Deep Recon Technique: Find New Apex Domains for Bug Bounty Targets


In bug bounty programs whose scope covers every internet-facing asset the organisation owns, the domain you are handed is rarely the only one. Finding the other apex domains (the registrable domains such as example.net or example.co.uk, as opposed to subdomains of example.com) enlarges the attack surface you are allowed to test and surfaces forgotten properties that have had far less scrutiny. The tools below do two different jobs: some discover sibling apex domains, most enumerate subdomains under a domain you already know. Keep the distinction in mind when reading their output, and confirm that any newly found domain is actually owned by the target and inside the program's scope before touching it.

You Should Know:

1. Using `amass` for Domain Enumeration:

amass enum -d example.com -config config.ini

`amass enum` enumerates subdomains of example.com from passive sources (certificate transparency, DNS datasets, search APIs) and, if allowed, active DNS. It does not by itself discover other apex domains; for that amass provides the `intel` subcommand, e.g. `amass intel -org "Example Corp"` to search by organisation name or `amass intel -whois -d example.com` for reverse WHOIS. The `-config` flag points at a configuration file holding API keys and other settings (INI format in amass v3, YAML in v4). The more data-source keys you configure, the more complete the results.

2. Enumerating Subdomains with `sublist3r`:

sublist3r -d example.com -o output.txt

`sublist3r` is a Python tool that enumerates subdomains of a single domain using search engines and public datasets. It does not find related apex domains, so use it to flesh out subdomains under each apex you have already discovered. The `-o` flag saves the results to output.txt.

3. Using DNSDumpster for Reconnaissance:

dnsdumpster -d example.com

DNSDumpster (dnsdumpster.com) is a free web-based domain research service that returns DNS records, subdomains and hosting information for a domain. There is no official command-line client; the command above assumes one of the third-party wrappers around the site, and the same data can be obtained by querying the web interface directly.

4. Harvesting Domains with `assetfinder`:

assetfinder --subs-only example.com

`assetfinder` collects domains and subdomains related to a target from sources such as certificate transparency logs. Without any flag it also returns related domains that are not subdomains of example.com, which is exactly what you want when hunting for sibling apex domains. The `--subs-only` flag restricts output to subdomains of the given domain, so drop it for apex discovery and use it only when you want subdomains of a known apex.

5. Combining Tools for Comprehensive Recon:

( amass enum -d example.com; assetfinder example.com ) | sort -u > domains.txt

This runs `amass` and `assetfinder` in sequence, merges their output, and sorts it with duplicates removed. Note that the tools must be combined with a subshell (or `cat` over two output files) rather than piped into one another: `assetfinder` takes its target as an argument and ignores standard input, so piping `amass` output into it would silently discard the `amass` results.

6. Verifying Live Domains with `httprobe`:

cat domains.txt | httprobe -c 50

`httprobe` reads hostnames from standard input and tries both `http://` and `https://` for each, printing the URLs that answer. The `-c` flag sets the number of concurrent connections. A host answering on HTTP is not proof that it belongs to the target; verify ownership (WHOIS, certificate subject, content) before testing anything on a newly found apex domain.

7. Using `massdns` for DNS Resolution:

massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt

`massdns` resolves the hostnames in domains.txt at high speed using the resolvers listed in resolvers.txt (`-r`). `-t A` requests A records and `-o S` selects the simple output format, one `name. type value` record per line. Use a curated list of trusted public resolvers rather than random ones, and watch for wildcard DNS, which makes every name under a zone appear to resolve.

8. Extracting Resolving Hostnames with `awk`:

cat resolved.txt | awk '{print $1}' | sed 's/.$//' | sort -u > apex_domains.txt

This takes the first field of each massdns record (the name, which massdns prints with a trailing dot), strips that trailing dot, and deduplicates. The result is the list of hostnames that actually resolved, not a list of apex domains: `www.example.com` stays as is. To reduce hostnames to their apex domain you need to collapse each name to its registrable suffix, which requires knowing which suffixes (such as `co.uk`) are public; the Public Suffix List is the reference for that.
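The following shell script, added here as an illustration rather than taken from the original post, carries steps 7 and 8 through to actual apex domains: it parses massdns simple-format output, deduplicates the resolving hostnames, and collapses each one to its registrable domain using a small embedded subset of the Public Suffix List. The massdns lines and the suffix list are constructed sample data; a real run should feed it `resolved.txt` and the full Public Suffix List.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: turn massdns "-o S" output
# into a deduplicated list of resolving hostnames and of apex domains.
set -eu
export LC_ALL=C   # byte-wise sort order, so results are stable across locales

# Constructed sample of massdns "-o S" output ("<name>. <type> <value>").
SAMPLE_MASSDNS='www.example.com. A 93.184.216.34
example.com. A 93.184.216.34
api.example.com. CNAME edge.example.net.
edge.example.net. A 203.0.113.10
shop.example.co.uk. A 198.51.100.7
www.example.com. A 93.184.216.34'

# Constructed subset of the Public Suffix List (https://publicsuffix.org).
# Names directly under these are apex domains; "co.uk" itself is not one.
MULTI_LABEL_SUFFIXES='co.uk
org.uk
com.au
co.jp'

# hostnames_from_massdns: read massdns simple output on stdin, keep the
# name field, strip its trailing dot, and deduplicate.
hostnames_from_massdns() {
  awk '{ sub(/\.$/, "", $1); print $1 }' | sort -u
}

# apex_of <hostname>: print the registrable domain. Uses the last two
# labels, or the last three when the last two form a known public suffix.
apex_of() {
  host="${1%.}"   # tolerate a trailing dot
  n=$(printf '%s\n' "$host" | awk -F. '{ print NF }')
  if [ "$n" -le 2 ]; then
    printf '%s\n' "$host"
    return
  fi
  last2=$(printf '%s\n' "$host" | awk -F. '{ print $(NF-1) "." $NF }')
  if printf '%s\n' "$MULTI_LABEL_SUFFIXES" | grep -qxF "$last2"; then
    printf '%s\n' "$host" | awk -F. '{ print $(NF-2) "." $(NF-1) "." $NF }'
  else
    printf '%s\n' "$last2"
  fi
}

# apex_domains_from_massdns: stdin massdns output -> unique apex domains.
apex_domains_from_massdns() {
  hostnames_from_massdns | while IFS= read -r host; do
    apex_of "$host"
  done | sort -u
}

# Stand-alone demo on the constructed sample:
#   ./apex.sh --demo        (or: massdns ... | ./apex.sh)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_MASSDNS" | apex_domains_from_massdns
fi
```

On the sample data this yields `example.co.uk`, `example.com` and `example.net`; the CNAME target `edge.example.net` is the kind of sibling apex domain this whole technique is after, and it only appears because the resolution step was kept rather than just the seed list.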

What Undercode Says:

Deep reconnaissance is a critical step in bug bounty hunting, especially in programs that put all internet-facing assets in scope. Sources that return related domains, such as `amass intel` and `assetfinder` without `--subs-only`, are what surface sibling apex domains; `amass enum`, `sublist3r` and DNSDumpster then enumerate the subdomains under each apex you confirm. Resolving the results with `massdns` and probing them with `httprobe` turns the raw list into assets you can actually reach. Always confirm that a newly found domain belongs to the target and respect the scope and rules of the bug bounty program you are participating in.

For further reading, visit Infosec Writeups to explore more advanced techniques and tools in the field of cybersecurity.

References:

Reported by: Abhirup Konwar (Hackers Feeds)
