Sub-Domains
Introduction
Subdomains are extensions of the main domain, often created to organise and separate different sections or functionalities of a website. For instance, a company might use blog.example.com for its blog, shop.example.com for its online store, or mail.example.com for its email services.
Sub-domain Enumeration
Subdomain enumeration is the process of systematically identifying and listing these subdomains.
Active Sub-domain Enumeration
This involves directly interacting with the target domain's DNS servers to uncover subdomains. A common technique is using tools like dnsenum, ffuf, and gobuster to automate the enumeration with the help of a wordlist.
Passive Sub-domain Enumeration
This relies on external sources of information to discover subdomains without directly querying the target's DNS servers. Some of its relevant resources are:
Certificate Transparency (CT) logs and public repositories of SSL/TLS certificates (these often include a list of associated subdomains in their Subject Alternative Name (SAN) field)
Utilizing search engines like Google or DuckDuckGo with specialized search operators like site:
Also, some online databases and tools can be used to aggregate the data related to sub-domains.
Sub-domain Bruteforcing
Subdomain bruteforcing is a powerful active subdomain discovery technique that leverages pre-defined lists of potential subdomain names.
The process breaks down into four steps:
Wordlist selection
Iteration and querying (iterate through the wordlist, prepending each word to the target domain to form candidate sub-domain names)
DNS lookup (check whether each candidate sub-domain name resolves to an IP address)
Filtering and validation (after resolution, the valid sub-domains are added to a list; wildcard DNS answers, where any name under the domain resolves, must be filtered out or every candidate will appear valid)
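The four steps above as one small Python routine, added here as an illustration and not code from the original page or from any of the tools it lists. The resolver is passed in as a parameter so the wildcard check can be exercised offline against a constructed zone (SAMPLE_ZONE, SAMPLE_WORDLIST and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed test data); system_resolve uses the operating system resolver, which is handy for auditing which names in a zone you administer still resolve.

```python
"""Wordlist-driven subdomain resolution with wildcard filtering (added example)."""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Return the first IPv4 address for name via the OS resolver, or None."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Query a random label; if it resolves, the zone answers for anything."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


def bruteforce_subdomains(domain: str, wordlist: Iterable[str],
                          resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Steps 2-4: build candidate names, resolve them, filter and validate.

    Returns {fqdn: ip} for names whose answer differs from the zone's
    wildcard answer (if the zone has one).
    """
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue  # skip blank and comment lines in the wordlist
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip is None:
            continue  # NXDOMAIN: not a valid sub-domain
        if wildcard_ip is not None and ip == wildcard_ip:
            continue  # wildcard artefact, not a real host
        found[fqdn] = ip
    return found


# Constructed zone and wordlist for an offline demonstration (not real DNS data).
SAMPLE_ZONE: Dict[str, str] = {"www.example.com": "192.0.2.10",
                               "mail.example.com": "192.0.2.20"}
SAMPLE_WORDLIST: List[str] = ["www", "mail", "dev", "# comment", ""]


def sample_resolve(name: str) -> Optional[str]:
    """Offline stand-in for DNS: answers only for names in SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name)
```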
Sub-domain Enumeration Tools
Comprehensive tool for DNS enumeration, supports dictionary and brute-force attacks for subdomain discovery.
User-friendly tool for recursive subdomain discovery, with wildcard detection and easy interface.
Versatile tool combining multiple DNS reconnaissance methods with customizable output formats.
Actively maintained subdomain discovery tool, integrates with various tools and extensive data sources.
Lightweight tool for quick subdomain discovery using diverse techniques.
Powerful and flexible DNS brute-forcing tool, effective at resolving and filtering results.
Fast passive subdomain discovery tool, using multiple APIs and online services for broad reconnaissance.