Sub Domain Enumeration - THM Walkthrough

Subdomain Enumeration Notes

Importance of Subdomain Enumeration

Subdomain enumeration is crucial in cybersecurity as it helps to expand the attack surface, revealing potential points of vulnerability within a domain. By discovering subdomains, security professionals can uncover the hidden applications, services, or areas that might be susceptible to attacks, thereby enhancing the overall security posture of the domain.

Techniques for Subdomain Enumeration

OSINT - SSL/TLS Certificates

Description: SSL/TLS certificates are issued by Certificate Authorities (CAs) and logged in Certificate Transparency (CT) logs. These logs are publicly accessible and can be used to discover subdomains associated with a domain.

Tools:

• crt.sh
• CT Search by Entrust

Example Usage:

• Search for a domain on crt.sh to find subdomains.

Example Command:

Search for "tryhackme.com" on crt.sh and find subdomains from the certificate logs.

Example Output:

• Domain: store.tryhackme.com (Logged on 2020-12-26)

OSINT - Search Engines

Description: Search engines index trillions of links, including subdomains. Using advanced search operators, one can narrow down results to find subdomains.

Tools:

• Google

Example Usage:

• Use the search term -site:www.domain.com site:*.domain.com on Google to find subdomains.

Example Command:

-site:www.tryhackme.com site:*.tryhackme.com

Example Output:

• Subdomain: store.tryhackme.com

DNS Bruteforce

Description: DNS Bruteforce involves trying numerous possible subdomains from a predefined list to discover valid subdomains. This method requires automation due to the high number of requests.&

Tools:

• dnsrecon

Example Usage:

• Use dnsrecon to perform a DNS bruteforce on a target domain.

Example Command:

Run dnsrecon and find subdomains for `acmeitsupport.thm`.

Example Output:

• Subdomain: api.acmeitsupport.thm

OSINT - Sublist3r

Description: Sublist3r automates OSINT subdomain discovery methods, aggregating data from multiple sources to quickly find subdomains.

Tools:

• Sublist3r

Example Usage:

• Run Sublist3r to discover subdomains.

Example Command:

sublist3r -d acmeitsupport.thm

Example Output:

• Subdomain: web55.acmeitsupport.thm

Virtual Hosts

Description: Some subdomains are not publically accessible via DNS but can be found by manipulating the Host header. This method automates the process using a wordlist of common subdomains.

Tools:

• ffuf

Example Usage:

• Use ffuf to discover subdomains by manipulating the Host header.

Example Command:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.186.57 -fs 2395

Example Output:

• Subdomain 1: delta.acmeitsupport.thm
• Subdomain 2: yellow.acmeitsupport.thm

Example Commands and Tools Summary

• SSL/TLS Certificates:

  • Tool: crt.sh .
  • Command: Search for a domain on crt.sh

• Search Engines:

  • Tool: Google
  • Command: -site:www.domain.com site:*.domain.com

• DNS Bruteforce:

  • Tool: dnsrecon
  • Command: dnsrecon -d domain.com -D /path/to/wordlist

• Sublist3r:

  • Tool: Sublist3r
  • Command: sublist3r -d domain.com

• Virtual Hosts:

  • Tool: ffuf
  • Command: ffuf -w /path/to/wordlist -H "Host: FUZZ.domain.com" -u http://IP_ADDRESS -fs {size}

Importance of Subdomain Enumeration Techniques

Each of these techniques provides a unique approach to discovering subdomains, leveraging different data sources and methods. Combining these techniques ensures a comprehensive enumeration process, increasing the likelihood of finding all potential subdomains and thus securing the domain more effectively.