subdomain enumeration

ENUMERATION

Subdomain enumeration is the process of finding the valid subdomains that exist under a domain. The point of information gathering and enumeration is to map as much of the target's attack surface as possible. The more of a target we discover and can see, the more opportunities there are for finding vulnerabilities.

There are two main methods for subdomain enumeration that will be covered: brute force and OSINT.

DNS BRUTE-FORCING

Brute-force methods use wordlists and computing power to cycle through large lists of candidate values until a valid one is found. This is simply trial and error, done incredibly fast by a computer. The better the wordlist, the faster matches are found.

A wordlist is a text file containing a long list of words or terms commonly used for whatever purpose the list was created for. Rainbow tables, for example, are precomputed tables of common passwords and their associated hashes that attackers use to speed up a password-cracking tool in a dictionary attack.

For the purposes of DNS discovery, we are more interested in wordlists that contain common subdomain names.

You can check out https://wordlists.assetnote.io/ for downloadable wordlists that update monthly.

Check out the automated discovery section of the content discovery page for more detailed information.

DNS RECON

DNSRecon is a Python script created by Darkoperator. According to its GitHub page, it can do the following:

  • Check all NS Records for Zone Transfers.

  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).

  • Perform common SRV Record Enumeration.

  • Top Level Domain (TLD) Expansion.

  • Check for Wildcard Resolution.

  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.

  • Perform a PTR Record lookup for a given IP Range or CIDR.

  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of hostnames in a text file.
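The wordlist-driven DNS brute force described above, with the wildcard check that DNSRecon lists, as an added example (not code from the page or from DNSRecon). The resolver is injectable so the logic can run offline; fake_resolver and the example.com addresses are constructed for illustration.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 address string, or None when the name
# does not exist. Making it injectable lets the logic run offline in tests.
Resolver = Callable[[str], Optional[str]]

def system_resolve(name: str) -> Optional[str]:
    """Resolve with the operating system resolver; any failure becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label nobody would have created. If it answers, the
    zone has a wildcard record and every guessed name will appear to exist."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")

def brute_force_subdomains(domain: str, words: Iterable[str],
                           resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Try each wordlist entry as a label under domain and keep those that
    resolve, discarding answers that merely repeat the wildcard address."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        label = word.strip().lower()
        if not label or label.startswith("#"):
            continue  # blank lines and comments in the wordlist
        name = f"{label}.{domain}"
        addr = resolve(name)
        if addr is None:
            continue
        # Caveat: a real host that shares the wildcard's address is dropped too.
        if wildcard is not None and addr == wildcard:
            continue
        found[name] = addr
    return found

def fake_resolver(table: Dict[str, str], wildcard: Optional[str] = None) -> Resolver:
    """Offline resolver built from a constructed name->address table, with an
    optional wildcard answer returned for every other name (hypothetical)."""
    def resolve(name: str) -> Optional[str]:
        return table.get(name, wildcard)
    return resolve
```

Without the wildcard check, every word in the list "resolves" against a zone with a catch-all record, which is the same false-positive problem the vhost section handles with size filtering.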

VIRTUAL HOSTS

While many subdomains are hosted publicly and can be found in DNS databases, others may not be. This is common for development versions of apps or private admin portals. These web applications could be served through a private DNS server, or mapped on a developer's own machine in its /etc/hosts file (c:\windows\system32\drivers\etc\hosts on Windows). This file maps domain names to IP addresses.

This is the basic idea behind virtual hosting.

Virtual hosting is also used to host multiple web apps on a single machine. It consists of a configuration file on the web server that links each domain (www.website.com) to a directory in the web server's file structure.

It is possible to brute-force the Host header by changing its value and monitoring the responses to see whether new websites and subdomains are hosted on a particular machine. "When having a domain name as scope, operating virtual host (a.k.a. vhost) fuzzing is recommended to possibly find alternate domain names of subdomains that point to a virtual host, and thus have a better knowledge of the attack surface. This technique relies on the attacker using a dictionary/wordlist. A request is made for every line of the wordlist to differentiate pages that exist and pages that don't." -source

The ffuf (fast web fuzzer) tool was covered on the content discovery page under the automated discovery section. That section has more detailed information, but for this page, we'll go over a simple method for discovering virtually hosted subdomains by using the ffuf tool in a Linux terminal.

ffuf -w "/path/to/wordlist.txt" -H "Host: FUZZ.$DOMAIN" -u $URL

This command first specifies the path (-w) to the wordlist on the local machine that will be used for the fuzzing attempt. Next, the -H parameter specifies a header to send; it effectively adds or overrides that header, in this case the Host header. The "FUZZ" keyword before the domain marks where the fuzzing happens, in other words where the program substitutes the words from the wordlist one by one until a valid subdomain is found. Finally, the -u parameter defines the target URL or IP address.

Now you may end up with a very long list containing many false positives and irrelevant results.

This is where using filter flags comes in handy.

Notice how all of these results share the same size and words values? We can filter results by response size with the -fs parameter and by word count with -fw. Say we want to get rid of all the results with size 12454: tack -fs 12454 onto the end of the command and run it again. All the previous results with that size will now be filtered out, leaving the outliers easier to analyze.

ffuf -w "/path/to/wordlist.txt" -H "Host: FUZZ.$DOMAIN" -u $URL -fs size

With the right wordlist, this method can help find subdomains in virtual hosting environments when other public discovery methods aren't enough.
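The Host-header fuzzing and size filtering described in this section, as an added example in Python (not the page's ffuf command and not ffuf's code). Instead of hand-picking a -fs value, it measures the default vhost's response for a name that cannot exist and filters on that size; fake_server and the 12454-byte page are constructed for illustration.

```python
import http.client
import secrets
from typing import Callable, Dict, Iterable, Tuple

# A fetcher sends one GET with the given Host header and returns
# (status, body length). It is injectable so the logic can be tested offline.
Fetcher = Callable[[str], Tuple[int, int]]

def http_fetcher(target: str, port: int = 80, path: str = "/") -> Fetcher:
    """Talk to one server (IP or hostname) and vary only the Host header,
    which is what ffuf's -H "Host: FUZZ.$DOMAIN" does."""
    def fetch(host_header: str) -> Tuple[int, int]:
        conn = http.client.HTTPConnection(target, port, timeout=5)
        try:
            conn.request("GET", path, headers={"Host": host_header})
            resp = conn.getresponse()
            return resp.status, len(resp.read())
        finally:
            conn.close()
    return fetch

def baseline(domain: str, fetch: Fetcher) -> Tuple[int, int]:
    """Response for a Host value nobody could have configured: this is what
    the default vhost returns, i.e. the size you would otherwise pass to -fs."""
    return fetch(f"{secrets.token_hex(6)}.{domain}")

def fuzz_vhosts(domain: str, words: Iterable[str], fetch: Fetcher,
                filter_sizes: Iterable[int] = ()) -> Dict[str, Tuple[int, int]]:
    """Request each candidate name and keep only responses whose size differs
    from the default vhost and from any extra sizes filtered explicitly."""
    _, base_len = baseline(domain, fetch)
    ignore = set(filter_sizes) | {base_len}
    hits: Dict[str, Tuple[int, int]] = {}
    for word in words:
        label = word.strip().lower()
        if not label:
            continue
        host = f"{label}.{domain}"
        status, length = fetch(host)
        if length in ignore:
            continue  # same page as the default vhost: a false positive
        hits[host] = (status, length)
    return hits

def fake_server(vhosts: Dict[str, Tuple[int, int]],
                default: Tuple[int, int] = (200, 12454)) -> Fetcher:
    """Constructed (hypothetical) server: known vhosts answer distinctly,
    every other Host value gets the default vhost page of 12454 bytes."""
    def fetch(host_header: str) -> Tuple[int, int]:
        return vhosts.get(host_header, default)
    return fetch
```

Filtering on size has the same blind spot as -fs: a real vhost whose page happens to be exactly the default size is dropped, so also compare status codes or word counts (-fw) when the sizes are close.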


OSINT

SSL/TLS CERTIFICATES

Certificate Transparency (CT) logs are publicly accessible logs that list every SSL/TLS certificate issued for a domain name. They were created to stop duplicate certificates from being issued, either accidentally or maliciously, and they can also be used to find subdomains that belong to a domain.

To search these logs, you can visit https://crt.sh/ or https://transparencyreport.google.com/https/certificates. These sites host searchable databases of current and historical certificates.
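Turning a crt.sh result into a list of subdomains, as an added example (not code from the page or from crt.sh). It assumes crt.sh's JSON output (?q=%25.domain&output=json), where each certificate's names sit newline-separated in name_value; SAMPLE_CT is a constructed record in that shape, and unknown_names is a hypothetical helper for comparing the log against an asset inventory.

```python
import json
import urllib.request
from typing import List, Set

# Constructed sample in the shape of crt.sh's JSON output: one object per
# certificate, with every name on the certificate in name_value.
SAMPLE_CT = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nstaging.example.com"},
    {"id": 3, "common_name": "Dev.Example.com",
     "name_value": "Dev.Example.com\nwww.example.com"},
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},  # lookalike, not under our domain
])

def subdomains_from_ct(raw_json: str, domain: str) -> List[str]:
    """Extract the unique names under domain from crt.sh JSON. Names are
    lowercased, wildcard entries are reduced to the zone they cover, and
    names that only contain the domain as a substring are rejected."""
    domain = domain.lower()
    suffix = "." + domain
    names: Set[str] = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                names.add(name)
    return sorted(names)

def unknown_names(ct_names: List[str], inventory: List[str]) -> List[str]:
    """Defender view: which certified names are missing from the asset list?"""
    return sorted(set(ct_names) - {n.lower() for n in inventory})

def fetch_ct(domain: str) -> str:
    """Live query (needs network); crt.sh can be slow and may time out."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8")
```

Historical certificates stay in the logs, so some names returned will no longer resolve; running the result through DNS resolution separates live hosts from retired ones.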


SEARCH ENGINES

Using search filters and wildcards is a great way to find subdomains with a search engine such as Google. With the following syntax, you can search for subdomain names of a given site: "-site:www.domain.com site:*.domain.com"

Replace domain.com with whatever domain you want to search in order to find its subdomains.

Check out the page on web app content discovery for more detailed information about using search engines with Google Dorking.


SUBLIST3R

Sublist3r is a great automated way to speed up subdomain discovery. From their site:

"Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute."