HowToHunt
Subdomain Enumeration

Subdomain enumeration matters when you are hunting on programs with a wildcard-enabled scope. If you can find unique subdomains that others miss, you have a good chance of finding bugs on them.

General Methodology

  • Passive

  • Active

  • Permutation

Passive

In this stage, use as many sources as you can to gather subdomains passively. Nowadays this is not hard to do with community-standard tools that query third-party data sources through API keys.

Tools

  • Subfinder

  • Amass

  • Assetfinder

  • Findomain

Active

In this stage you brute-force the target domain: check whether each word from your wordlist resolves as a valid subdomain or not.

Tools

  • ShuffleDNS

  • Aiodnsbrute

Permutation

In this stage you play around with the subdomains you have already collected: alter the words (swap prefixes and suffixes, add environment names or numbers) and check whether the new names still resolve as valid subdomains.

Portscan

Convert domains into IP addresses:

while read -r l; do ip=$(dig +short "$l" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -1); echo "[+] '$l' => ${ip:-unresolved}"; [ -n "$ip" ] && echo "$ip" >> ips.txt; done < domains.txt

dig +short may print a CNAME chain before the A record, so the grep keeps only the first IPv4 address. Names that do not resolve are reported but not written to ips.txt, and it is worth deduplicating ips.txt before scanning, since many subdomains usually share one address.

We will use masscan for faster results:

masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log

Alternatively, you can use Naabu or RustScan.

Tools (Permutation stage)

  • AltDNS

  • DNSGen + ShuffleDNS

Reference & Resources

https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html

https://0xpatrik.com/subdomain-enumeration-2019/

https://0xpatrik.com/subdomain-enumeration-smarter/

https://rootsploit.com/bug-bounty-recon-faster-port-scan/

There's a lot more you can do. For now I am only mentioning community-standard approaches; this page will be updated regularly as new methodology comes out.

Framework

An automated framework such as SEF can be used to automate this whole workflow.

Author

Mehedi Hasan Remon
Rishi Choudhary