Bug Bounty Hub
  • 🚀WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • 🕸️PENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • 📚RESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • 🏔️Bug Bounty Platforms
Powered by GitBook
On this page
  • DNSValidator
  • ShuffleDNS
  • Amass
  • Wordlists

Was this helpful?

  1. PENTESTING WEB
  2. Information Gathering
  3. Subdomain Enumeration

Active Subdomain Enumeration

This process involves sending DNS queries or HTTP requests to potential subdomains to identify which ones exist and are accessible. DNS bruteforcing is probably one of the most effective way of finding subdomains. This involves using a wordlist of commonly known subdomains.

Be aware that active subdomain enumeration can generate significant server-side noise and hence potentially leading to rate-limiting by a WAF.

That is why the key to success lies in the balance between stealth and speed.

DNSValidator

Before starting subdomain enumeration it's important to verify that the DNS resolver is supported and effective. For this purpose, DNSValidator can be utilized.

We will feed DNSValidator with a wordlist of external resolvers available at public-dns.info: 

dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt

ShuffleDNS

Shuffledns is a fast subdomain enumeration tool that performs DNS resolution by combining wordlists with public or custom DNS resolvers. It primarily focuses on resolving subdomains by brute-forcing them from a list and quickly checking which ones are valid.

shuffledns -d $domain -mode bruteforce -w <wordlist> -r resolvers.txt

Amass

amass enum -d $domain -active -brute 

 # List saved scans in database
 amass db -list

Wordlists

  • Public-dns.info -> https://public-dns.info/nameservers.txt

  • SecLists -> https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

  • AssetNote -> https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt

PreviousSubdomain EnumerationNextPassive Subdomain Enumeration

Last updated 5 months ago

Was this helpful?

🕸️