Subdomain enumeration is a crucial phase in cybersecurity, particularly during reconnaissance and vulnerability assessment processes.

1. SUBDOMAIN ENUMERATION
By,
MITHRAN

2. GETTING SUBDOMAINS FROM “https://bgp.he.net/”
The website can take:
 name of the company
 domain name
We can get following information from the site:
 ASN of the company
 The range of IP address that the company owns
 list of subdomains of the company
 nameservers of the company
 whois information
We have extracted these information from the site, out of which two nameservers are
important. Also, we can scan these IPs in the next step of pentesting to see which
ports are open.

3. Note: This website does not provide information about domains/subdomains that are
hosted in cloud platforms like amazon, etc. Since, out target is hosted in amazon, we
could not get much information about subdomains. Nevertheless, this is a good
starting points to gather information about a target.
GETTING SUBDOMAINS USING THE WEBSITE
“https://crt.sh”
The website can take:
 name of the company. Ex. “tsp”
 root domain of the company. Ex. “tsp.gov”
 Certificate fingerprint of the company, amongst others
In return, the site provides us with the following:
 various other root domains associated with the company
 subdomains of the company
The website returns the following information amongst many others, all of which
cannot be shown in the screenshot

4. As a pentester, we will need to gather these information in a text file. Here are the
steps to do all these in the command line.
The json file is of the json format:
jq is a json parser that is used to deal with json files. Above is the screenshot of first
element present in json array. We will need to parse this file and extract all the
subdomains of “tsp.gov” from it to a new file. I have created this basic command for
this purpose.
The above command parses the json_file.txt using the jq command. It extract all the
common_name from the array(here. common_name represent subdomain). From the
array of extracted subdomains, the grep command will search for all unique
subdomains of the target root domain (“.tst.gov”), and extract them to the
“final_subdomain” file.
This site has given us a total of “49” subdomains in a text file.

5. VIRUSTOTAL (https://www.virustotal.com/gui/)
Type in the domain name in the search bar in the search section
The subdomain are listed in the “RELATION” section
There is a copy bar at the right side as shown in the above image.Copy and paste it in
a file for further processing.

6. We can use the api provided by virustotal to get all the subdomains using command
line as shown. However, this will only give the sub-domain for the target domain, and
will not provide recursive subdomains. Try and come up with a solution of this to
automate the process.
Add the -o output.txt to save the information
Log into the site, and copy the api key provided in the key section into the avove
command. Also, replace the “{domain}” with the target domain.
Output of subdomains from the GUI of virustotal:
Virus total has given a total of 39 subdomains.

7. DNSDUMPSTER(https://dnsdumpster.com/)
The first thing to look at here is that it gives the information of IP owners in
histogram format.
Total number of subdomain found in this site is 5 as shown below:

8. SECURITYTRAILS (https://securitytrails.com/)
You will need to log into this site using your work email to gain access to all the
subdomains.
Subdomains can be seen here

9. Using api to gather subdomains
children_only=false means that even subdomain of subdomain will be returned.
include_inactive=true means that even those domains that has no dns information will
be returned.
This will give us an output in the form of json. Our goal is to create a file with only
subdomain names. The command below will help us do that.
jq will extract the subdomains from the json file. Here, subdomains are returned
without the domain part. Therefore, we use awk to add the remainder to the
subdomains and output the final_output file.
The final output file is of the following format:
Total number of subdomains found using this site:

10. SUBDOMAIN FINDER
(https://subdomainfinder.c99.nl/)
This site can be very useful as it provides a list of all the scans be dates. As a pentester,
we can make use of this facility to find the list of subdomain from earlier and can use
this step for domain takeover.
It can do may other interesting things as shown in the link https://api.c99.nl/
The GUI shows all the subdomains, but subdomains without IP cannot be copied from
the site.
We need to manually copy all the subdomain into a file. The site offers paid API.
Now, we need to convert this into a file containing only the domain names.

11. The final output is in the format given below:
Total number of subdomains gathered from this site are 65:
URLSCAN (https://urlscan.io/)
This site is mostly useful for gathering various other informations about the domain. It
also gives subdomains.

12. TURBOLISTER
This tool is the fork of “SUBLIST3R” which is used to find domain using both
scrapping techinique and bruteforce technique. We will use the scrapping technique to
find the subdomains which is run by default. This is an extension which provides
various other functionality to deal with the output.
Search Engine and Sites used by Sublist3r/Turbolist3r
 BaiduEnum
 YahooEnum
 GoogleEnum
 BingEnum
 AskEnum
 NetcraftEnum
 DNSdumpster
 Virustotal
 ThreatCrowd
 CrtSearch
 PassiveDNS
How does Sublist3r/Turbolist3r scrap for subdomains ?
 SEARCH ENGINE MODULE
This module automatically searches from a domain in the given search engine upto “n”
pages. From each page, it extracts unique urls, and processes it to find subdomains.
 SITE MODULE
This module extracts the subdomains as provided by the given site.
The tool can be downloaded from this github repository.

13. The tool requires three dependencies to run:
1) dnslib
2) requests
3) argparse
The three dependencies can be downloaded as shown in the screenshots below:
Running the tool:

14. The output of the tool is as shown:
Total number of subdomain given by this tool:
Note: There are better tools available in the market with better source of finding
domains. Do not use this tool.
ASSETFINDER
We will be using tomnomnom’s assetfinder which can be downloaded from the link
https://github.com/tomnomnom/assetfinder
What modules does the tool use?
 Virustotal
 urlscan.io
 crtsh
 certpotter (https://sslmate.com/certspotter/)
 bufferoverrun (https://dns.bufferover.run/dns) (not found on web)
 facebook api (https://graph.facebook.com/certificates?fields=domains)
 spyse (using both subdomain and subdomain endpoints)
 hackertarget (https://hackertarget.com/)
 threatcrowd
 web archeve (also called waybackmachine)
(https://archive.org/help/wayback_api.php)


15. INSTALLING THE TOOL
Running the tool:
Result given by the tool:
Total number of subdomains found:

16. AMASS
TYPES OF FUNCTIONALITY PROVIDED MY AMASS
 INTEL (for finding root domain and other high level information)
 ENUM (for finding subdomains)
1. DEFAULT (passive mode and active mode)
2. BRUTE
We can checkout all the api’s, certificates, etc using the command “amass enum -list”
There are various modules used in amass:
SETTING UP THE CONFIG FILE IN AMASS
Installing from the commandline
The binary shoud be present in $GOPATH/bin

17. Copy the content of config.ini file from
https://github.com/0xdekster/deksterecon/blob/master/amass-config.ini to the above
created file.
You will first have to create an API key for the third-party sites. Once the key is
created, open the config file and paste the api key to the respective site.

18. BRUTE FORCING THE SUBDOMAIN
TOOL:MASSDNS
tool: dnsvalidator (https://github.com/vortexau/dnsvalidator)
use dns validator to find dns resolvers before using bruteforce

19. REFERENCES
https://www.dionach.com/blog/how-to-use-owasp-amass-an-extensive-tutorial/
https://crt.sh/?q=tsp.gov
https://stackoverflow.com/questions/13778273/find-unique-lines
https://rashahacks.com/enumerate-root-domain-names/
https://www.youtube.com/watch?v=m9dhrq9iRHA&list=LL&index=1&t=356s
https://www.virustotal.com/gui/home/upload
https://dnsdumpster.com/
https://securitytrails.com/
https://docs.securitytrails.com/reference/domain-subdomains
https://subdomainfinder.c99.nl/
https://api.c99.nl/
https://urlscan.io/
https://hub.steampipe.io/plugins/turbot/urlscan/tables/urlscan_searchhttps://github.com/fleetcaptain/Tur
bolist3r/blob/master/turbolist3r.py#L737
https://github.com/aboul3la/Sublist3r/blob/master/sublist3r.py#L273
https://github.com/tomnomnom/assetfinder
https://www.geeksforgeeks.org/assetfinder-find-domains-and-subdomains-related-to-a-given-domain/
https://twitter.com/ofjaaah/status/1299017775545974785?lang=enhttps://graph.facebook.com/certificat
es?fields=domains
https://spyse-dev.readme.io/reference/quick-start
https://pentestlab.blog/2020/06/15/spyse-a-cyber-security-search-engine/
https://hackertarget.com/
https://www.threatcrowd.org/
https://archive.org/help/wayback_api.php
https://blog.intigriti.com/2021/06/08/hacker-tools-amass-hunting-for-subdomains/
https://www.youtube.com/watch?v=DbjVL-bqfl4
https://github.com/ykankaya/Amass-1/blob/master/examples/config.ini
https://hackerassociate.medium.com/amass-new-config-file-update-e95d09b6eb70
https://github.com/owasp-amass/amass/blob/master/examples/datasources.yaml
https://github.com/owasp-amass/amass