Reconnaissance

Active Subdomain Enumeration

Posted by

Active subdomain enumeration is the process of finding subdomains for a target domain through active reconnaissance methods, such as sending HTTP requests and analyzing the responses. Some techniques for active subdomain enumeration include:

  1. Subdomain Brute-force: A tool that tries a large number of subdomains with common names and patterns, such as “www,” “mail,” “ftp,” etc.
  2. Google Dorks: Using advanced search operators on Google to search for subdomains related to the target domain.
  3. Certificate Transparency logs: Certificate Transparency logs can reveal a large number of subdomains for a target domain, as they show all SSL certificates issued for a domain, including subdomains.
  4. Scanning DNS records: Scanning the target domain’s DNS records using tools such as nslookup, dig, and whois can reveal subdomains.
  5. Web archive: Using web archives, such as the Wayback Machine, can reveal subdomains that were previously active but are no longer in use.

It’s important to note that while these techniques can be useful in uncovering subdomains, the information they provide may not be up-to-date or complete, and additional reconnaissance may be necessary to determine the current state of a target subdomain.

Famous Tools for Active Subdomain Enumeration

Here are some popular tools for active subdomain enumeration:

  1. Sublist3r: A Python-based tool that uses various search engines to gather subdomains and then uses the DNS brute-forcing technique.
  2. Amass: A Go-based tool that performs active reconnaissance by sending various types of requests to the target domain, as well as using passive reconnaissance methods such as searching certificate transparency logs.
  3. Knockpy: A Python-based tool that uses a wordlist to perform a brute-force attack on the target domain and then resolves the IP addresses to identify subdomains.
  4. Massdns: A high-performance DNS resolver that can be used to resolve subdomains in bulk and quickly.
  5. Fierce: A Perl-based tool that uses active reconnaissance techniques to identify subdomains, as well as perform DNS zone transfers to enumerate subdomains.
  6. SubFinder: A Go-based tool that uses various techniques, including passive reconnaissance and brute-forcing, to identify subdomains for a target domain.

These are just a few examples of the many tools available for active subdomain enumeration. It’s important to note that while these tools can be useful, it’s also important to perform manual reconnaissance to validate the results and ensure that all subdomains have been identified.

how to find interesting subdomains from a lot of subdomains list

Finding interesting subdomains from a large list of subdomains can be challenging, but there are several techniques that can be used:

  1. Filter by relevance: Use tools such as grep or regex to search for subdomains that contain keywords related to the target domain, such as specific product names or departments.
  2. Check response codes: Use tools such as curl or wget to send HTTP requests to each subdomain and check the response codes. Subdomains that return a 200 OK response may be more interesting than those that return a 404 Not Found or a 403 Forbidden response.
  3. Look for open ports: Use tools such as nmap or masscan to scan each subdomain for open ports. Subdomains with open ports may be running services that could be vulnerable to attack.
  4. Check for vulnerabilities: Use tools such as Nessus or OpenVAS to scan each subdomain for known vulnerabilities. Subdomains that are vulnerable to known exploits may be more interesting than those that are not.
  5. Analyze content: Manually inspect the content of each subdomain to determine if it contains sensitive information, such as credentials or confidential documents.

These are just a few examples of the many techniques that can be used to find interesting subdomains from a large list. It’s important to use a combination of these techniques, as well as manual analysis, to ensure that all potentially interesting subdomains have been identified.

How to Reverse Whoislookup

Reverse Whois lookup is a method of using information about a registrant, such as their name or email address, to find other domains that are registered to them. This can be useful for identifying additional domains that may be related to a target domain or for investigating a particular individual or organization.

Here are the steps for performing a reverse Whois lookup:

  1. Choose a reverse Whois lookup service: There are several online services that offer reverse Whois lookup, such as WhoisXML API, DomainTools, and Reverse Whois Lookup.
  2. Input the search criteria: Most reverse Whois lookup services allow you to search by registrant name, email address, organization name, and/or phone number.
  3. Run the search: The reverse Whois lookup service will use the search criteria to search through a database of Whois records and return a list of domains registered to the specified registrant.
  4. Review the results: The results of the reverse Whois lookup will include information about each domain, such as its creation and expiration dates, registrar, and DNS servers.

It’s important to note that the accuracy of reverse Whois lookup results may vary depending on the completeness and accuracy of the Whois records, and some domains may not be included in the search results if their Whois information is hidden or protected by privacy services.

How to find open ports and services

Finding open ports and services on a target system can provide valuable information for security testing and vulnerability assessment. Here are the steps for finding open ports and services:

  1. Choose a port scanning tool: There are several tools available for performing port scans, including nmap, masscan, and angry IP scanner.
  2. Determine the target system: Identify the target IP address or hostname to be scanned.
  3. Choose the type of scan: Port scanning tools typically offer several types of scans, including TCP connect, TCP SYN, TCP FIN, UDP, and others. Choose the type of scan that is appropriate for the target system and your goals.
  4. Define the port range: Specify the range of ports to be scanned, or use a default range that covers well-known ports.
  5. Run the scan: Execute the port scan and wait for the results. The scan will identify open ports on the target system, and may also provide information about the services running on those ports.
  6. Analyze the results: Review the results of the port scan to determine which ports and services are open on the target system, and evaluate their security implications.

It’s important to note that some organizations may have security measures in place that detect or block port scans, so it may be necessary to use techniques such as rate limiting or randomized scanning to avoid detection. Additionally, it’s important to only perform port scans on systems that you have permission to scan and to respect the privacy and security of others.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.