The complete subdomain Enumeration Guide

Figure: Subdivision of a domain.
Some of the open source tools available
Discovering Target Using ASN (IP Blocks)
Brand Discovery Acquisitions
    1. https://www.crunchbase.com/search/acquisitions
    2. Trademark in Google: "Facebook Inc © 2020" "Facebook Inc © 2019" "Facebook Inc © 2018" inurl:facebook
    3. Reverse whois (my favorite).
Figure: whois result of facebook.com

Subdomain using some more ways
    • RAPID7 SONAR: curl --silent https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep ".icann.org" | jq
    • DNSRECON: python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
    • ALTDNS: python altdns.py -i icann.domains -o data_output -w icann.words -r -s results_output.txt
    • DIG:
      dig +multi AXFR @ns1.insecuredns.com insecuredns.com
    • DNSSEC:
      dig +multi +dnssec A paypal.com
      dig +dnssec @ns1.insecuredns.com firewall.insecuredns.com
    • Zone walking NSEC (LDNS):
      root@rohit:~# ldns-walk @name_server domain_name
    • ZONE WALKING NSEC (DIG): You can list all the subdomains by following the linked list of NSEC records of existing domains.
      $ dig +short NSEC api.tesla.com
      $ dig +short NSEC apm.tesla.com
    • MASSDNS:
      root@rohit:~# ./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt
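
The NSEC linked list described above, as an added example (not from the original slides or from any tool named on them): it takes NSEC answers already collected for a zone you operate and shows which names and record types the chain discloses. The zone example.test, the SAMPLE data and the function names parse_nsec and walk_nsec are assumptions made up for the illustration.

```python
# Added example: rebuild a zone's name list from its NSEC answers.
# SAMPLE is constructed data shaped like `dig +short NSEC <name>` output:
# "<next owner name> <record types present at the queried name>".
SAMPLE = {
    "example.test.": "api.example.test. A NS SOA RRSIG NSEC DNSKEY",
    "api.example.test.": "apm.example.test. A RRSIG NSEC",
    "apm.example.test.": "vpn.example.test. CNAME RRSIG NSEC",
    "vpn.example.test.": "example.test. A AAAA RRSIG NSEC",
}


def parse_nsec(answer):
    """Split one NSEC answer into (next_owner, [record types])."""
    fields = answer.split()
    if not fields:
        raise ValueError("empty NSEC answer")
    return fields[0].lower(), fields[1:]


def walk_nsec(answers, apex):
    """Follow next-owner pointers from the apex until the chain wraps.

    Returns (zone, complete): zone maps each discovered name to the record
    types its NSEC record lists; complete is False when a link is missing
    or the chain loops without returning to the apex.
    """
    answers = {name.lower(): text for name, text in answers.items()}
    apex = apex.lower().rstrip(".") + "."
    zone, current = {}, apex
    while current not in zone:
        answer = answers.get(current)
        if answer is None:            # gap: no NSEC answer for this name
            zone[current] = []
            return zone, False
        next_owner, types = parse_nsec(answer)
        zone[current] = types
        if next_owner == apex:        # last record points back to the apex
            return zone, True
        current = next_owner
    return zone, False                # loop that never reached the apex


if __name__ == "__main__":
    zone, complete = walk_nsec(SAMPLE, "example.test")
    for name, types in zone.items():
        print(name, " ".join(types))
    print("chain complete:", complete)
```

A complete chain means every name in the zone, and the record types at each name, can be read from the NSEC records alone.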
    • SUBLERT: This tool leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and the TLS/SSL certificates issued for them.
    • Wayback Enumeration → waybackurls
      python waybackurls.py --help
    • ./waybackunifier --help
    • archive.org
Subdomain using JS files
    • Parsing JavaScript: Parsing JS is very useful for finding the directories that are used by the target. We can use it instead of brute-forcing subs.
    • Jsparser: Run handler.py and then visit http://localhost:8008
    • python linkfinder.py -i https://example.com/1.js -o results.html
Subdomain using Github
About Me
Rohit Gautam