Subdomain Enumeration

Subdomain enumeration is finding all the subdomains of a main domain. It's like discovering all the branches of a company under its main office. This helps in understanding the full scope of a domain, revealing additional services and potential security vulnerabilities.

Subdomain Enumeration Types‍

Passive Enumeration: Passive enumeration gathers subdomain information without directly interacting with the target. It uses public sources like search engines, certificate transparency logs, and DNS databases to find subdomains without alerting the target.

Active Enumeration: Active enumeration involves directly querying the target's DNS servers to discover subdomains. Tools like DNS brute-forcing and zone transfers are used, which might alert the target but can provide more detailed results.

Permuted Enumeration: Permuted enumeration generates possible subdomain names by altering known subdomains. It uses techniques like adding common prefixes, suffixes, or typos to identify additional subdomains that might not be listed publicly.

Subdomain Enumeration Case

Single Host: This type of enumeration focuses on discovering subdomains for one specific domain. It's useful for in-depth analysis of a single target, allowing for detailed mapping of all related subdomains and services.

Multiple Host: This type of enumeration targets several domains simultaneously. This approach is efficient for large-scale assessments, providing a broader view of subdomain infrastructure across different domains.

Now that subdomain enumeration types and scenarios have been covered, the text will shift focus to practical exercises.

Passive Subdomain Enumeration (single/multiple)

‍Performing passive subdomain enumeration over a single host is a straightforward and simple process using tools like Subfinder or Amass, utilizing public sources for subdomain discovery. For enhanced results, SubEnum can be employed, which uses multiple passive subdomain enumeration tools.

Tool: SubEnum

This is the easiest and quickest way to perform passive subdomain enumeration over single and multiple hosts. Additional sources can be added based on need, and proper API keys should be used for better results.

Active Subdomain Enumeration

‍Numerous tools are available for active subdomain enumeration. This blog specifically covers the use of puredns, while also providing a list of alternative tools.

Tools: PureDNS ShuffleDNS DnsX

Quick and easy results were achieved using a small wordlist on a single host. For larger wordlists and multiple hosts, we turn to Axiom to accelerate the process efficiently.

‍Active Subdomain Enumeration (Horizontal Scaling)

Active Subdomain Enumeration (Horizontal Scaling) involves leveraging multiple resources simultaneously to efficiently discover subdomains across numerous hosts. This approach enhances speed and scalability.

Tool: Axiom

First, the instances need to be initialized to use axiom-scan for active subdomain enumeration. 

Root domains can be passed in a txt file, and the wordlist is defined from the Axiom module. Additional arguments for the puredns tool can also be passed if desired.

Axiom sends the hosts across all the machines and scanning at scale. This boosts the speed, best use case when we have multiple hosts to perform active subdomain enumeration at once.

‍Active Subdomain Enumeration (Vertical Scaling)‍

Active Subdomain Enumeration (Vertical Scaling) optimizes resource utilization to intensify subdomain discovery on a single host. Basically Axiom sends the big wordlist to the different instances and bruteforce the single host from every instance.

Tool: Axiom

From axiom-scan we defined the wordlist and host then axiom split the wordlist across all the instances to bruteforce the single host we provided

This scenario is best when we have a large wordlist like all.txt to use, in general with a 2GB RAM virtual machine it may take around 30 minutes but by scanning at scale we can finish the task within 5 minutes.

‍Permuted Subdomain Enumeration 

During permuted subdomain enumeration, we will utilize both single and multiple enumeration methods. First, we'll generate the permuted subdomain list locally. For this, we are using DnsGen, but you can also use tools like Gotator.

Tool: DnsGen Gotator

To generate the permuted subdomain list we passed the enumerated subdomain both active and passive into dnsgen then removed the duplicates and saved it as a permute.txt file

As the word count is quite large, the scan at scale method will be used to quickly resolve the subdomain list.

In this case, we will use puredns-resolve module 

It took less than 2 minutes to resolve all the subdomains here we can see the resolved subdomain result. 

After the scan, it's important to remove the instances to avoid unnecessary billing.

In conclusion, effective subdomain enumeration combines passive and active techniques, leverages various tools, and scales both horizontally and vertically. By following this guide, you can enhance your subdomain enumeration process and uncover hidden subdomains comprehensively.