Subdomain/Virtual Host Enumeration
Last updated
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
amass
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Information Gathering Techniques:
Amass comes with 5 different subcommands. They are `intel`, `enum`, `track`, `viz` and `db`. Their purposes are shown below, copy pasta straight from the amass docs for your convenience.
- `amass intel` — Discover targets for enumerations
- `amass enum` — Perform enumerations and network mapping
- `amass viz` — Visualize enumeration results
- `amass track` — Track differences between enumerations
- `amass db` — Manipulate the Amass graph database
If you feed IP addresses to Amass and give it the `-active` flag, it pulls the SSL certificate from every IP address within the IP range and then spits back the domain that the SSL cert is associated with.
Every scan that you do with `amass` is automatically stored on the computer that you ran it on. If you run the same scan again, `amass` will track any changes that have taken place since your last scan. The most obvious way to use this feature is to discover which subdomains have appeared since your last scan. For example, if you run `amass enum -d $domain` one month, then run it again on the same domain the following month, you can run `amass track -d $domain` and it will tell you anything that has changed between the two runs.
TODO: Add examples, link to relevant Hack the Box writeups
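To show the kind of difference report `amass track` gives you, here is an added example (not code from this page or the amass project) that diffs two constructed enumeration runs. It assumes amass v3's `enum -json` line format: one JSON object per line with `name`, `domain`, `addresses`, `tag` and `sources`.

```python
"""Diff two amass enumeration runs the way `amass track` reports changes.

Added example, not part of the page or the amass project. Assumes amass v3's
`enum -json` line format (one object per line with "name", "domain",
"addresses", "tag", "sources"). Both runs below are constructed sample data.
"""
import json

# Constructed sample output: the same domain enumerated a month apart.
RUN_MONTH_1 = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.10","cidr":"198.51.100.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"dns","sources":["DNS"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.25","cidr":"198.51.100.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"old.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.30","cidr":"198.51.100.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"archive","sources":["Wayback"]}
"""
RUN_MONTH_2 = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64497,"desc":"CDN-AS"}],"tag":"dns","sources":["DNS"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.25","cidr":"198.51.100.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.40","cidr":"198.51.100.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["CertSpotter"]}
"""

def parse_run(text):
    """Map each FQDN to the sorted tuple of IPs amass resolved for it."""
    hosts = {}
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ips = sorted(a["ip"] for a in rec.get("addresses", []))
        hosts[rec["name"]] = tuple(ips)
    return hosts

def track(old, new):
    """Names that appeared, disappeared, or now resolve to different IPs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return {"added": added, "removed": removed, "changed": changed}

if __name__ == "__main__":
    report = track(parse_run(RUN_MONTH_1), parse_run(RUN_MONTH_2))
    for kind, names in report.items():
        for name in names:
            print(f"{kind:8} {name}")
```

A newly appeared host (here `dev.example.com`) is the one to look at first; a host whose address moved to a different ASN is the usual sign of a CDN migration or a dangling record.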
gobuster
- `dir` - the classic directory brute-forcing mode
- `dns` - DNS subdomain brute-forcing mode
- `s3` - Enumerate open S3 buckets and look for existence and bucket listings
- `vhost` - virtual host brute-forcing mode (not the same as DNS!)
Wordlists can be piped into `gobuster` via stdin by providing a `-` to the `-w` option.
Note: If the `-w` option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate.
You can supply pattern files that will be applied to every word from the wordlist. Just place the string `{GOBUSTER}` in it and this will be replaced with the word. This feature is also handy in s3 mode to pre- or postfix certain patterns.
Caution: Using a big pattern file can cause a lot of requests, as every pattern is applied to every word in the wordlist.
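An added example (not gobuster's own code) that applies the `{GOBUSTER}` substitution described above to a constructed wordlist and pattern file, so you can see the candidate list and the request count the caution is about before the real run; the expanded list can then be piped to `gobuster` via stdin with `-w -`.

```python
"""Pre-expand a wordlist through a gobuster-style pattern file.

Added example, not gobuster's own code. It applies the documented rule
({GOBUSTER} in each pattern is replaced by each word) and reports how many
requests that produces. WORDLIST and PATTERNS are constructed sample inputs.
"""
import sys

PLACEHOLDER = "{GOBUSTER}"

WORDLIST = ["admin", "backup", "dev"]
PATTERNS = [
    "{GOBUSTER}",           # the word itself
    "{GOBUSTER}-prod",      # postfix style, e.g. bucket names in s3 mode
    "assets-{GOBUSTER}",    # prefix style
    "{GOBUSTER}.bak",
]

def expand(words, patterns):
    """Every candidate: each word pushed through every pattern, in order.
    A pattern without the placeholder yields the same literal for every word,
    which is why such lines are pure waste in a pattern file."""
    return [pat.replace(PLACEHOLDER, word) for word in words for pat in patterns]

def request_count(words, patterns):
    """Requests the tool will send: one per candidate, i.e. words x patterns."""
    return len(words) * len(patterns)

def unique_candidates(words, patterns):
    """Candidates with exact duplicates removed (order preserved), suitable
    for piping to `gobuster ... -w -` instead of handing over the pattern file."""
    return list(dict.fromkeys(expand(words, patterns)))

if __name__ == "__main__":
    # The count goes to stderr so stdout stays a clean wordlist for a pipe.
    print(f"# {request_count(WORDLIST, PATTERNS)} requests for "
          f"{len(WORDLIST)} words x {len(PATTERNS)} patterns", file=sys.stderr)
    for candidate in unique_candidates(WORDLIST, PATTERNS):
        print(candidate)
```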
Automated tool that uses many other tools to fully enumerate a domain and report IPs, subdomains, vulnerability to subdomain takeover, and much more!
While navigating through the target website with Burp, try each of these in order of increasing noisiness:
1. Without passive scanner
2. Set forms to auto submit
3. Change Scope in Advanced settings, any protocol and one relevant keyword
4. Select all sitemap, Engagement Tools -> Analyze target
TODO: Test each tool, get links, and add usage examples
Use `aquatone` to validate subdomains by taking screenshots and generating a report of findings. Best used with the Chromium browser. Creates the following files and folders in the current directory:
- `aquatone_report.html`: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.
- `aquatone_urls.txt`: A file containing all responsive URLs. Useful for feeding into other tools.
- `aquatone_session.json`: A file containing statistics and page data. Useful for automation.
- `headers/`: A folder with files containing raw response headers from processed targets.
- `html/`: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don't need this for further analysis, you can disable this with the `-save-body=false` flag to save some disk space.
- `screenshots/`: A folder with PNG screenshots of the processed targets.
Output can be sent to a specified directory with the `-out $directory` argument.
By default, `aquatone` will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the `-ports` flag.
`aquatone` also supports aliases of built-in port lists to make it easier for you:
- small: 80, 443
- medium: 80, 443, 8000, 8080, 8443 (same as default)
- large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
- xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017
`aquatone` can make a report on hosts scanned with the Nmap or Masscan port scanners. Simply feed `aquatone` the XML output and give it the `-nmap` flag to tell it to parse the input as Nmap/Masscan XML.
Amass information gathering techniques and their data sources:

| Technique | Data Sources |
|---|---|
| DNS | Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing |
| Scraping | Ask, Baidu, Bing, BuiltWith, DNSDumpster, HackerOne, IPv4Info, RapidDNS, Riddler, SiteDossier, Yahoo |
| Certificates | Active pulls (optional), Censys, CertSpotter, Crtsh, FacebookCT, GoogleCT |
| APIs | AlienVault, Anubis, BinaryEdge, BGPView, BufferOver, C99, CIRCL, Cloudflare, CommonCrawl, DNSDB, GitHub, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, ReconDev, Robtex, SecurityTrails, ShadowServer, Shodan, SonarSearch, Spyse, Sublist3rAPI, TeamCymru, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML, ZETAlytics, ZoomEye |
| Web Archives | ArchiveIt, ArchiveToday, Wayback |