SMK Muhammadiyah 2 Palembang
  • Introducation
  • The Basics
    • Basics of linux
    • Bash-scripting
    • Vim - Text Editor
    • Nano - Text Editor
  • Windows
    • Basics of windows
    • PowerShell
    • CMD - Windows commands
  • Scripting With Python
    • Python fundamentals
      • Useful Scripts
    • Transferring Files
      • Transferring Files on Linux
      • Transferring Files to Windows
    • Firewalls
  • Recon and Information Gathering Phase
    • Passive information gathering
    • Identify IP-addresses and Subdomains
      • Dorking Find Subdomains
      • Find Subdomains
      • DNS Basics
      • DNS Zone Transfer Attack
      • Identifying People
      • Search Engine Discovery
      • Active information gathering
      • Port Scanning
  • Vulnerability analysis
    • Server-side Vulnerabilities
      • Port knocking
    • HTTP - Web Vulnerabilities
      • Web-services
      • Common web-services
        • WAF - Web application firewall
          • WAF - Web application firewall
          • Attacking the System
          • Local File Inclusion (LFI)
          • Remote File Inclusion
          • Find hidden files and directories
          • SQL-injections
          • Nosql-injections
          • XML External Entity Attack
          • Bypass File Upload Filtering
          • Exposed Version Control
          • Failure to Restrict URL Access
    • Attacking the user
      • Clickjacking
      • Broken Authentication or Session Management
      • Text/content-injection
      • Subdomain Takeover
      • Cross Site Request Forgery
      • Cross-site-scripting
        • Examples
      • Browser vulnerabilities
      • Java applet
      • Automated Vulnerability Scanners
    • Exploiting
      • Social Engineering - Phishing
      • Default Layout of Apache on Different Versions
      • Shell
      • Webshell
      • Generate shellcode
      • Editing exploits
      • Compiling windows exploits
    • Post Exploitation
      • Spawning shells
      • Meterpreter shell for post-exploitation
      • Privilege Escalation
      • Privilege Escalation Windows
      • Escaping Restricted Shell
      • Bypassing antivirus
      • Loot and Enumerate
        • Loot Windows
        • Loot Linux
      • Persistence - Rootkit - Backdoor
      • Cover your tracks
  • Password Cracking
    • Generate custom wordlist
    • Offline password cracking
    • Online password cracking
    • Pass the hash - reusing hashes
  • Pivoting - Port forwarding - Tunneling
    • Pivoting
  • Network traffic
    • Arp-spoofing - Sniffing traffic
      • SSL-strip
    • DNS-spoofing
    • Wireshark
  • Wifi
    • WPS
    • WEP
  • Physical access to machine
  • Literature
Powered by GitBook
On this page
  • Bypassing CloudFlare
  • References
  1. Recon and Information Gathering Phase
  2. Identify IP-addresses and Subdomains

Dorking Find Subdomains

Finding subdomains is fundamental. The more subdomains you find, the bigger attack surface you have. Which means bigger possibility of success.

For now this seems to be a very comprehensive list of tools to find subdomains. https://blog.bugcrowd.com/discovering-subdomains

Some tools find some stuff, other tools other stuff. So your best bet is to use a few of them together. Don't forget to brute-force recursively!

recon-ng

In order to find subdomains we can use the recon-ng framework. It has the same basic structure as metasploit. You can learn more about this tool in the tools-section.

recon-ng

use use recon/domains-hosts/

# This will give you a vast amount of alternatives.

show options

set source cnn.com

All these subdomains will be saved in hosts, which you can access though: show hosts

If some of these subdomains are not given IPs automatically you can just run

use recon/hosts-hosts/resolve
run

And it will resolve all the hosts in the hosts-file.

Google Dorks

Using google we can also find subdomains.

This will only give us the subdomains of a site.

site:msn.com -site:www.msn.com

site:*.nextcloud.com

To exclude a specific subdomain you can do this:

site:*.nextcloud.com -site:help.nextcloud.com

subbrute.py

The basic command is like this

./subbrute.py -p cnn.com

https://github.com/TheRook/subbrute

Knock

I haven't tested this yet. https://github.com/guelfoweb/knock

Being smart

You also have to look at what kind of system the target has. Some web-apps give their clients their own subdomains. Like github.

Check out the homepage Often companies brag about their clients. You can use this to guess the subdomains of some clients.

Reverse DNS-lookup

If you manage to figure out the IP range that the target owns (see section about nmap below). You can see which machines are online. And then you can run a script to find out the domain-addresses of those machines. That way you might find something new.

The text-file onlyIps.txt is a textfile with one IP-address on each line.

#!/bin/bash

while read p; do
  echo $p;
  host  $p
done <onlyIps.txt

Here are some more tools that can do reverse lookup http://www.cyberciti.biz/faq/how-to-test-or-check-reverse-dns/

Online tools

DNSDumpster

https://dnsdumpster.com/

Pentest-tools

https://pentest-tools.com/information-gathering/find-subdomains-of-domain

Intodns

http://www.intodns.com/

DNSStuff

This tool doesn't enumerate subdomains per se. But it hands of a lot of information about domains. http://www.dnsstuff.com/

Bypassing CloudFlare

https://www.ericzhang.me/resolve-cloudflare-ip-leakage/

This tool can be used to find old IPs. It could mean that the http://toolbar.netcraft.com/site_report?url=lyst.com

Brute force dictionaries

If you try to brute force the domains it is a good idea to have a good dictionary. That can be found here:

Bitquark https://github.com/bitquark/dnspop

SecList https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

References

https://en.wikipedia.org/wiki/CNAME_record

PreviousIdentify IP-addresses and SubdomainsNextFind Subdomains

Last updated 2 years ago