# Infosec: Enumerating subdomains

This post lists a few ways to enumerate subdomains.
## Check domains via CA-issued certificates

Google Transparency Report tool: use it to search Certificate Transparency logs for a domain and list the certificates issued for its names.
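As an added illustration (not code from the original post), the script below shows what to do with a certificate search result once you have it: normalize the names, keep only those under the apex you own, and compare them against an inventory of subdomains you already track, which is how a defender spots forgotten or shadow hosts. The JSON records and the inventory are constructed for the example; the `name_value` field holding newline-separated names is an assumption about the export format, not a documented one.

```python
"""Reconcile names found in Certificate Transparency against a known asset list.

Added example, not from the original post. The records below are constructed
in the shape of a typical CT search export: each entry carries the names a
certificate was issued for, newline-separated, possibly with wildcards,
trailing dots and mixed case. The inventory is a hypothetical list of
subdomains the owner already knows about.
"""
import json

# Constructed sample: what a certificate search for domain.com might return.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.domain.com\ndomain.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.staging.domain.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Mail.Domain.com\nvpn.domain.com."},
    {"issuer_name": "C=US, O=Example CA", "name_value": "old-admin.domain.com"},
    # Out of scope: a different apex that merely contains "domain.com" as a prefix.
    {"issuer_name": "C=US, O=Example CA", "name_value": "domain.com.evil.example"},
])

# Hypothetical: subdomains the owner already tracks in their asset inventory.
KNOWN_INVENTORY = {"www.domain.com", "mail.domain.com", "vpn.domain.com"}


def normalize_name(raw: str) -> str:
    """Lower-case, strip a trailing dot and any leading wildcard label."""
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, apex: str) -> bool:
    """True for the apex itself or any name that is a label-boundary child of it."""
    return name == apex or name.endswith("." + apex)


def subdomains_from_ct(ct_json: str, apex: str) -> set[str]:
    """Extract the unique, in-scope subdomains (apex excluded) from CT records."""
    found = set()
    for record in json.loads(ct_json):
        for raw in record["name_value"].split("\n"):
            name = normalize_name(raw)
            if name and name != apex and in_scope(name, apex):
                found.add(name)
    return found


def unknown_subdomains(ct_json: str, apex: str, inventory: set[str]) -> list[str]:
    """Names seen in CT that are missing from the inventory, sorted for reporting."""
    known = {n.lower().rstrip(".") for n in inventory}
    return sorted(subdomains_from_ct(ct_json, apex) - known)


if __name__ == "__main__":
    for name in unknown_subdomains(SAMPLE_CT_JSON, "domain.com", KNOWN_INVENTORY):
        print("not in inventory:", name)
```

Run it as-is and the two names the inventory does not know about are reported; the `*.staging.domain.com` wildcard collapses to `staging.domain.com`, and the look-alike apex under `evil.example` is dropped because scope is checked on a label boundary rather than by substring.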
## Use Google search

This query excludes all results for "www.domain.com" and includes every other subdomain of domain.com:

```
-site:www.domain.com site:*.domain.com
```
## Brute forcing

### Using ffuf

Fast web fuzzer written in Go. The `FUZZ` keyword is replaced with each entry of the wordlist.

- Via direct subdomain:

```sh
ffuf -w ~/infosec/SecLists/Discovery/DNS/namelist.txt -u http://FUZZ.domain.com
```

- Via Host header in the request:

```sh
# This enumerates via the 'Host' header in the request.
# -fs 2395 filters out responses of 2395 bytes, the size of the default page
# the server returns for a Host value it does not recognise.
ffuf -w ~/infosec/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.domain.com" -u http://www.domain.com -fs 2395
```
Similar enumeration tools:

```sh
# Installation
pip3 install dnsrecon
pip3 install sublist3r
```