Subdomain Enumeration

SSL/TLS certs

Search Engines

  • Search engines can be used with filters to find subdomains

site:*.domain.com -site:www.domain.com

DNSRecon

dnsrecon -t brt -d domain.com

Sublist3r

sublist3r.py -d domain.com

Virtual Hosts

  • ffuf can be used to find subdomains

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.domain.com" -u http://MACHINE_IP

  • The above command returns a response for every word (the default virtual host answers), so every entry looks like a hit. Use -fs to filter by response size, and filter out the size value that occurs most often.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}
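Picking the -fs value by eye is error-prone, so here is an added Python example (not part of the original notes) that parses ffuf's default text output, finds the most frequently occurring response size, and keeps only the entries whose size differs. The sample output lines are constructed; the regex reads just the Status and Size fields so it works whether or not ffuf prints a Duration column.

```python
import re
from collections import Counter

# Constructed sample of ffuf's default text output for a Host-header fuzz.
# The default vhost answers every word, so the most common size is noise.
SAMPLE_OUTPUT = """\
www                     [Status: 200, Size: 4863, Words: 1341, Lines: 158]
mail                    [Status: 200, Size: 4863, Words: 1341, Lines: 158]
dev                     [Status: 200, Size: 4863, Words: 1341, Lines: 158]
intranet                [Status: 200, Size: 1217, Words: 164, Lines: 40]
ftp                     [Status: 200, Size: 4863, Words: 1341, Lines: 158]
admin                   [Status: 302, Size: 0, Words: 1, Lines: 1]
"""

# Word, then the Status and Size fields; later columns are ignored.
LINE_RE = re.compile(r"^(\S+)\s+\[Status:\s*(\d+),\s*Size:\s*(\d+)")


def parse_ffuf(text):
    """Return a list of (word, status, size) tuples from ffuf text output."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return results


def baseline_size(results):
    """Most frequently occurring response size: the value to pass to -fs.
    A tie between sizes means the sample is too small for a stable baseline."""
    if not results:
        return None
    counts = Counter(size for _, _, size in results)
    return counts.most_common(1)[0][0]


def interesting_vhosts(results):
    """Entries that differ from the baseline, i.e. what 'ffuf -fs <baseline>' keeps."""
    base = baseline_size(results)
    return [r for r in results if r[2] != base]


if __name__ == "__main__":
    parsed = parse_ffuf(SAMPLE_OUTPUT)
    print("rerun with: -fs", baseline_size(parsed))
    for word, status, size in interesting_vhosts(parsed):
        print(f"{word:<12} status={status} size={size}")
```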
