Day 39: Security Recon subdomain enumeration
In pentesting/whitehat hacking, subdomain enumeration is the part of reconnaissance where we attempt to find the subdomains of a main target domain.
Subdomain enumeration is usually based on two main techniques.
- Finding subdomains by scraping search engines
- Finding subdomains by trial and error using wordlists of common names.
Scraping search engines
Basically, the main domain is searched in search engines and we see if that particular domain has some usable subdomains.
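To show what both techniques from the list above boil down to, here is an added example (not code from this post and not Sublist3r's code). One function pulls hostnames under a target domain out of scraped text, the other walks a wordlist and keeps the candidates that resolve. The `example.com` hostnames, the search-result snippet and the `192.0.2.x` addresses are constructed so the script runs offline; the fake resolver stands in for real DNS, and the wildcard probe shows the usual pitfall where a zone answers for every name and a naive brute force reports every word as a hit. Run against your own domains, this is a cheap way to build an inventory of hosts you forgot you expose.

```python
import re
import secrets
import socket
from typing import Callable, Iterable, Optional

# --- Technique 1: scraping. Extract hostnames under `domain` from any text
#     (search-engine result page, certificate transparency dump, saved HTML).
def extract_subdomains(text: str, domain: str) -> set:
    # One or more DNS labels, then the target domain. The lookbehind stops us
    # matching inside a longer name ("notexample.com"), the lookahead rejects
    # names that merely contain the domain ("www.example.com.evil.test") while
    # still allowing a trailing dot or a URL path after the hostname.
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    pattern = re.compile(
        r"(?<![\w.-])((?:%s\.)+%s)(?!\.?[\w-])" % (label, re.escape(domain.lower())),
        re.IGNORECASE,
    )
    return {m.group(1).lower() for m in pattern.finditer(text)}


# --- Technique 2: wordlist trial and error.
def _dns_resolve(host: str) -> Optional[str]:
    # Real resolver for live use; returns None when the name does not exist.
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def wildcard_answer(domain: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    # Ask for a random label that cannot be in anyone's wordlist. If it resolves,
    # the zone has a wildcard record and that address must not count as a find.
    probe = "%s.%s" % (secrets.token_hex(8), domain)
    return resolve(probe)


def bruteforce_subdomains(domain: str, wordlist: Iterable[str],
                          resolve: Callable[[str], Optional[str]] = _dns_resolve) -> dict:
    wildcard = wildcard_answer(domain, resolve)
    alive = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):      # skip blanks and comments in the list
            continue
        host = "%s.%s" % (word, domain)
        ip = resolve(host)
        if ip is not None and ip != wildcard:     # drop wildcard-only answers
            alive[host] = ip
    return alive


# --- Constructed offline data (assumption: not a real zone, not real search results).
CONSTRUCTED_ZONE = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "dev.example.com": "192.0.2.30",
}

CONSTRUCTED_SEARCH_RESULTS = """
<a href="https://www.example.com/">Example</a>
<a href="http://mail.example.com/login">Webmail</a>
Cached copy: dev.example.com.  See also old.dev.example.com and notexample.com.
Ignore www.example.com.evil.test and example.com itself.
"""


def fake_resolve(host: str) -> Optional[str]:
    # Stand-in for DNS: only the constructed zone exists.
    return CONSTRUCTED_ZONE.get(host)


def fake_wildcard_resolve(host: str) -> Optional[str]:
    # Same zone, but every other name answers with one catch-all address.
    return CONSTRUCTED_ZONE.get(host, "192.0.2.99")


if __name__ == "__main__":
    print("scraped:", sorted(extract_subdomains(CONSTRUCTED_SEARCH_RESULTS, "example.com")))
    words = ["www", "mail", "ftp", "dev", "# not a word", ""]
    print("wordlist:", bruteforce_subdomains("example.com", words, fake_resolve))
    print("wordlist vs wildcard zone:", bruteforce_subdomains("example.com", words, fake_wildcard_resolve))
```

Swap `fake_resolve` for the default `_dns_resolve` to run it for real; the wildcard check is the part worth keeping even if you use someone else's tool, because a zone with a catch-all record makes every wordlist entry look like a live host.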
Sublist3r is one of my favourite tools for subdomain enumeration.
```bash
# Clone repository
git clone https://github.com/aboul3la/Sublist3r
# Go to cloned directory
cd Sublist3r/
# Install all prerequisites from requirements file, I'm using python3
sudo pip3 install -r requirements.txt
# Check that the installation works
python3 sublist3r.py -h
# I'm outputting the results to my .txt file
python3 sublist3r.py -d codarren.com -o codarren.com_OUT_DOMAIN.txt
```
Why use a subdomain enumeration tool?
Its value rests on a simple observation: the main domain is normally well protected, but there may be subdomains that are not as well protected as the main, high-traffic site.
Those are the hosts an unethical hacker might go for, and that is why we check these potential targets in pentesting.