Doing Subdomain Enumeration the right way

April 30, 2018

Hey guys. Welcome to this new post from ENCIPHERS. For the last few months, we have been continuously writing about different findings and the approach our team took to find them. But there was one thing we wanted to share, and that is the very first step itself. Be it bug bounties or penetration tests, one thing that is always important is the subdomain enumeration of the targets.

We think we have talked about one or two subdomain enumeration tools in our post on subdomain takeover. In this post, we will discuss a whole lot more, providing you with the required resources and showing how to use these tools. Not only that, we will also tell you how our team was able to find a CRITICAL vulnerability during a client's penetration test. So let's start.

So what really is Subdomain Enumeration?

This is something you can get to know in much detail from a simple Google search. In a simple sense, it is the process of finding valid (resolvable) subdomains for a domain. Now, what does it mean practically?
Suppose you have to do a penetration test for a client, and the target in scope is *.target.com. Here, the main domain is target.com, but because of that "*", all the subdomains are also in scope. In this case, the subdomains can be blogs.target.com, sales.target.com, cdn.target.com and many more. It becomes all the more important in bug bounties to find as many subdomains as possible, so that you can look for vulnerabilities in areas where no one else has started testing.

Let’s see the practical side and tools which will help you in Subdomain enumeration:

There are a whole lot of tools available today for subdomain enumeration. Many security researchers maintain their own scripts to manually find valid subdomains, so that they don't need to deal with many false positives. But if you are just starting out, it is best to use the most popular tools for this purpose, which have good support from a large number of users. Some of these are:

  • Sublist3r: It is one of the most popular open source subdomain enumeration tools. This is the Github link from where you can see how to install and start using Sublist3r.
    Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS, so you get a lot of subdomains from a single scan. The problem is that Sublist3r relies mainly on passive data sources, so it does not validate whether the subdomains actually exist. After a scan, you will need to check the subdomains one by one to see which ones are valid.
    Example: If Sublist3r has been installed correctly and the target is google.com, then:

    python sublist3r.py -d google.com

    will give you all the subdomains of Google. See the screenshot below.

  • Subbrute: This was our first and favorite subdomain enumeration tool for a while. You can download and install Subbrute from here. Moreover, Sublist3r has integrated Subbrute for the purpose of finding more accurate subdomains through brute force with an improved word list.
    Example:

    python subbrute.py google.com

  • Google Dorks: This one is the most famous and the best "tool" for subdomain enumeration. Actually, it is not a tool at all; it is just a way of using Google's advanced search operators, which can unlock many hidden doors. We have already written a post on Google Dorks here. One of the easiest ways to get valid subdomains is the simple technique shown in the following example.
    Example: In the search box, just type

    site:google.com

    The results will start with the www subdomain and then show all the other subdomains. Suppose the results page only contains cloud.google.com with different paths. What you do next is search for

    site:google.com -www -cloud

    This query removes both the www and cloud subdomains of google.com from the results. The results get fewer and fewer, and you can add each unique subdomain to your list. It is a manual task, but it gives valid subdomains in all cases, and many times you may find a page or application that is just open to hacking into. There are many more applicable cases; read the post we linked earlier to get more out of it.

There are other tools like Knock and Masscan. Read more about Knock and download it from here. You can download Masscan from here.
I will be doing a separate write-up, or will add them here in the near future after properly using them. Still, the above three will work fine for you.

How Subdomain Enumeration helped our ENCIPHERS team to get a critical bug which could lead to the total hijacking of the application?

If you have read H1 reports for some time, you must have seen many Subdomain Takeover reports that were found just by doing subdomain enumeration and then taking over the subdomain by hosting some simple content there. But in our last penetration test, our team found one of the easiest and most critical bugs there. Let's suppose the application to be tested was xyz.com.

A simple subdomain enumeration scan through Subbrute gave our team member Rahul the following subdomains:

./subbrute.py xyz.com

www.xyz.com
jenkins.xyz.com
blog.xyz.com
staging.xyz.com
mail.xyz.com
dev.xyz.com
api.xyz.com
calendar.xyz.com
gateway.xyz.com
drive.xyz.com
invest.xyz.com

Now it was time to manually validate each subdomain. Of course, we got many more subdomains than these, but we have not listed them all here. The mistake he made was to only open the bare subdomain, without also testing the https:// version. What this means is:

When he browsed to jenkins.xyz.com, the page showed him nothing, and he left it at that, assuming the subdomain was invalid. But then the other team member, Abhinav, told him to look for

https://jenkins.xyz.com

and to his utter surprise, this page let us log in to their Jenkins server account, and after that even a newbie hacker will know what to do. :) So this was his personal experience, from which he learned one fact: always check subdomains over both HTTP and HTTPS before deciding whether they are valid or not.
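The validation step described in the Sublist3r section (check each passive result one by one) and the lesson of this story (probe both schemes before declaring a name dead) can be done in one pass. The following script is an added example written for this post, not code from Sublist3r, Subbrute or the ENCIPHERS team: it resolves each candidate over DNS, then sends a HEAD request to both http:// and https:// and records any status code at all, since a 401 or 403 from a login page still proves a live service. The host names, addresses and responses in the demo are constructed sample data (the xyz.com hosts and 203.0.113.x addresses are placeholders), so it runs offline; swapping the fake resolver and prober for the real `dns_resolve` and `http_probe` defaults runs it against actual in-scope targets.

```python
"""Validate candidate subdomains from passive tools: resolve each name over DNS,
then probe both http:// and https:// so a host that answers on only one scheme
is not mistaken for a dead one."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


@dataclass
class SubdomainResult:
    host: str
    resolves: bool
    addresses: List[str] = field(default_factory=list)
    http_status: Optional[int] = None   # None = no HTTP response at all
    https_status: Optional[int] = None  # None = no HTTPS response at all

    @property
    def alive(self) -> bool:
        """A subdomain counts as live if either scheme returned any status code."""
        return self.http_status is not None or self.https_status is not None


def dns_resolve(host: str) -> List[str]:
    """Return the addresses host resolves to, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def http_probe(url: str, timeout: float = 5.0) -> Optional[int]:
    """Return the status code the server answered with, or None if nothing answered.
    Any status counts, including 401/403/404: an error page still proves a web
    server is listening, which is exactly what a bare browser visit can hide."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "subdomain-validator"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # HTTPError is a URLError subclass: catch it first
    except OSError:
        return None       # URLError, TLS errors, timeouts, refused connections


def validate_subdomains(candidates: Iterable[str],
                        resolve: Callable[[str], List[str]] = dns_resolve,
                        probe: Callable[[str], Optional[int]] = http_probe,
                        ) -> List[SubdomainResult]:
    """Deduplicate candidates (case-insensitively, keeping input order), resolve
    each one, and probe both schemes for those that resolve."""
    unique = dict.fromkeys(h.strip().lower() for h in candidates if h.strip())
    results = []
    for host in unique:
        addrs = resolve(host)
        result = SubdomainResult(host=host, resolves=bool(addrs), addresses=addrs)
        if addrs:
            result.http_status = probe(f"http://{host}/")
            result.https_status = probe(f"https://{host}/")
        results.append(result)
    return results


# --- Constructed sample data (placeholder hosts, not real ones) mirroring the story.
# jenkins.xyz.com answers only over HTTPS, which is why a plain-HTTP visit showed nothing.
FAKE_DNS = {
    "www.xyz.com": ["203.0.113.10"],
    "jenkins.xyz.com": ["203.0.113.20"],
    "blog.xyz.com": ["203.0.113.30"],
}
FAKE_WEB = {
    "http://www.xyz.com/": 200, "https://www.xyz.com/": 200,
    "https://jenkins.xyz.com/": 403,   # login page: still a live service
    "http://blog.xyz.com/": 301,
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_probe(url: str) -> Optional[int]:
    return FAKE_WEB.get(url)


def demo() -> List[SubdomainResult]:
    """Run the validator against the constructed data; offline and deterministic."""
    candidates = ["www.xyz.com", "jenkins.xyz.com", "blog.xyz.com",
                  "nothere.xyz.com", "WWW.xyz.com"]   # last entry is a duplicate
    return validate_subdomains(candidates, resolve=fake_resolve, probe=fake_probe)


if __name__ == "__main__":
    for r in demo():
        state = "LIVE" if r.alive else ("resolves, no web" if r.resolves else "no DNS")
        print(f"{r.host:<18} http={r.http_status} https={r.https_status}  {state}")
```

In the demo output jenkins.xyz.com shows http=None but https=403 and is marked LIVE, which is the case the team initially missed; nothere.xyz.com fails DNS and is skipped without any web requests. Passing the resolver and prober as parameters keeps the logic testable offline and makes it easy to swap in a rate-limited or proxied prober when working through a long list.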

Important Advice:

One thing you will learn in the white-hat hacking community is to always abide by the scope of the target and not to test out-of-scope items. But from our personal view, always do a complete subdomain enumeration of the target at hand and see if any subdomain is vulnerable to subdomain takeover, or if things like Jenkins or important private git files are just open to the public. The companies won't mention it explicitly, but you can always send these reports, and if it is a bug bounty, be ready to be rewarded. But do not manually test the subdomains if they are not in scope. Just check for subdomain takeovers and private files in the open, and that's it.

So this was all for this post. If you already knew about subdomain enumeration tools and have a favorite of your own, please write about it in the comment section and we will make sure to update this post to add yours. Meanwhile, if you are not yet aware of them, go read about the different tools we mentioned, play with them, and see which one works best for you. Happy hacking till then. :)