Subdomains

Concept

Subdomain enumeration, the process of identifying the subdomains associated with a main domain, is one of the crucial steps in computer security.

Subdomains are part of a larger domain and are often configured to point to different network resources, such as web servers, email servers, database systems, content management systems, among others.

Some of the most commonly used passive techniques for subdomain enumeration are queries in search engines such as Google, Bing or Yahoo, and searches of public DNS record databases such as PassiveTotal or Censys. These sources can identify subdomains associated with a domain, although they are not always exhaustive. In addition, there are tools such as CTFR that use SSL/TLS certificate records to find subdomains associated with a domain.

Online sites such as Phonebook.cz and Intelx.io, or tools such as sublist3r, can also be used to search for domain-related information, including subdomains.

On the other hand, active tools for subdomain enumeration include fuzzing tools such as wfuzz or gobuster. These tools brute-force candidate names from a wordlist, sending a request to the server for each one, with the aim of finding valid subdomains under the main domain.

Tools

# use a SecLists Discovery/DNS list (e.g. subdomains-top1million-5000.txt) as the wordlist

gobuster vhost -u http://test.com -w wordlist -t 20

wfuzz -c -t 20 --hc=403 -w wordlist -H "Host: FUZZ.TARGET" http://TARGET
wfuzz -c          # colored output
wfuzz -t 20       # 20 concurrent connections
wfuzz --hc=403    # hide results with status code 403
wfuzz --sc=200    # show only results with status code 200
wfuzz --hl=80     # hide responses that have 80 lines (use --hw to filter by word count)
wfuzz -w          # wordlist to use
wfuzz -H          # send a request header
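
The defender's view of the Host-header fuzzing above, as an added example that is not part of the original page: one client requesting many distinct, unserved Host values in a short time is the pattern to alert on. The log layout, the `KNOWN_HOSTS` inventory, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log layout (not from the page): ip [time] "Host header" "request" status
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "[^"]*" (\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
KNOWN_HOSTS = {"example.test", "www.example.test"}  # constructed inventory of served vhosts

def parse(line):
    """Return (ip, timestamp, host without port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3).lower().split(":")[0]

def detect_vhost_bruteforce(lines, known_hosts, window=timedelta(seconds=60), threshold=10):
    """Map client IP -> most distinct unknown Host values seen in any window, if >= threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] not in known_hosts:      # only Host values we do not serve
            per_ip[rec[0]].append((rec[1], rec[2]))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the time window
                start += 1
            best = max(best, len({host for _, host in events[start:end + 1]}))
        if best >= threshold:
            alerts[ip] = best
    return alerts

def sample_log():
    """Constructed sample: one client cycling Host values, one normal client with a single typo."""
    words = ["admin", "dev", "mail", "vpn", "test", "staging", "api", "git", "ftp", "old", "beta", "shop"]
    lines = [f'203.0.113.7 [10/Mar/2024:12:00:{i:02d} +0000] "{w}.example.test" "GET / HTTP/1.1" 404'
             for i, w in enumerate(words)]
    lines += [f'198.51.100.4 [10/Mar/2024:12:00:{i:02d} +0000] "www.example.test" "GET /p{i} HTTP/1.1" 200'
              for i in range(12)]
    lines.append('198.51.100.4 [10/Mar/2024:12:01:00 +0000] "exmaple.test" "GET / HTTP/1.1" 404')
    return lines

if __name__ == "__main__":
    print(detect_vhost_bruteforce(sample_log(), KNOWN_HOSTS))
```

Filtering on Host values outside the inventory keeps ordinary traffic and a single mistyped hostname below the threshold, while a wordlist run stands out.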