Commit 8185bd6f authored by bobloblaw's avatar bobloblaw

Updates finding_subdomains.md

Auto commit by GitBook Editor
parent a7a41793
+21 −30
# Finding subdomains
# Find Subdomains


Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means bigger possibility of success.
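Review bot: the renamed title `# Find Subdomains` is in title case while the section headings further down the same file (`### Being smart`, `### Online tools`) use sentence case, so the old `# Finding subdomains` actually matched the page better; if the rename stays, consider also folding the context fragment `Which means bigger possibility of success.` into the preceding sentence (`..., which means a bigger chance of success.`).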
@@ -6,34 +6,30 @@ Finding subdomains is fundamental. The more subdomains you find, the bigger atta
For now this seems to be a very comprehensive list of tools to find subdomains.
https://blog.bugcrowd.com/discovering-subdomains

This isn't really a science. Some tools find some stuff, other tools other stuff. So your best bet is to use a few of them together. Don't forget to brute-force recursively!
Some tools find some stuff, other tools other stuff. So your best bet is to use a few of them together. Don't forget to brute-force recursively!


### recon-ng

In order to find subdomains we can use the recon-ng framework. It has the same basic structure as metasploit. You can learn more about this tool in the tools-section.

```
```bash
recon-ng
```

```
use use recon/domains-hosts/
```

This will give you a vast amount of alternatives.
# This will give you a vast amount of alternatives.

```
show options
```

```
set source cnn.com
```


All these subdomains will be saved in **hosts**, which you can access though: **show hosts**
All these subdomains will be saved in `hosts`, which you can access though: `show hosts`

If some of these subdomains are not given IPs automatically you can just run

```
use recon/hosts-hosts/resolve
run
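Review bot: the context line `use use recon/domains-hosts/` still carries a doubled `use` and a trailing-slash module path that is not a complete module name, and the changed line `# This will give you a vast amount of alternatives.` sits outside any code fence, so the added `#` makes Markdown render it as a top-level heading rather than a shell comment; either keep it as plain prose or move it inside the preceding block as a comment. The `bash` tag added to the first fence is a good change, but the three fences that follow in this hunk (`use ...`, `show options`, `set source cnn.com`) are left untagged and would benefit from the same treatment. `access though: `show hosts`` should read `access through`.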
@@ -43,44 +39,38 @@ And it will resolve all the hosts in the hosts-file.


### Google Dorks

Using google we can also find subdomains.

This will only give us the subdomains of a site.

```
site:msn.com -site:www.msn.com
```
`site:msn.com -site:www.msn.com`

```
site:*.nextcloud.com
```
`site:*.nextcloud.com`

To exclude a specific subdomain you can do this:
```
site:*.nextcloud.com -site:help.nextcloud.com
```

`site:*.nextcloud.com -site:help.nextcloud.com`

### subbrute.py

The basic command is like this

```
./subbrute.py -p cnn.com
```
`./subbrute.py -p cnn.com`

https://github.com/TheRook/subbrute

### Knock

I haven't tested this yet.
https://github.com/guelfoweb/knock



### Being smart

You also have to look at what kind of system the target has. Some web-apps give their clients their own subdomains. Like github.

1. Check out the homepage
Check out the homepage
Often companies brag about their clients. You can use this to guess the subdomains of some clients.


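Review bot: dropping the `1. ` prefix from `Check out the homepage` leaves a bare line directly above `Often companies brag about their clients.`, so Markdown joins both into one paragraph and the step no longer stands out; keep the numbered item, or turn it into a `####` heading with a blank line after it. Converting the dork examples from fenced blocks to inline code is fine, but the third example (`site:*.nextcloud.com -site:help.nextcloud.com`) now has a blank line between its lead sentence and the code while the first two do not; pick one layout. Minor: `Like github.` should be `Like GitHub.`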
@@ -90,7 +80,7 @@ If you manage to figure out the IP range that the target owns (see section about

The text-file onlyIps.txt is a textfile with one IP-address on each line.

```bash
```
#!/bin/bash

while read p; do
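Review bot: this hunk removes the `bash` tag from the fence that opens with `#!/bin/bash`, while the earlier hunk in this same commit adds `bash` to the `recon-ng` block; keep the tag here so the script is highlighted consistently. While the loop is being touched, `while read p; do` should be `while read -r p; do` so that backslashes in onlyIps.txt are not interpreted by `read`.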
@@ -106,15 +96,19 @@ http://www.cyberciti.biz/faq/how-to-test-or-check-reverse-dns/
### Online tools

#### DNSDumpster

https://dnsdumpster.com/

#### Pentest-tools

https://pentest-tools.com/information-gathering/find-subdomains-of-domain

#### Intodns

http://www.intodns.com/

#### DNSStuff

This tool doesn't enumerate subdomains per se. But it hands of a lot of information about domains.
http://www.dnsstuff.com/

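Review bot: the blank lines inserted after the `####` headings match the spacing used elsewhere on the page, but the DNSStuff context line `it hands of a lot of information about domains` is still a typo and should read `hands out a lot of information` (or `offers a lot of information`); the two short sentences `This tool doesn't enumerate subdomains per se. But it ...` would also read better as one.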
@@ -140,8 +134,5 @@ SecList
https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS


References
## References
https://en.wikipedia.org/wiki/CNAME_record
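Review bot: `## References` is followed directly by the URL with no blank line, which is the very spacing this commit just fixed for the headings in the Online tools section; add one here too. The heading is also at `##` level while every section heading visible in the file (`### recon-ng` through `### Online tools`) is at `###`; if References is meant to be a peer of those sections it should use the same level.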