Subdomain enumeration: finding valid subdomains of the target domain. Why? Every subdomain is another host or application in scope, so it widens the attack surface and often exposes entry points (dev, staging, admin portals) that are less hardened than the main site.
Three types of subdomain enumeration - Brute Force, OSINT and Virtual Host.
OSINT - SSL/TLS Certificates - When a CA (Certificate Authority) issues an SSL/TLS certificate, it submits that certificate to CT (Certificate Transparency) logs. These are public, append-only logs of issued certificates that can be searched by domain name, so the names on certificates issued for a domain (including staging or internal hosts someone requested a certificate for) reveal subdomains without sending a single packet to the target. Link to check CT logs
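An added example of what you do with CT log results once you have them (this is my code, not TryHackMe's material). It parses the JSON shape returned by a crt.sh query such as https://crt.sh/?q=%25.example.com&output=json, where each record's "name_value" field holds one or more names separated by newlines, and it reduces that to a clean, de-duplicated subdomain list. The records below are constructed sample data so the script runs offline; the domain example.com and the lookalike example.com.evil.net are assumptions for illustration only.

```python
"""Extract unique subdomains from Certificate Transparency log output."""
import json
import re

# Hostname labels: letters, digits, hyphens and dots only.
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")

# Constructed sample in crt.sh's JSON layout (not real log entries).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"common_name": "STAGING.Example.com",          # mixed case in the log
     "name_value": "STAGING.Example.com\napi.example.com"},
    {"common_name": "example.com.evil.net",         # suffix lookalike, not ours
     "name_value": "example.com.evil.net"},
    {"common_name": "www.example.com",              # duplicate from a renewal
     "name_value": "www.example.com"},
])


def ct_subdomains(ct_json: str, domain: str):
    """Return (subdomains, wildcards) found in crt.sh-style JSON for domain.

    subdomains: sorted unique hostnames strictly under domain.
    wildcards:  sorted unique "*.x" names; these tell you a wildcard cert
                exists, so brute force is needed to learn the real labels.
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    subdomains, wildcards = set(), set()

    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name == domain:       # blank, or the apex itself
                continue
            if not name.endswith(suffix):        # drops example.com.evil.net
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            if not HOSTNAME_RE.match(name):      # junk in the SAN field
                continue
            subdomains.add(name)

    return sorted(subdomains), sorted(wildcards)


if __name__ == "__main__":
    subs, wild = ct_subdomains(SAMPLE_CT_JSON, "example.com")
    print("subdomains:", subs)
    print("wildcards: ", wild)
```

Lower-casing and stripping the trailing dot matter because the same host shows up in several spellings across certificates; the suffix check matters because a naive "contains example.com" match would happily pull in attacker-controlled lookalikes. A wildcard entry in the result is a cue to move on to brute force for that parent, since the log cannot tell you which labels actually exist.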
OSINT - Search Engines
site:*.tryhackme.com -site:www.tryhackme.com
this lists indexed pages on any subdomain of tryhackme.com while excluding the main www site. It only shows what the search engine has crawled, so keep adding -site: exclusions for each subdomain you find to surface the less common ones.
Brute force - trying thousands or millions of candidate names from a wordlist against DNS and keeping the ones that resolve. Tools like dnsrecon automate this.
Sublist3r is another tool for the same purpose, but it speeds up the OSINT side: it queries many sources automatically (search engines, CT logs, DNS databases) and aggregates the results instead of you running each query by hand.
Virtual Hosts - Some subdomains are not in public DNS at all: they may live only on a private DNS server or, if the site is still in development, in a hosts-file entry on the developer's machine. Because one web server can host many sites and chooses which one to serve from the HTTP Host header (virtual hosting), we can find these by FUZZing the Host header in requests sent straight to the server's IP.
ffuf -w /usr/share/wordlists/dnsmap.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.201.84.255
The server answers every unknown Host with the same default page, so most results look identical. Run once with no filter, note the size of that default response (here 2395 bytes), then rerun with -fs to filter out responses of that size; anything left is a candidate virtual host.
ffuf -w ~/Documents/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.201.84.255 -fs 2395
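An added example of the logic behind the two ffuf runs above (my code, not the room's and not ffuf itself): take a baseline by requesting a host that cannot exist, then send Host: word.domain for every wordlist entry and report only the responses whose size differs from that baseline. So that it runs offline, it starts a throw-away HTTP server on localhost with two constructed virtual hosts; the hostnames www/dev.acmeitsupport.thm, the page bodies and the five-word wordlist are assumptions, not real infrastructure.

```python
"""Virtual-host fuzzing with a baseline (default-response) size filter."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DOMAIN = "acmeitsupport.thm"   # target domain from the notes; vhosts below are made up

# Constructed virtual hosts; a real server would take these from its config.
VHOSTS = {
    f"www.{DOMAIN}": b"<html><body>Acme IT Support</body></html>",
    f"dev.{DOMAIN}": b"<html><body>Dev build - login at /admin</body></html>",
}
DEFAULT_PAGE = b"<html><body>It works! Default site.</body></html>"


class VHostHandler(BaseHTTPRequestHandler):
    """Serve a site chosen by the Host header, or the default page if unknown."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)   # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_size(ip, port, host_header):
    """GET / with an explicit Host header; return (status, body length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    size = len(resp.read())
    conn.close()
    return resp.status, size


def baseline_size(ip, port, domain):
    # Equivalent of the first ffuf run with no filter: learn the default size.
    return fetch_size(ip, port, f"definitely-not-here-0xdead.{domain}")[1]


def fuzz_vhosts(ip, port, domain, wordlist):
    """Return (baseline_size, [(host, status, size)]) for non-default responses."""
    base = baseline_size(ip, port, domain)
    hits = []
    for word in wordlist:
        host = f"{word}.{domain}"
        status, size = fetch_size(ip, port, host)
        if size != base:               # same idea as ffuf -fs <base>
            hits.append((host, status, size))
    return base, hits


def run_demo():
    server = start_server()
    ip, port = server.server_address
    try:
        wordlist = ["www", "mail", "dev", "test", "api"]   # constructed wordlist
        return fuzz_vhosts(ip, port, DOMAIN, wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    base, hits = run_demo()
    print(f"default response size: {base}")
    for host, status, size in hits:
        print(f"{host}  status={status}  size={size}")
```

Two caveats a size filter does not handle. If the server's default site is one of the real vhosts (common: the first configured site answers unknown hosts), that vhost is filtered out along with the noise, so also compare against a request with no Host header or with the bare IP. And two different pages can have the same byte length, so when a target looks interesting, re-check with a content hash or by eye rather than trusting -fs alone.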