This is a guide to discovering website subdomains. I'll be going over the basics of what subdomains are, why you should be searching for them, and how to actually find them.
Assumed knowledge:
- Basic Linux/Unix commands
What are Subdomains?
On the surface, a subdomain is just an additional, prepended part to a domain name. In the example "dev.mytotallysecurewebsite.com", "mytotallysecurewebsite.com" is the root domain and "dev" is the subdomain.
As a developer, creating subdomains allows you to make a totally independent site, but still use your root domain. For example, it's common to create a subdomain where you test new features that aren't ready to be deployed on the official website yet.
Development subdomains are often used to "hide" new and untested features. By just visiting mytotallysecurewebsite.com, an average user has no way of knowing that something like dev.mytotallysecurewebsite.com exists.
Why Should I Find Subdomains?
Usually, a development/testing subdomain is the developer's dirty little secret. Many companies will put a lot of money and effort into making sure their root domain is as secure as possible, but then totally neglect their subdomains under the assumption that they'll never be discovered.
But without proper controls such as firewalls, subdomains will eventually be found. You can't hide anything from Google - or a particularly curious hacker.
If you're a developer with "hidden" subdomains, it's good practice to run your site against some subdomain enumerators. Because if you can find it, someone else probably already has.
As a pentester, subdomain enumeration is going to be a critical part of your reconnaissance. Subdomains are likely to contain A LOT more vulnerabilities than the root domain. Searching for subdomains is one of the first things I do when deciding how I'll be testing a website.
Find Subdomains Using Google
I don't know why you'd do this instead of just using an automated tool. But here's how.
Using Google's "site:" filter, we can see some of the subdomains Google has discovered for a site.
We can then add the "-inurl:" filter to exclude the subdomains we've already found, allowing us to see more.
You can keep iterating like this until you run out of subdomains, or get bored and just use an automatic tool instead. There are hundreds of decent subdomain enumeration tools, so instead of just dumping a bunch of them on you, I'll list only the ones I regularly use. Please don't yell at me if I missed your favorite!
Disclaimer: some of these tools are brute force and will trigger alarms. Alarms can be fine in some cases, but unideal in others.
Censys.io
Censys.io is a pretty awesome tool that gives you a lot of information about a website. It can be used to potentially find subdomains with the following search string: https://censys.io/certificates?q=.examplesite.com
There's also a decent tool on Github for automatically finding subdomains with Censys.io certificates.
Pentest-Tools
Pentest-Tools is another web app that finds subdomains. It's pretty easy to use - just type in the root domain and hit scan.
Aquatone
Aquatone-discover is one of my favorite subdomain tools. It takes a bit of time to run, but it's generally pretty robust and will yield a lot of results. Usually, I'll run Aquatone-discover first, and then get the other tools going while I wait for Aquatone to finish.
Sublist3r
Sublist3r is seriously amazing. Sublist3r uses open-source intelligence to find subdomains and will usually give you results within minutes. It's great for when you're itching to get started. By the time my other tools are done running, I've usually already taken a quick look at all the domains Sublist3r has given me.
Scavenging
Face it - you're probably not the best hacker out there. Anything you're doing, someone else might have already done better.
One of the things I like to try is Googling "site:github.com hosts example.com", or just "site:github.com" with one or two subdomains that I've already discovered. If you're lucky, someone has probably already made a dump of subdomains for the site you're testing (or unlucky, if this is a site you own).
Apart from searching in Github, Pastebin can have results too. This is a great way to save yourself a bit of effort if you're doing bug bounties where many pentesters have already checked out the site.
Putting it All Together
If you're a web developer and have subdomains, runnings scans on your website is a great way to check how exposed you are. Don't assume that no one will find your subdomains just because you've configured your robots.txt.
If you're a pentester, this is a vital step to understanding the attack surface of your target. If you're doing bug bounties with wide scopes, sometimes it's worthwhile to even ignore the official domain altogether and only focus your efforts on the subdomains.
Happy hacking!
This post was originally published on explainhownow.com
Top comments (11)
I also open robots.txt to find out what they're hiding ππ€£
Always a favorite! π€£
Aquatone and Sublist3r's scanning could trigger alarms on some systems. It is seen as a brute-force attack, or potential denial of service attack.
If you're on an internal network you can also use DNS tools. Usually sub-domain record transfer is disabled (I forget the tecgnical term), but if doing an internal audit perhaps you can have a machine that allows it.
Good point on the alarms! I kinda assume someone is doing a bug bounty or testing their own server, so alarms aren't a big deal. But if you're pentesting for a client (or doing something naughty) then alarms should be considered. I'll add in a quick disclaimer.
Thatβs true. Then you can try something like spyse.com. They already did everything for you. But still, sometimes you need to run the process yourself, youβll just need proxy to do that.
Also, as far as I know, guys from spyse are going to add an opportunity to scan all those things with the help of their service.
You're doing it the hard way!
crt.sh with a wildcard to search for any issued certificates, then dnsdumpster for a free review of censys scans to get any domains mentioned in headers or self signed certs exposed to the internet.
Thanks for the tip! I'll look into that and update the post.
Don't forget utilising tools like VirusTotal. You'll probably find most there and won't trigger alarms.
virustotal.com/#/domain/yahoo.com
Censys and pentest-tools will not show you all subdomains, especially of government-related websites. Google.com is not indexing a lot of hidden parts. For me, spyse is a golden mean.
This is why each of my development severs has a hard coded list of approved CIDRs that can access them. ACLs are neat!
Is it possible to use nslookup for finding sub domains?