---
description: Passive and Active recon
---

# Hunting Subdomains

The goal here is to widen the attack surface we have to work with.

Can we find lucrative subdomains that will help our later attacks?

Example:

If we are targeting apple.com, what if there is a vulnerable web app on dev.apple.com?

## Sublist3r

Installation (apt):

```bash
apt install sublist3r -y
```

Syntax Usage:

```bash
sublist3r -d apple.com
```

- If the tool is running slowly, use the `-t` option to increase the number of threads:

```bash
sublist3r -d apple.com -t 100
```

## Certificate Fingerprinting

{% embed url="https://crt.sh/" %}

On this site, `%` is the wildcard: put it in front of the domain to match every certificate issued for any of its subdomains.

Example:

```
%.apple.com
```
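A crt.sh wildcard search returns a lot of duplicates, mixed case, wildcard entries and names from other domains that happen to share a certificate. The script below is an added example, not part of these notes: it turns a crt.sh response into a clean hostname list and then diffs it against an asset inventory, which is the same data seen from the defender's side (a host with a public certificate that nobody registered is either forgotten infrastructure or a naming collision). It assumes the JSON shape of `https://crt.sh/?q=%25.example.com&output=json`, a list of objects whose `name_value` field holds one or more newline-separated names; the sample response and the inventory are constructed inline.

```python
"""Turn a crt.sh JSON response into a clean, deduplicated subdomain list.

Added example (not part of the original notes). Assumes the JSON shape that
https://crt.sh/?q=%25.example.com&output=json returns: a list of objects with a
"name_value" field that may hold several newline-separated names. The sample
response below is constructed for the example, not fetched.
"""
import json
import re

# Constructed sample of the records crt.sh returns for the wildcard query
# "%.example.com". Real responses are much longer and noisier.
SAMPLE_CRT_SH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "dev.example.com",
     "name_value": "dev.example.com\nstaging.example.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nEXAMPLE.COM"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com"},
    # A SAN that is NOT under our domain sits in the same certificate.
    {"common_name": "cdn.example.net",
     "name_value": "cdn.example.net\nassets.example.com"},
])

# Conservative hostname syntax check (labels of letters, digits and hyphens).
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def extract_hostnames(crt_sh_json, domain):
    """Return sorted, unique, lower-cased hostnames under `domain`.

    Wildcard entries ("*.example.com") are dropped because they name no
    concrete host, and names outside the target domain are ignored even when
    they share a certificate with it.
    """
    domain = domain.lower().strip(".")
    suffix = "." + domain
    found = set()
    for record in json.loads(crt_sh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name != domain and not name.endswith(suffix):
                continue
            if not HOSTNAME_RE.match(name):
                continue
            found.add(name)
    return sorted(found)


def unknown_hosts(hostnames, inventory):
    """Hostnames that appear in CT logs but not in the asset inventory."""
    known = {h.lower() for h in inventory}
    return [h for h in hostnames if h not in known]


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_CRT_SH_JSON, "example.com")
    print("\n".join(hosts))
    # Constructed inventory: staging.example.com is left out of it on purpose.
    inventory = ["www.example.com", "example.com", "dev.example.com",
                 "mail.example.com", "assets.example.com"]
    print("not in inventory:", unknown_hosts(hosts, inventory))
```

Run against a real response by saving the crt.sh JSON to a file and passing its contents to `extract_hostnames`; the output list is also the natural input for the HTTP probing step further down the page.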

## OWASP Amass

This is a DNS enumeration tool that helps an attacker map the attack surface of a target through external asset discovery.

GitHub Repo:

{% embed url="https://github.com/OWASP/Amass" %}

{% embed url="https://owasp.org/www-project-amass/" %}

## HTTP Probing -- Is it alive?

{% embed url="https://github.com/tomnomnom/httprobe" %}

This tool takes a list of domains and probes each one for a live HTTP/HTTPS server.
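To make the probing step concrete, here is an added example of the same idea in Python; it is not httprobe's own code. It follows the behaviour described above (try http and https for every host and report the ones that answer), while the port handling, the user agent string and the loopback self-check are assumptions made for the example. Certificate validation is deliberately off: an expired or self-signed certificate still means a live server that belongs in the inventory.

```python
"""Probe a host list for live HTTP/HTTPS servers, httprobe-style.

Added example, not httprobe's own code. Tries http on 80 and https on 443 for
every host; a host written as "name:port" is tried on that port with both
schemes. The loopback self-check is an assumption for the example.
"""
import http.client
import ssl
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_SCHEMES = (("http", 80), ("https", 443))


def candidate_urls(host, schemes=DEFAULT_SCHEMES):
    """Expand one input line into the URLs worth trying."""
    host = host.strip().lower()
    if not host:
        return []
    if ":" in host:  # explicit port wins, both schemes are tried on it
        name, port = host.rsplit(":", 1)
        return [f"{scheme}://{name}:{port}" for scheme, _ in schemes]
    return [f"{scheme}://{host}:{port}" for scheme, port in schemes]


def is_alive(url, timeout=3.0):
    """True if something answers HTTP(S) at url; any status code counts."""
    scheme, rest = url.split("://", 1)
    name, port = rest.rsplit(":", 1)
    conn = None
    try:
        if scheme == "https":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # liveness, not trust
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(name, int(port), timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(name, int(port), timeout=timeout)
        conn.request("GET", "/", headers={"User-Agent": "probe-example"})
        conn.getresponse()
        return True
    except (OSError, http.client.HTTPException):
        # connection refused, timeout, TLS handshake against a plain server...
        return False
    finally:
        if conn is not None:
            conn.close()


def probe(hosts, timeout=3.0, workers=20):
    """Return the sorted list of live URLs for a list of hostnames."""
    urls = [u for h in hosts for u in candidate_urls(h)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda u: (u, is_alive(u, timeout)), urls))
    return sorted(u for u, alive in results if alive)


class _Quiet200(BaseHTTPRequestHandler):
    """Handler for the loopback self-check: always 200, never logs."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass


def local_demo():
    """Start a plain-HTTP server on a loopback port and probe it.

    Returns (http_alive, https_alive). The https probe must come back False
    because the server does not speak TLS, which is exactly the distinction
    the prober has to make in the field.
    """
    server = HTTPServer(("127.0.0.1", 0), _Quiet200)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        alive = probe([f"127.0.0.1:{port}"], timeout=1.0)
    finally:
        server.shutdown()
        server.server_close()
    return (f"http://127.0.0.1:{port}" in alive,
            f"https://127.0.0.1:{port}" in alive)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py < hosts.txt   (one hostname per line)
    for url in probe([line for line in sys.stdin]):
        print(url)
```

Feed it the hostname list from the certificate transparency step and it prints only the URLs that answered; lowering `timeout` speeds up a large list at the cost of missing slow hosts, the same trade-off httprobe's own timeout option makes.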