We covered the tools and techniques used to enumerate subdomains as part of TryHackMe SubDomain Enumeration room.


Introduction to Subdomain Enumeration

Subdomain enumeration is an essential part of domain enumeration, often used in penetration testing to discover additional services or entry points on a target system. The video explores different techniques to enumerate subdomains, using sources and tools such as Certificate Transparency logs, Google Dorks, and DNS brute-forcing.

SSL/TLS Certificates

When a CA (Certificate Authority) issues an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate for a domain, it records the issuance in what are called Certificate Transparency (CT) logs. These are publicly accessible logs of every SSL/TLS certificate created for a domain name. The purpose of Certificate Transparency logs is to stop malicious and accidentally issued certificates from going unnoticed. We can use this service to our advantage to discover subdomains belonging to a domain: sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.

crt.sh is a website that shows certificate request logs for domains and their subdomains. By entering the target domain, such as tryhackme.com, you can see which subdomains have requested SSL certificates. This method, however, is limited to subdomains that have requested certificates and doesn't include private or internal subdomains.
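The room searches crt.sh by hand; the following added example (not the room's or the author's code) shows how a tester would process the same data programmatically. It parses a constructed sample in the shape of crt.sh's JSON output, unpacks the newline-separated SAN entries, drops wildcard entries and lookalike domains, and records the earliest time each name was logged.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); not real log data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2020-12-26T10:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nstaging.example.com",
     "not_before": "2021-01-05T08:00:00"},
    {"common_name": "Dev.Example.com",
     "name_value": "Dev.Example.com\nexample.com.evil.test",
     "not_before": "2021-02-14T12:00:00"},
    {"common_name": "www.example.com",
     "name_value": "www.example.com",
     "not_before": "2019-06-01T00:00:00"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> dict:
    """Return {hostname: earliest not_before} for every in-scope name.

    crt.sh packs all SAN entries of a certificate into name_value, newline
    separated, so one record can yield several hostnames. Wildcard entries
    (*.example.com) are dropped: they prove a wildcard certificate exists,
    not that any particular host does. Names are lowercased because DNS is
    case-insensitive and CT logs preserve whatever the CSR contained.
    """
    domain = domain.lower()
    found = {}
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            # Keep only the target and its subdomains; the suffix check on
            # "." + domain rejects lookalikes such as example.com.evil.test.
            if name != domain and not name.endswith("." + domain):
                continue
            seen = entry.get("not_before", "")
            if name not in found or seen < found[name]:
                found[name] = seen
    return found


if __name__ == "__main__":
    for host, first in sorted(subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com").items()):
        print(f"{host:25} first logged {first}")
```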

Google Dorks

Google Dorks can be used to find indexed subdomains on the web. By using the site: search operator and excluding the main domain, the tester can identify subdomains indexed by Google.

DNS Brute Force

DNS brute forcing involves using predefined subdomain wordlists to find valid subdomains by trying each word in the list. Tools like DNSrecon or Sublist3r can automate this process. The video demonstrates using DNSrecon and Sublist3r to find subdomains for a target domain (e.g., acme.it.support.thm).

Using Sublist3r

Sublist3r is another tool that helps with subdomain enumeration by querying multiple sources (such as search engines and DNS servers). The video shows how to download and run Sublist3r from GitHub for subdomain enumeration.

Virtual Hosts and Fuzzing

Some subdomains may be hosted as virtual hosts, meaning they have no public DNS record but can be found by fuzzing the Host header of requests sent to the web server. The tool wfuzz is used to perform this fuzzing by sending requests to the main server with a different candidate subdomain in the HTTP Host header each time.

The video demonstrates using wfuzz to discover subdomains like delta and yellow, although these subdomains may not be accessible from outside the internal network.

Search Engines

Search engines contain trillions of links to more than a billion websites, which can be an excellent resource for finding new subdomains. Using advanced search methods on websites like Google, such as the site: filter, can narrow the search results. For example, “-site:www.domain.com site:*.domain.com” would only contain results leading to the domain name domain.com but exclude any links to www.domain.com; therefore, it shows us only subdomain names belonging to domain.com.

Bruteforce DNS (Domain Name System) enumeration is the method of trying tens, hundreds, thousands or even millions of different possible subdomains from a pre-defined list of commonly used subdomains. Because this method requires many requests, we automate it with tools to make the process quicker. In this instance, we are using a tool called dnsrecon to perform this.
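The brute-force loop that dnsrecon automates, as an added example that is not the room's or dnsrecon's code. It also handles the check a practitioner wants before trusting the results: a zone with a wildcard record answers every guess, so the script first resolves a random label and discards hits that only return that catch-all address. The resolver is injectable so the demonstration runs offline against a constructed zone; the wordlist, hostnames and addresses are constructed.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for a wordlist such as SecLists' subdomains-top1million-5000.txt.
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "admin"]


def resolve_a(hostname: str) -> Optional[str]:
    """Resolve with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Probe a random label that cannot be in any wordlist. If it resolves, the
    zone has a wildcard record and every guess would look valid; return its IP."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")


def brute_force(domain: str, words: Iterable[str], resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Return {hostname: ip} for guesses that resolve, minus wildcard false positives."""
    wildcard_ip = detect_wildcard(domain, resolve)
    hits = {}
    for word in words:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None or ip == wildcard_ip:
            # Either NXDOMAIN or just the catch-all answer. Note the trade-off:
            # a real host that shares the wildcard address is hidden as well.
            continue
        hits[host] = ip
    return hits


def fake_resolver(zone: Dict[str, str], wildcard_ip: Optional[str] = None) -> Resolver:
    """Offline stand-in for the resolver: known names answer from `zone`, anything
    else gets the wildcard address (or NXDOMAIN when there is no wildcard)."""
    return lambda host: zone.get(host, wildcard_ip)


if __name__ == "__main__":
    # Constructed zone: two real hosts behind a catch-all *.example.com record.
    zone = {"www.example.com": "192.0.2.10", "dev.example.com": "192.0.2.20"}
    print(brute_force("example.com", WORDLIST, fake_resolver(zone, "198.51.100.1")))
```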

Some subdomains aren't always hosted in publicly accessible DNS results, such as development versions of a web application or administration portals. Instead, the DNS record could be kept on a private DNS server or recorded on the developer's machines in their /etc/hosts file (or c:\windows\system32\drivers\etc\hosts file for Windows users), which maps domain names to IP addresses.

Because one web server can host multiple websites, when a client requests a website the server works out which site the client wants from the Host header. We can utilise this Host header by changing its value and monitoring the response to see if we've discovered a new website.

Like with DNS Bruteforce, we can automate this process by using a wordlist of commonly used subdomains.
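The Host header technique from the Virtual Hosts section and the two paragraphs above, as an added example that is not the room's or wfuzz's code. It requests the same URL repeatedly with a different candidate Host value, first records the baseline response a random (unconfigured) Host produces, then reports only the names whose status or body length differ from it, which is what wfuzz's --hc and --hh filters do by hand. The HTTP fetcher is injectable, and the demonstration runs offline against a constructed vhost table modelled on the room's delta and yellow hosts; the IP address and response sizes are constructed.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, int]          # (HTTP status, body length in bytes)
Fetcher = Callable[[str, str], Response]


def http_get_with_host(base_url: str, host: str, timeout: float = 5.0) -> Response:
    """GET base_url (the shared server's IP or name) while presenting `host` in
    the Host header, so the server selects the virtual host from that value."""
    req = urllib.request.Request(base_url, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fuzz_vhosts(base_url: str, domain: str, words: Iterable[str],
                fetch: Fetcher = http_get_with_host) -> Dict[str, Response]:
    """Return {vhost: response} for Host values that answer differently from
    the baseline. The baseline is a random Host nobody configured, so it shows
    what the default site looks like; hiding responses that match it is the
    same idea as wfuzz's --hh (hide length) and --hc (hide status) filters."""
    baseline = fetch(base_url, f"{secrets.token_hex(6)}.{domain}")
    found = {}
    for word in words:
        host = f"{word}.{domain}"
        response = fetch(base_url, host)
        if response != baseline:
            found[host] = response
    return found


def fake_server(sites: Dict[str, Response], default: Response) -> Fetcher:
    """Offline stand-in for the web server: configured vhosts get their own
    response, any other Host header falls through to the default site."""
    return lambda _url, host: sites.get(host, default)


if __name__ == "__main__":
    # Constructed vhost table modelled on the room's delta/yellow hosts.
    sites = {"delta.acme.it.support.thm": (200, 4120),
             "yellow.acme.it.support.thm": (200, 2210)}
    print(fuzz_vhosts("http://198.51.100.20", "acme.it.support.thm",
                      ["www", "delta", "yellow", "admin"],
                      fake_server(sites, default=(200, 1312))))
```

Against a default site whose body changes on every request (timestamps, CSRF tokens), every guess will differ from the baseline; compare status codes only, or fetch the baseline twice to see which fields are stable before filtering on them.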

Conclusion

The video wraps up by explaining that some subdomains, especially those hosted internally as virtual hosts, may not be accessible through a browser and can only be found through fuzzing. Tools like wfuzz and DNSrecon are essential for uncovering hidden subdomains.

TryHackMe SubDomain Enumeration | Room Answers

What is a subdomain enumeration method beginning with B?

What is a subdomain enumeration method beginning with O?

What is a subdomain enumeration method beginning with V?

What domain was logged on crt.sh at 2020-12-26?

What is the TryHackMe subdomain beginning with S discovered using the above Google search?

What is the first subdomain found with the dnsrecon tool?

What is the first subdomain discovered by sublist3r?

What is the first subdomain discovered?

What is the second subdomain discovered?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.