2025-02-07
Subdomain enumeration is a critical step in bug hunting and reconnaissance. It helps identify potential attack surfaces and uncover hidden or forgotten digital assets. This guide provides a step-by-step approach to subdomain enumeration using DNS bruteforcing and tools like Subfinder, AlterX, DNSx, PureDNS, and HTTPX. The process is designed to maximize efficiency and accuracy, ensuring you uncover as many subdomains as possible.
Step 1: Subdomain Enumeration Using DNS Bruteforcing
1. Subfinder: Begin by running Subfinder to gather initial subdomains from passive sources.
subfinder -d example.com -o subfinder.txt
This command queries passive sources for the target domain (example.com) and writes the results to subfinder.txt.
2. AlterX and DNSx: Use AlterX to generate permutations of the known subdomains and DNSx to resolve them.
cat subfinder.txt | alterx | dnsx -t 1000 | tee brute-subs.txt
This step ensures you capture subdomains that might not be listed in public databases.
3. PureDNS: Resolve the generated subdomains using PureDNS.
puredns resolve brute-subs.txt --threads 250 --resolvers resolvers.txt --resolvers-trusted trusted.txt --rate-limit 1000 | tee final-subs.txt
PureDNS re-resolves the candidates against trusted resolvers and discards wildcard and invalid answers, which removes the false positives the bruteforce stage produces.
4. Combine and Sort: Merge the results from Subfinder and PureDNS, then sort them for uniqueness.
cat subfinder.txt final-subs.txt | sort -u > all-subs.txt
5. HTTPX: Identify live subdomains by checking for active HTTP/HTTPS services.
cat all-subs.txt | httpx -o live-subs.txt
This step filters out inactive subdomains, leaving you with a list of live targets.
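A small POSIX shell helper for the combine-and-sort step above, added here as an example and not part of the original guide: it lowercases names and strips trailing dots and stray whitespace before deduplicating (so the same host is not kept twice), and it drops any name that is not under the apex domain you are authorized to test, so an unrelated domain that merely contains the target string cannot slip into the scanner feed. The file layout and the sample lines in demo are constructed, not real tool output.

```shell
#!/bin/sh
# merge_subs: normalize several subdomain lists, keep only names under the
# given apex domain, and print them sorted and deduplicated.
# Usage: merge_subs <apex> <file>...   e.g. merge_subs example.com subfinder.txt final-subs.txt
#
# Pipeline: lowercase (DNS is case-insensitive); strip whitespace/CR and a trailing
# dot; drop blank lines and anything that is not a bare hostname (URLs, comments);
# keep only the apex itself or names ending in ".<apex>" (a plain grep for the apex
# would also accept evilexample.com or example.com.evil.net); sort uniquely.
merge_subs() {
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  shift
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' \
    | grep -E '^[a-z0-9._-]+$' \
    | awk -v apex="$apex" '$0 == apex || substr($0, length($0) - length(apex)) == "." apex' \
    | LC_ALL=C sort -u
}

# demo: run merge_subs over constructed sample files (hypothetical, not real scan output).
demo() {
  tmp=$(mktemp -d)
  # Constructed: shape of subfinder.txt, one hostname per line, mixed case.
  printf 'www.example.com\nAPI.example.com\nexample.com\n' > "$tmp/subfinder.txt"
  # Constructed: shape of final-subs.txt with a trailing-dot duplicate, a CRLF line,
  # a blank line, and two out-of-scope names that contain the apex as a substring.
  printf 'api.example.com.\nwww.example.com\r\n\nevilexample.com\nexample.com.evil.net\n' > "$tmp/final-subs.txt"
  merge_subs example.com "$tmp/subfinder.txt" "$tmp/final-subs.txt"
  rm -rf "$tmp"
}

# Run `sh merge_subs.sh demo` to see the merged, in-scope list.
case "${1:-}" in demo) demo ;; esac
```

Drop the output of merge_subs into all-subs.txt in place of the plain sort -u line and the rest of the workflow is unchanged.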
Step 2: Feeding Subdomains to Acunetix
Once you have the list of live subdomains, you can feed them into Acunetix or any other vulnerability scanner for further analysis. This step helps identify potential vulnerabilities like XSS, SQLi, or misconfigurations.
What Undercode Says
Subdomain enumeration is a foundational skill in cybersecurity, especially for bug hunters and red teamers. By leveraging tools like Subfinder, AlterX, DNSx, PureDNS, and HTTPX, you can efficiently uncover hidden subdomains and map the target's full attack surface. Below are additional Linux commands and techniques to enhance your reconnaissance process:
1. MassDNS: A high-performance DNS stub resolver for bulk lookups.
massdns -r resolvers.txt -t A -o S -w massdns-output.txt all-subs.txt
2. Amass: A comprehensive tool for in-depth DNS enumeration.
amass enum -d example.com -o amass-output.txt
3. AssetFinder: Discover domains and subdomains related to a target.
assetfinder --subs-only example.com > assetfinder-output.txt
4. Gobuster: Bruteforce subdomains using a wordlist.
gobuster dns -d example.com -w wordlist.txt -o gobuster-output.txt
5. Censys: Use the Censys API to discover subdomains and services.
censys search 'parsed.names: example.com' --index-type hosts --fields parsed.names
6. Shodan: Identify subdomains and services using the Shodan CLI.
shodan domain example.com
7. Crt.sh: Query certificate transparency logs for subdomains.
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
8. Sublist3r: A fast subdomain enumeration tool.
sublist3r -d example.com -o sublist3r-output.txt
9. DNSRecon: Perform DNS reconnaissance and zone transfers.
dnsrecon -d example.com -t std -j dnsrecon-output.json
10. Httprobe: Check for live HTTP/HTTPS services.
cat all-subs.txt | httprobe -c 50 -t 3000 > live-subs.txt
By combining these tools and techniques, you can build a robust subdomain enumeration workflow. Always ensure you have proper authorization before performing reconnaissance on any target. For further reading, refer to the official documentation of the tools mentioned above:
– Subfinder
– PureDNS
– HTTPX
– Amass
Reconnaissance is an art, and mastering it requires practice, patience, and persistence. Happy hunting!
References:
Hackers Feeds, Undercode AI