2.1.1.2 Subdomain Enumeration
Last updated
Last updated
Subdomain enumeration is the process of discovering and identifying subdomains associated with a particular domain. This is often done for security testing, reconnaissance, or general website administration purposes. There are several techniques and tools used for subdomain enumeration:
DNS Enumeration: Querying DNS servers to find all associated subdomains of a domain. Tools like nslookup, dig, and host can be used for this purpose.
Brute Force: Generating and testing subdomains by iterating through a list of common subdomain names or generating them based on patterns. Tools like Sublist3r, dnsenum, and Knock automate this process.
Search Engines: Using search engines like Google, Bing, or specialized tools like Dorkbot to search for indexed subdomains.
Certificate Transparency Logs: Monitoring Certificate Transparency Logs to discover subdomains associated with SSL/TLS certificates. Tools like Certspotter and Censys can be used for this.
Web Scraping: Scraping web pages for links and references to subdomains. Tools like Scrapy or custom scripts can be used for this.
APIs: Leveraging APIs provided by services like VirusTotal, SecurityTrails, or Shodan to find subdomains associated with a domain.
Wordlists: Using custom wordlists tailored for a specific domain or organization to discover subdomains that might not be publicly visible.
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.
subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist.
In alternative we can use others tools such as: Fierce.
