Methods of enumerating subdomains passively

Passive subdomain enumeration is a technique for identifying subdomains of a target domain without actively sending any requests to the target domain’s servers. Instead, the technique relies on publicly available information, such as search engine results, DNS records, or publicly available datasets, to identify subdomains.

Passive subdomain enumeration is useful for security assessments, as it allows security researchers to identify potential attack vectors or target areas for further testing without attracting attention or generating traffic on the target domain’s servers. It can also be used to gather information about a domain’s infrastructure and identify subdomains that may be of interest for further analysis.

Passive subdomain enumeration is a key component of reconnaissance in a penetration testing or bug bounty program, and it can be used in combination with other techniques, such as active subdomain enumeration, to gather a complete picture of a target domain’s infrastructure.

Active and Passive Subdomain Enumeration

Active subdomain enumeration involves actively connecting to and attempting to retrieve information from subdomains. This can be done through techniques such as brute-force attacks, DNS zone transfers, and analyzing webserver responses.

Passive subdomain enumeration, on the other hand, involves gathering information about subdomains without actively connecting to them. This can be done through analysis of DNS records, SSL certificates, and other publicly available information. Passive subdomain enumeration is often used for reconnaissance and information gathering in ethical hacking and penetration testing.

Passive subdomain enumeration techniques

Passive subdomain enumeration techniques include:

  1. DNS record analysis: Analyzing publicly available DNS records to identify subdomains, such as MX records, NS records, and A records.
  2. Certificate transparency logs: Analyzing SSL certificate transparency logs to identify subdomains that have been issued SSL certificates.
  3. Search engine reconnaissance: Using search engines like Google, Bing, and Yahoo to search for subdomains by using specific search operators.
  4. Web archive analysis: Analyzing web archives like Wayback Machine to identify subdomains that have been present in the past.
  5. Code repository analysis: Analyzing code repositories like GitHub to identify subdomains mentioned in code or configuration files.
  6. Social media reconnaissance: Analyzing social media platforms like LinkedIn and Twitter to identify subdomains mentioned in posts or profiles.
  7. Maltego reconnaissance: Using tools like Maltego to perform passive reconnaissance and visualize relationships between subdomains, IP addresses, and other assets.

Tools for Passive subdomain enumeration

Here are some popular tools for passive subdomain enumeration:

  1. Sublist3r: An open-source tool that uses various sources to enumerate subdomains.
  2. Amass: An open-source tool that combines various techniques to gather subdomains, including searching certificate transparency logs and analyzing DNS records.
  3. SubFinder: An open-source tool that uses various sources to enumerate subdomains, including certificate transparency logs and API services.
  4. Assetfinder: A fast and efficient tool that uses various sources to gather subdomains, including certificate transparency logs and API services.
  5. Findomain: A fast and simple tool that uses various sources to enumerate subdomains, including certificate transparency logs and DNS servers.
  6. Recon-ng: A powerful reconnaissance tool that can be used for passive subdomain enumeration, as well as other types of reconnaissance.
  7. Filterbypass: An online service that allows you to search for subdomains using various sources, including certificate transparency logs and API services.

Passive subdomain enumeration using Certificate Transparency

Certificate Transparency (CT) is a technology that provides a public log of SSL certificates issued by certificate authorities. This can be used for passive subdomain enumeration, as the log will contain information about subdomains that have been issued SSL certificates.

To use Certificate Transparency for passive subdomain enumeration, you can search the CT log for SSL certificates that match the target domain or a specific subdomain pattern. You can then extract the subdomains from the SSL certificates found in the log.

There are several tools available that can automate this process, such as Certstream, Crt.sh, and CT-Exposer. Some of these tools allow you to search the log in real-time, so you can monitor new SSL certificates as they are issued.

Note that while CT logs can be a valuable source of information for passive subdomain enumeration, they may not contain information about all subdomains, as not all subdomains may have SSL certificates issued for them.

Passive subdomain enumeration using Subject Alternative Name (SAN)

Subject Alternative Name (SAN) is an X.509 certificate extension that lists additional hostnames or subdomains covered by the certificate. By analyzing SSL certificates that include SANs, it is possible to identify subdomains that are associated with a particular domain.

To use SANs for passive subdomain enumeration, you can extract SSL certificates for the target domain and its subdomains, and then examine the SAN field to see if any additional subdomains are specified.

There are several tools available that can automate this process, such as SSLScan, OpenSSL, and SSLYze. Some of these tools allow you to scan multiple subdomains and extract the SSL certificates for each one.

Note that not all subdomains will have SSL certificates issued for them, and not all SSL certificates will include SANs. So, while using SANs for passive subdomain enumeration can be a useful technique, it may not provide a comprehensive list of all subdomains for a given domain.
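The CT and SAN steps described in the two sections above, as an added example that is not part of the original post: crt.sh returns its results as a JSON list whose `name_value` field holds a certificate's SAN entries one per line, so one parser covers both the log search and the SAN extraction. The sample response below is constructed for the example (the names in it are made up), and the in-scope check is the defender's caveat the text implies: a lookalike such as `example.com.evil-host.net` contains the target string but is not a subdomain of it.

```python
import json
import re

# Constructed stand-in for the JSON that a crt.sh query such as
# https://crt.sh/?q=%25.example.com&output=json returns; every record below is made up.
SAMPLE_CT_RESPONSE = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.Example.com",
     "name_value": "MAIL.Example.com"},
    # Lookalike that merely contains the target string; it must not be reported.
    {"common_name": "example.com.evil-host.net",
     "name_value": "example.com.evil-host.net"},
    {"common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nwww.example.com"},
])

# One or more DNS labels followed by a TLD made of letters only.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(name, domain):
    """True if name is the apex itself or sits below it on a label boundary."""
    return name == domain or name.endswith("." + domain)


def extract_ct_names(ct_json, domain):
    """Return (hosts, wildcard_parents) found in crt.sh style records.

    name_value carries the certificate's SAN entries, one per line, so this is the
    same parsing step as reading the SAN extension off a certificate directly.
    Concrete hostnames and the parents of wildcard entries are reported separately:
    a wildcard proves the parent label exists but names no individual host.
    """
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            bucket = hosts
            if name.startswith("*."):
                name, bucket = name[2:], wildcards
            if HOSTNAME_RE.match(name) and in_scope(name, domain):
                bucket.add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    found_hosts, found_wildcards = extract_ct_names(SAMPLE_CT_RESPONSE, "example.com")
    print("hosts:", found_hosts)
    print("wildcard parents:", found_wildcards)
```

Wildcard parents are worth keeping as a separate list: a `*.dev.example.com` certificate tells you the `dev` namespace exists, which is useful scoping information, but it is not evidence that any particular host under it is live.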

Passive subdomain enumeration using ASN Discovery

Autonomous System Number (ASN) discovery is a technique for passive subdomain enumeration that involves identifying the ASN that announces the IP addresses behind a target domain, and then using that information to find other domains or IP addresses routed by the same ASN.

The ASN is a unique identifier assigned by a regional internet registry to a network operator, and it is used to identify the origin of IP addresses and routing information. By identifying the ASN associated with a particular domain or IP address, it is possible to find other domains or IP addresses that are hosted by the same network operator and that may be associated with the target domain.

To use ASN discovery for passive subdomain enumeration, you can use a tool like Whois to look up the ASN associated with the target domain or IP address, and then use a tool like BGPView or Censys to search for other domains or IP addresses that are associated with the same ASN.

Note that while ASN discovery can be a useful technique for passive subdomain enumeration, it may not always provide a complete list of subdomains for a particular domain, as some subdomains may be hosted by different network operators.
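The second half of the ASN workflow above, as an added example that is not part of the original post: once an ASN lookup service has given you the prefixes an ASN announces, candidate hostnames gathered from other passive sources can be sorted by whether their resolved address sits inside those prefixes. The AS number, prefixes and host-to-address pairs below are constructed for the example (the ranges are documentation addresses), and the JSON shape is an assumption, not the exact format of BGPView or Censys. It also covers the caveat in the text: hosts on a CDN or another operator's network fall outside the prefixes and are reported separately.

```python
import ipaddress
import json

# Constructed stand-in for the prefix list an ASN lookup service returns for one ASN.
# The AS number, name and prefixes are made up (documentation ranges only).
SAMPLE_ASN_PREFIXES = json.dumps({
    "asn": 64496,
    "name": "EXAMPLE-NET",
    "prefixes": ["203.0.113.0/24", "198.51.100.128/25", "2001:db8:10::/48"],
})

# Constructed (hostname, resolved address) pairs gathered from passive sources.
SAMPLE_HOSTS = [
    ("www.example.com", "203.0.113.10"),
    ("cdn.example.com", "192.0.2.55"),        # third-party CDN, different operator
    ("mail.example.com", "198.51.100.200"),   # inside the /25 (128-255)
    ("legacy.example.com", "198.51.100.20"),  # same /24 but outside the announced /25
    ("v6.example.com", "2001:db8:10:1::25"),
]


def load_networks(asn_json):
    """Parse the announced prefixes into ip_network objects (v4 and v6 mixed)."""
    data = json.loads(asn_json)
    return [ipaddress.ip_network(prefix, strict=False) for prefix in data["prefixes"]]


def ip_in_asn(ip, networks):
    """True if the address falls inside any announced prefix of the ASN.
    Membership tests across address families simply return False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_hosts(hosts, asn_json):
    """Split hosts into those routed by the ASN and those hosted elsewhere."""
    networks = load_networks(asn_json)
    inside, outside = [], []
    for host, ip in hosts:
        (inside if ip_in_asn(ip, networks) else outside).append(host)
    return sorted(inside), sorted(outside)


if __name__ == "__main__":
    in_asn, elsewhere = classify_hosts(SAMPLE_HOSTS, SAMPLE_ASN_PREFIXES)
    print("routed by the ASN:", in_asn)
    print("hosted elsewhere:", elsewhere)
```

Note that `legacy.example.com` is rejected even though it shares a /24 with an announced prefix: only the exact announced /25 counts, which is why prefix lists should be taken from routing data rather than guessed from neighbouring addresses.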

Passive subdomain enumeration using DNS aggregator

DNS aggregators are services that collect and maintain information about domain names and their associated IP addresses. By analyzing data from these services, it is possible to identify subdomains associated with a particular domain.

To use DNS aggregators for passive subdomain enumeration, you can query the aggregator for the target domain and examine the results to see if any subdomains are listed. Some DNS aggregators also provide APIs that allow you to automate the process of querying the service and extracting the data.

There are several popular DNS aggregators that can be used for passive subdomain enumeration, including VirusTotal, DNSdumpster, and Robtex. Some of these services allow you to search for subdomains based on specific patterns, or to see the historical DNS records for a particular domain.

Note that while DNS aggregators can be a useful source of information for passive subdomain enumeration, the information may not always be up-to-date, and some subdomains may not be listed in the aggregator’s database.

Passive subdomain enumeration using Search Engines

Search engines can be used for passive subdomain enumeration by searching for information about a particular domain and its subdomains that have been indexed by the search engine.

To use search engines for passive subdomain enumeration, you can perform a search for the target domain and specific subdomain patterns, and then examine the results to see if any subdomains are listed. You can also use advanced search operators and site-specific search functionality to narrow down the results and find subdomains that have been indexed by the search engine.

Some popular search engines that can be used for passive subdomain enumeration include Google, Bing, and DuckDuckGo. Some search engines also provide APIs that allow you to automate the process of searching for subdomains.

Note that while search engines can be a useful source of information for passive subdomain enumeration, the information may not always be up-to-date, and some subdomains may not be listed in the search engine’s index. Additionally, some subdomains may be restricted by robots.txt or other means, so they will not be indexed by the search engine.

Passive subdomain enumeration using DNS Enum with Cloudflare

DNS Enum is a technique for passive subdomain enumeration that involves querying the DNS records of a domain to identify its subdomains. Cloudflare is a popular content delivery network (CDN) and DNS provider, and it can be used as part of this technique.

To use DNS Enum with Cloudflare for passive subdomain enumeration, you can query the Cloudflare-hosted DNS records for the target domain and examine the results to see if any subdomains are listed. You can use tools like dig, nslookup, or host to query the DNS records, and you can also use online tools like CentralOps or SecurityTrails to automate the process.

Note that while using DNS Enum with Cloudflare can be a useful technique for passive subdomain enumeration, not all subdomains will be listed in the DNS records, and some subdomains may be protected by Cloudflare’s security features, making them harder to enumerate. Additionally, some subdomains may be hosted on different DNS providers or have different DNS records than the main domain, so they may not be identified by querying the Cloudflare-hosted DNS records.

Passive subdomain enumeration using public datasets

Public datasets can be used for passive subdomain enumeration by analyzing large amounts of publicly available data to identify subdomains associated with a particular domain.

To use public datasets for passive subdomain enumeration, you can search for and analyze datasets that contain information about domains and their associated IP addresses, such as Common Crawl or the Wayback Machine. You can also search for datasets that contain information about subdomains, such as the results of previous penetration testing or bug bounty programs.

By analyzing these datasets, you can identify subdomains that are associated with the target domain and that may be interesting targets for further testing. You can also use tools like JHOVE or FRED to automate the process of analyzing the datasets.

Note that while public datasets can be a valuable source of information for passive subdomain enumeration, the information may not always be up-to-date, and some subdomains may not be listed in the dataset. Additionally, some datasets may contain inaccurate or outdated information, so it is important to validate the results before using them in a security assessment.
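The extraction step shared by the search engine, web archive and public dataset sections above, as an added example that is not part of the original post: whatever the source (search result snippets, an archived page, a config file from a crawl), the raw material is free text, and the job is to pull out hostnames that end in the target domain on a label boundary. The sample text is constructed for the example and contains the two traps the validation caveat in the text points at: `notexample.com` and `example.com.attacker.net` both contain the target string but are not subdomains of it.

```python
import re

# Constructed text standing in for search-result snippets, an archived page and a config
# file pulled from a public dataset; none of it comes from a real site.
SAMPLE_TEXT = """
Example Corp Careers - https://jobs.example.com/openings?ref=search
Archived copy: http://Staging-API.example.com:8443/v1/health
API_BASE=https://internal.example.com/api
notexample.com and example.com.attacker.net must not be reported
contact: security@example.com
ftp://files.example.com./pub
"""


def hostname_pattern(domain):
    """Compile a pattern for hostnames that end in domain on a label boundary.

    The lookbehind rejects a match glued to a preceding label character
    (notexample.com); the lookahead rejects a following '.label'
    (example.com.attacker.net) while still letting a trailing dot, '/', ':'
    or whitespace terminate the name.
    """
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    return re.compile(
        r"(?<![a-z0-9.-])((?:" + label + r"\.)*" + re.escape(domain) + r")(?!\.?[a-z0-9-])",
        re.IGNORECASE,
    )


def extract_hosts(text, domain):
    """Return sorted unique lowercase hostnames in scope for domain found in free text."""
    pattern = hostname_pattern(domain.lower().rstrip("."))
    return sorted({match.group(1).lower() for match in pattern.finditer(text)})


if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_TEXT, "example.com"):
        print(host)
```

The output is a candidate list, not a verified one: as the text notes, dataset contents may be stale, so each name still needs to be confirmed (for example by a DNS lookup during the active phase) before it is treated as a live asset.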
