Enumerating subdomains

A basic noob level guide for enumerating subdomains. Bash commands are missing in the ppt!

Published in: Technology
Enumerating subdomains (slide transcript)

  1. Enumerating Subdomains
     Aadarsh

  2. What is this about?
     - Many a time it is a pain to figure out how the hell he found this URL to find the bug!
     - In professional security testing this phase is called Reconnaissance.
     - Getting as much additional information as possible about the target.

  3. What is DNS?
     - DNS stands for Domain Name System.
     - A database responsible for storing all of the information pertaining to IP addresses and domain names.
     - Backed up by thousands of separate DNS servers and stored on single root DNS servers.

  4. Lookup
     - The database previously mentioned is called the WHOIS database.
     - Give a domain name -> get an IP address (and, if possible, other details). This is a lookup.

  5. Reverse Lookup
     - A reverse DNS lookup is used to obtain the site registration information of that IP address (if there is any).
     - If we type 216.58.197.46 into a browser, we will be redirected to the site.
     - Well known stuff!

  6. (untitled)
     - Discovered hosts may be virtual web hosts on a single web server
     - (OR)
     - may be distinct hosts on separate IP addresses.

  7. Easy way!
     - Google Dorks!
     - site:google.com -inurl:www
     - These are already automated and there are tools for this. Example: recon-ng, a tool for reconnaissance.

  8. Subbrute
     - A Python script.
     - A sample result:
     - This brute-forces the prefix.

  9. nmap
     - nmap --script dns-brute --script-args dns-brute.domain=facebook.com,dns-brute.threads=6
     - nmap -p 80 --script dns-brute.nse facebook.com

  10. Other ways
     - Netcraft
     - Dnsrecon
     - DNSenum
     - dnscan

  11. On a different note
     - S3 bucket discovery: a recent finding of mine.
     - for url in $(cat list.txt); do curl "$url.s3.amazonaws.com"; done
     - 7 of Google's buckets were open.

  12. Thank you!
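As an added example that is not part of the deck: a small shell helper that turns the nmap dns-brute output from slide 9 into a per-IP report, which answers the slide 6 question of whether the discovered names are virtual hosts on one web server or distinct hosts. The sample output is constructed, and the function names are my own.

```shell
#!/usr/bin/env bash
# Post-process nmap dns-brute output (slide 9) and group the discovered
# names by IP address, so virtual hosts that share one web server can be
# told apart from distinct hosts (slide 6). Feed it real output with:
#   nmap --script dns-brute --script-args dns-brute.domain=example.com -oN scan.txt
#   vhost_report < scan.txt

# Constructed sample, modelled on the dns-brute output format; the
# names and addresses are made up for this example.
SAMPLE_NMAP_OUTPUT='Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.example.com - 198.51.100.10
|     mail.example.com - 198.51.100.20
|     blog.example.com - 198.51.100.10
|     dev.example.com - 198.51.100.10
|_    admin.example.com - 198.51.100.30'

# Read dns-brute output on stdin and print one "hostname ip" pair per
# line. Only lines shaped like "|  name - address" are kept; the script
# banner and any other nmap output are dropped.
parse_dns_brute() {
    sed -n 's/^|_\{0,1\} *\([A-Za-z0-9.-]*\) - \([0-9a-fA-F.:]*\)$/\1 \2/p'
}

# Read "hostname ip" pairs on stdin and print "ip count host1,host2,..."
# per address, most names first. Several names on one address usually
# means virtual hosts on a single server; one name per address points to
# distinct hosts.
group_by_ip() {
    awk '{ hosts[$2] = (hosts[$2] == "" ? $1 : hosts[$2] "," $1); n[$2]++ }
         END { for (ip in n) print ip, n[ip], hosts[ip] }' | sort -k2,2nr -k1,1
}

# Full pipeline: raw nmap output in, grouped report out.
vhost_report() {
    parse_dns_brute | group_by_ip
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | vhost_report
```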