/SecLists.git
▪ When it finishes you will find a directory called SecLists; the DNS wordlists are under SecLists/Discovery/DNS
▪ Once you have the wordlist, let's use ffuf to find hidden subdomains
▪ We will fuzz the practice site ffuf.me
▪ # ffuf -u http://ffuf.me -w SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ffuf.me"
▪ You will get a large number of false hits: the server answers every unknown Host name with the same default page, so every guess looks like a match
▪ Filter them with -fs 1495, which hides responses whose body is 1495 bytes, the size of that default page; the number is specific to ffuf.me at the time of the lecture, so measure it yourself (send a Host name that certainly does not exist and note the size ffuf reports) instead of copying it
▪ The final command is:
▪ # ffuf -u http://ffuf.me -w SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ffuf.me" -fs 1495
Subdomain Enumeration
▪ The final shape is :
▪ # ffuf -u http://ffuf.me -w SecLists/Discovery/DNS/subdomains-
top1million-110000.txt -H "Host: FUZZ.ffuf.me" -fs 1495
Subdomain Enumeration
▪ After a while you will see a hit called redhat, so the full subdomain is redhat.ffuf.me
▪ Let's browse to it in Firefox and see
▪ Observe that you cannot reach the site: the name has no public DNS record, so your browser cannot resolve it (the host is private to the company's own clients)
▪ What to do?
▪ First find the IP address of the domain ffuf.me
▪ Then add an entry in /etc/hosts mapping that IP to redhat.ffuf.me and try again
▪ To find the IP you can type
▪ # ping ffuf.me
▪ In the lecture the IP was 159.65.212.111 (check it yourself; it can change)
▪ Take that IP and open
# nano /etc/hosts
▪ Then add the line
159.65.212.111 redhat.ffuf.me
▪ Save the file, go back to Firefox and try
redhat.ffuf.me
▪ Now the name resolves to the server's IP, the browser sends Host: redhat.ffuf.me, and the server serves the hidden virtual host
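The procedure above hard-codes the -fs value and edits /etc/hosts by hand. The script below is an added example, not part of the original lecture: it measures the server's default-page size with a random Host name first, feeds that to ffuf, and then fetches the discovered host by pinning the name to the IP for a single request, so nothing on the system is modified. ffuf.me, redhat.ffuf.me and the wordlist path are the lecture's; the 12-character random label, the curl options, getent for resolution and the "run" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): Host-header fuzzing with a
# measured baseline instead of the hard-coded -fs 1495, and reaching the
# discovered host without touching /etc/hosts. ffuf.me, redhat.ffuf.me and the
# wordlist path come from the lecture; the label length, curl options and the
# "run" argument are this example's assumptions.
set -eu

# A label that is certainly not a real vhost, used to measure the default page.
random_label() {
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 12
}

# Body size in bytes the server returns for an unknown Host name.
baseline_size() {
  url="$1"; domain="$2"
  curl -s -o /dev/null -w '%{size_download}' \
       -H "Host: $(random_label).$domain" "$url"
}

# Fuzz the Host header and hide every response of the baseline size.
vhost_fuzz() {
  url="$1"; domain="$2"; wordlist="$3"
  fs=$(baseline_size "$url" "$domain")
  if [ "${fs:-0}" -eq 0 ]; then
    # curl prints 0 when the request fails; -fs 0 would filter nothing.
    echo "could not fetch a baseline from $url; is it reachable?" >&2
    return 1
  fi
  ffuf -u "$url" -w "$wordlist" -H "Host: FUZZ.$domain" -fs "$fs"
}

# Pin HOST to IP for this request only: same effect as the /etc/hosts line,
# but nothing on the system changes and it works inside scripts.
fetch_vhost() {
  host="$1"; ip="$2"
  curl -s --resolve "$host:80:$ip" "http://$host/"
}

# First IPv4 address of a name via the system resolver (no ICMP needed,
# which matters on targets that drop ping).
resolve_ip() {
  getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

if [ "${1:-}" = "run" ]; then
  # usage: sh vhost-fuzz.sh run
  vhost_fuzz http://ffuf.me ffuf.me \
      SecLists/Discovery/DNS/subdomains-top1million-110000.txt
  fetch_vhost redhat.ffuf.me "$(resolve_ip ffuf.me)" | head -n 20
fi
```

If a server varies its default page (a timestamp or a nonce in the body), a size filter alone leaks false hits; in that case compare ffuf's -fw (word count) or -fl (line count) columns, or run the baseline request twice and check that the sizes agree before trusting it.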
▪ Let's move to bigger companies and see how to gather domain names for a CIDR (a range of IP addresses)
▪ We can use a tool called amass to find the domain names hosted in a CIDR
▪ # apt install amass
▪ Or
▪ # go install -v github.com/owasp-amass/amass/v4/...@master
▪ # cp ~/go/bin/amass /usr/local/bin
▪ Use the command
▪ # amass intel -active -cidr 159.69.129.82/32
▪ It reports the domain names found in that range; a /32 is a single address, so widen the mask to cover the company's whole block. With -active, amass connects to the hosts and pulls names from their TLS certificates, which is not passive and will appear in the target's logs
▪ What if you want the company's ASN and to gather domain names by ASN?
▪ # amass intel -org "Tesla"
▪ It lists the ASNs whose description matches the name; you can also look up the company's ASN online
▪ Once you have the ASN:
▪ # amass intel -active -asn 394161
▪ With that you know how to gather domain names from a CIDR and an ASN
▪ Let's see how to arrange these subdomains in a file and what to do next
▪ First remove everything that is not a subdomain: spaces, IP addresses, counts and the other columns the sites and tools print
▪ Use a text editor such as Visual Studio Code to filter the list
▪ Remove everything except the hostnames
▪ A regular expression helps here: a hostname consists only of letters, digits, hyphens and dots, so a pattern for that picks the names out of mixed output
▪ Then collect all subdomains into one file in the terminal
▪ # nano file.txt
▪ Paste all the subdomains and save
▪ Then remove duplicate entries
▪ # cat file.txt | anew
▪ anew prints each line only once; given a file name (anew subs.txt) it appends only the lines not already in that file, which is handy for adding new results to an existing list. sort -u does the same one-off deduplication without installing anything
▪ Save the deduplicated output to a new file (subs.txt)
▪ Then use httpx to see which subdomains actually serve a web site
▪ # cat subs.txt | httpx
▪ This is ProjectDiscovery's httpx (on Kali the package and binary are called httpx-toolkit, because httpx there is a different Python tool); it probes each name over HTTP and HTTPS and prints the ones that respond
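The cleaning and deduplication steps above, and the earlier instruction to merge the website results with the subfinder and assetfinder output, can be done in one pipeline instead of by hand in an editor. The script below is an added example, not part of the original lecture: normalize_subs turns mixed output (URLs, wildcards, CSV rows, trailing dots, mixed case) into one clean, in-scope hostname per line, and collect_subs runs the two tools from the slides, merges in a saved website list and probes the result. The sample input is constructed; the root domain, sites.txt, subs.txt and the "run" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): merge subdomain lists from
# several sources, keep only real hostnames under the target, and deduplicate
# without hand-editing. Tool names are the lecture's; the root domain and
# file names are assumptions.
set -eu

# Read mixed output on stdin (site exports, tool output, pasted tables) and
# print one clean, in-scope hostname per line, sorted and deduplicated.
normalize_subs() {
  root="$1"
  root_re=$(printf '%s' "$root" | sed 's/\./\\./g')   # escape dots for grep
  tr 'A-Z' 'a-z' |
    sed -e 's#^[a-z]*://##' -e 's#/.*$##' -e 's/:[0-9]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |                   # scheme, path, port, *., trailing dot
    grep -oE '([a-z0-9-]+\.)+[a-z0-9-]+' |               # pull hostname-shaped tokens
    grep -E "(^|\.)$root_re\$" |                         # keep only the target's domain
    sort -u
}

# Passive collection with the two tools from the slides, merged with any list
# saved from the websites (sites.txt), then normalized. Missing tools are skipped.
collect_subs() {
  root="$1"; sites="${2:-sites.txt}"
  {
    command -v subfinder   >/dev/null && subfinder -d "$root" -all -silent
    command -v assetfinder >/dev/null && assetfinder --subs-only "$root"
    [ -f "$sites" ] && cat "$sites"
    true
  } | normalize_subs "$root"
}

if [ "${1:-}" = "run" ]; then
  # usage: sh collect.sh run mars.com   -> writes subs.txt, then probes live hosts
  collect_subs "$2" | tee subs.txt | httpx -silent
fi
```

The in-scope filter is the part worth keeping even if you prefer an editor: without it, lookalike domains such as notmars.com and the IP addresses in CSV exports slip into the list and end up being probed, which is both noise and, for a bug bounty, out of scope.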
▪ In the coming lecture we will go further into exploitation and what to do with these results
▪ Visit:
▪ https://hossamshady.medium.com/best-recon-methodology-b0e78c9dfd57
▪ Questions