Skip to content

Latest commit

 

History

History
98 lines (73 loc) · 5.85 KB

README.md

File metadata and controls

98 lines (73 loc) · 5.85 KB

Jesus's domains enumeration

Here is my cheat sheet of subdomain enumeration methods, collected on the Internet.

Table of Contents

Subdomain gathering. Passive recon

Subdomain bruteforcing

The key part of any successful bruteforcing is creating good wordlist:

Tools
  • Good Cheat Sheet about tools
  • Amass tool is the best choice for domains enumeration

Whichever tool you choose, it is important to configure it correctly. Every network area (the network from which you will start bruteforce) have the fastest DNS resolvers and here is tool to find them Also you need a list of public DNS servers
Warning: it could be illegal in some countries

Reverse DNS sweeping

Start with main domain here: BGP Toolkit and check every AS with reverse-dns-sweep tool

It could be usefull for big organizations, in common case you will find all mail servers.

Subdomain name alterations

Altdns - Python tool that could generate a lot of mutation of input domains list

Altdns also have dns resolver but it's very slow, so it will be better to generate list with altdns and resolve it with another tool (with massdns)

Amass has mutation module

Certificate search

An SSL/TLS certificate usually contains domain names, sub-domain names and email addresses. The simplest way to collect data from certificates is to connect to crt.sh through web (could be unstable), example

It's possible to connect to postgres database (example). In some cases it could be more stable and faster

External sources

Exists a lot of online sources with APIs that collect subdomains, and so many tools use them. Subfinder one of the best

Interesting APIs:

⏳ Collect SPF records

assets-from-spf

⏳ DNSSEC zone walking

nsec3map

⏳ Check of a given domain for known TLD values

dnsrecon

⏳ Brute-force most common SRV records for a given Domain

dnsrecon

Horizontal domain correlation

One of the helpful ways is to use BGP Toolkit by this way:

  1. Enter the main domain of the company.
  2. Go to the "IP Info" tab and copy the company name.
  3. Find all AS of company (also you can play with companies name).
  4. Try to find new domains in http://ipv4info.com/ or use Amass with AS number.

Domain validation

After subdomains collected it could be helpful to check it's validity. Bash script
Python tool for this: dnsvalidator

Next steps. Active recon

Gathering additional domains from web resources

  • Scan current domains and IPs for web resourses. Bash script
  • Create web urls from nmap XML file: nmap-parse-output
  • Extract new domains from HTML: second-order
  • Extract domain names from Content Security Policy(CSP) headers
  • VHost discovery: vhost-brute

Gathering additional domains from non web resources

  • Zone transfers: host -t axfr domain.name dns-server
  • Collect TXT-record for tokens and other things: Article
  • extract new URLs from APK: Diggy
  • ⏳ BGP
  • ⏳ SNMP

⏳ Monitoring new domains