Subdomain enumeration is the process of discovering and listing the subdomains of a target by querying DNS records. A records (AAAA for IPv6) map a name to its IP address, while CNAME records make a name an alias for another name, which is how a subdomain can end up pointing at a third party's infrastructure.

There are two main methods for performing subdomain enumeration: active enumeration, which takes candidate names from a wordlist and resolves them (brute force), and passive enumeration, which collects names already recorded by third parties such as certificate transparency logs, search engines and threat-intelligence feeds. Most of the tools below do one or the other; Amass combines both.

DNSenum

DNSenum is a multithreaded Perl script that enumerates DNS information for a domain (name servers, MX records, zone-transfer attempts, wordlist brute force) and discovers non-contiguous IP blocks.

# -f wordlist for the brute force, -r recurse into discovered subdomains that have their own NS records
dnsenum --enum example.com -f /wordlists/subdomains.txt -r

Gobuster

Gobuster is a directory/file, DNS and vhost brute-forcing tool written in Go.

# DNS subdomain enumeration mode
gobuster dns -d example.com -w /wordlists/subdomains.txt
 
# Patterns generate extra candidates: every line is a template in which {GOBUSTER}
# is replaced by each wordlist entry. Save the template(s) into pattern.txt
i-want-this-pattern-{GOBUSTER}-ok
 
# Run gobuster with the pattern file (-p) against a chosen resolver (-r)
gobuster dns -r "ns.example.com" -d "example.com" -p pattern.txt -w /wordlists/subdomains.txt

Fierce

Fierce is a DNS reconnaissance tool for locating non-contiguous IP space.

fierce --domain example.com --subdomain-file /wordlists/subdomains.txt

Ffuf

Ffuf is a fast web fuzzer written in Go. Putting FUZZ in the hostname makes ffuf resolve each candidate over DNS, so this is a DNS brute force with an HTTP check on top; for name-based virtual hosts on a known IP, fuzz the Host header instead and filter out the default response with -fs or -fw.

ffuf -u http://FUZZ.example.com -w /wordlists/subdomains.txt

Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

# -brute is a switch; the wordlist is passed separately with -w
amass enum -d example.com -brute -w /wordlists/subdomains.txt

Assetfinder

Assetfinder finds domains and subdomains potentially related to a given domain, using passive sources only.

assetfinder -subs-only example.com

PureDNS

PureDNS is a fast domain resolver and subdomain brute-forcing tool that filters out wildcard subdomains and DNS-poisoned entries: it resolves the wordlist through a large set of public resolvers with massdns, then re-validates every hit against trusted resolvers.

# Requires massdns and a resolvers file (https://github.com/trickest/resolvers); -r points at it
puredns bruteforce /wordlists/subdomains.txt example.com -r /wordlists/resolvers.txt
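The wildcard check and trusted-resolver re-validation that PureDNS performs (and that any wordlist brute force, including the gobuster, dnsrecon and fierce modes above, needs in some form) fit in a few dozen lines. What follows is an added example written for this page, not code from PureDNS or any other listed tool. The DNS lookup is injected as a callable and the zone at the bottom is constructed, so it runs offline; in practice the callable would wrap dnspython or socket.getaddrinfo, with a public resolver for the bulk pass and a trusted one (the target's own NS, or a resolver you control) for confirmation.

```python
"""Wordlist brute force with wildcard filtering and trusted-resolver validation.

Added example for this page, not code from PureDNS or any other tool listed.
The lookup is injected as a callable so the logic runs offline against the
constructed zone at the bottom; wrap dnspython or socket.getaddrinfo for real use.
"""
import random
import string
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# A lookup returns (cname_target_or_None, set_of_A/AAAA_addresses).
# (None, empty set) stands for NXDOMAIN / no data.
Answer = Tuple[Optional[str], Set[str]]
Resolver = Callable[[str], Answer]
NXDOMAIN: Answer = (None, set())


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Answer:
    """Resolve a few random labels under the domain. If every probe gets an
    answer the zone has a wildcard record and the union of those answers is
    returned; a single NXDOMAIN means there is no wildcard."""
    cname, addrs = None, set()
    for _ in range(probes):
        probe_cname, probe_ips = resolve(f"{random_label()}.{domain}")
        if probe_cname is None and not probe_ips:
            return NXDOMAIN
        cname = cname or probe_cname
        addrs |= probe_ips
    return cname, addrs


def is_wildcard_answer(answer: Answer, wildcard: Answer) -> bool:
    """True when an answer is indistinguishable from the wildcard's answer."""
    if wildcard == NXDOMAIN:
        return False
    cname, ips = answer
    wc_cname, wc_ips = wildcard
    if cname is not None:
        return cname == wc_cname
    return bool(ips) and ips <= wc_ips


def bruteforce(domain: str, words: Iterable[str],
               resolve_bulk: Resolver, resolve_trusted: Resolver) -> Dict[str, Answer]:
    """Return {name: answer} for wordlist hits that survive both filters:
    1. the answer differs from the wildcard answer, and
    2. a trusted resolver confirms it, which drops poisoned or stale answers
       from the public resolvers used for the fast bulk pass."""
    wildcard = detect_wildcard(domain, resolve_bulk)
    found: Dict[str, Answer] = {}
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        name = f"{word}.{domain}"
        answer = resolve_bulk(name)
        if answer == NXDOMAIN or is_wildcard_answer(answer, wildcard):
            continue
        confirmed = resolve_trusted(name)
        if confirmed == NXDOMAIN or is_wildcard_answer(confirmed, wildcard):
            continue
        found[name] = confirmed
    return found


def make_resolver(zone: Dict[str, Answer], wildcard: Answer = NXDOMAIN,
                  lies: Optional[Dict[str, Answer]] = None) -> Resolver:
    """Offline resolver over a constructed zone: unknown names get the wildcard
    answer; ``lies`` simulates a poisoned resolver returning bogus records."""
    def resolve(name: str) -> Answer:
        if lies and name in lies:
            return lies[name]
        return zone.get(name, wildcard)
    return resolve


# Constructed sample zone (not real data): a wildcard at 203.0.113.9, two real
# hosts and a CNAME to a third-party host. Only the poisoned bulk resolver "knows" vpn.
ZONE: Dict[str, Answer] = {
    "www.example.com": (None, {"203.0.113.10"}),
    "mail.example.com": (None, {"203.0.113.20", "2001:db8::20"}),
    "blog.example.com": ("sites.hosting.example.net", {"198.51.100.5"}),
}
WILDCARD: Answer = (None, {"203.0.113.9"})
POISON: Dict[str, Answer] = {"vpn.example.com": (None, {"192.0.2.66"})}
WORDS = ["www", "mail", "blog", "vpn", "dev", "staging"]


def demo() -> Dict[str, Answer]:
    bulk = make_resolver(ZONE, WILDCARD, POISON)
    trusted = make_resolver(ZONE, WILDCARD)
    return bruteforce("example.com", WORDS, bulk, trusted)


if __name__ == "__main__":
    for name, (cname, ips) in sorted(demo().items()):
        print(f"{name:20} {cname or '-':28} {','.join(sorted(ips))}")
```

The comparison is against the wildcard's answer, not merely "did it resolve": in a wildcard zone every guess resolves, so a hit only counts when its CNAME target or address set differs from what a random label gets. The constructed run keeps www, mail and blog, discards dev and staging as wildcard noise, and discards vpn because the trusted resolver does not confirm the bulk resolver's bogus record.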

DNSrecon

DNSrecon is a Python script for DNS enumeration; -t brt selects the brute-force mode and -D supplies the wordlist.

dnsrecon -t brt -d example.com -D /wordlists/subdomains.txt

VirusTotal

To get information about a domain, type the domain name into the search bar and open the "Relations" tab, which lists the subdomains VirusTotal has observed (a passive source; nothing is sent to the target).

Certificates

Another useful source of subdomains is SSL/TLS certificates: the Subject Alternative Name (SAN) extension lists every hostname a certificate covers, and certificate transparency logs make certificates issued for a domain publicly searchable. To discover additional domain names and subdomains for a target we can use:

# Query crt.sh and save the output; %25 is a URL-encoded % wildcard, so subdomains match too.
# name_value may hold several newline-separated names, which jq's "\n" expands into one per line.
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > output.txt
 
# OpenSSL: pull the SAN list from the live certificate (-servername sends SNI so the right cert is served);
# wildcard entries (*.example.com) are dropped, as in the original pipeline
openssl s_client -servername example.com -connect "example.com:443" </dev/null 2>/dev/null | openssl x509 -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | grep -v '^\*' | sort -u
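The crt.sh one-liner glosses over a few details: name_value can hold several names, wildcard entries need the leading "*." stripped, names may be mixed case or carry a trailing dot, certificates for look-alike domains must be dropped, and a name that appears only in expired certificates points at a decommissioned host rather than a live one. The following is an added example, not code from this page or from crt.sh. The JSON is a constructed sample in crt.sh's field layout (common_name, name_value, not_after); for a live run, fetch the URL above with urllib and pass json.loads(body) to parse_crtsh. Comparing not_after values as strings assumes the ISO-8601 format crt.sh emits.

```python
"""Turn crt.sh JSON into a clean, in-scope subdomain list.

Added example, not from the page or crt.sh. The response below is a constructed
sample in crt.sh's field layout; for a live run, fetch
https://crt.sh/?q=%25.example.com&output=json with urllib and pass json.loads(body).
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample: several names per name_value, a wildcard, mixed case,
# a trailing dot, a look-alike domain, and hosts seen only in expired certs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2025-03-01T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\n*.Dev.example.com",
     "not_after": "2023-01-01T00:00:00"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nold-vpn.example.com.",
     "not_after": "2022-06-01T00:00:00"},
    {"common_name": "www.example.com", "name_value": "www.example.com",
     "not_after": "2024-01-01T00:00:00"},
    {"common_name": "example.com.evil-hosting.net", "name_value": "example.com.evil-hosting.net",
     "not_after": "2025-01-01T00:00:00"},
])


def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading '*.' so that wildcard
    certificates still reveal the zone they were issued for."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name: str, scope: str) -> bool:
    """Exact match or a suffix match on a label boundary, so that
    'example.com.evil-hosting.net' and 'notexample.com' both fail."""
    return name == scope or name.endswith("." + scope)


def parse_crtsh(records: Iterable[dict], scope: str) -> Dict[str, str]:
    """Return {hostname: latest not_after} for every in-scope name.
    not_after is compared as a string, which assumes crt.sh's ISO-8601 format."""
    latest: Dict[str, str] = {}
    for rec in records:
        names = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        expiry = rec.get("not_after", "")
        for raw in names:
            name = normalize(raw)
            if name and in_scope(name, scope) and expiry > latest.get(name, ""):
                latest[name] = expiry
    return latest


def split_by_expiry(latest: Dict[str, str], today: str) -> Tuple[List[str], List[str]]:
    """Names covered by a currently valid certificate versus names seen only in
    expired ones; the latter are leads for decommissioned hosts and are worth
    resolving separately rather than mixing into the live list."""
    live = sorted(n for n, exp in latest.items() if exp >= today)
    stale = sorted(n for n, exp in latest.items() if exp < today)
    return live, stale


def demo(today: str = "2024-06-01T00:00:00") -> Tuple[List[str], List[str]]:
    records = json.loads(SAMPLE_CRTSH_JSON)
    return split_by_expiry(parse_crtsh(records, "example.com"), today)


if __name__ == "__main__":
    live, stale = demo()
    print("live:", " ".join(live))
    print("expired-only:", " ".join(stale))
```

On the constructed sample the live list is example.com and www.example.com, while dev.example.com, mail.example.com and old-vpn.example.com appear only in certificates that expired before the chosen date; the look-alike example.com.evil-hosting.net is rejected by the scope check even though a plain substring match would have kept it.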

theHarvester

theHarvester is a simple-to-use yet powerful tool designed for the reconnaissance stage of a red team assessment or penetration test.

It performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.

# Create a "sources.txt" file filled with theHarvester modules, one per line. The module list changes
# between versions (run theHarvester -h for the current one) and several, e.g. virustotal, zoomeye,
# bufferoverun and projectdiscovery, only return results with an API key configured in api-keys.yaml.
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
 
# Execute theHarvester once per module in "sources.txt"; -f writes <name>.json and <name>.xml
while read -r source; do theHarvester -d "example.com" -b "$source" -f "${source}-theHarvester"; done < sources.txt
 
# Extract all subdomains into a single file. Entries in .hosts are "host:ip", hence the cut
jq -r '.hosts[]' *-theHarvester.json 2>/dev/null | cut -d':' -f1 | sort -u > subdomains-theHarvester.txt