Jason Jacobs · 2 min read
A Guide to Subdomain Enumeration - From Passive to Active Methods
Learn comprehensive techniques for subdomain enumeration, covering both passive and active approaches for penetration testing scenarios.
When you’ve acquired a target domain and want to expand your attack surface during a penetration test, subdomain enumeration becomes a crucial first step. This guide walks through various methods, from passive reconnaissance to active enumeration techniques.
Passive Enumeration
Passive enumeration allows us to gather subdomain information without directly interacting with target servers. This stealthy approach avoids generating suspicious traffic to the target infrastructure.
Google Dorking
Using Google’s search operators can reveal subdomains with minimal effort:
- Use the site: operator (e.g., site:example.com). This method, while convenient, isn’t always comprehensive.
DNS Dumpster Site
DNS Dumpster provides detailed DNS enumeration including:
- MX records
- TXT records
- Host records
Note: Results may be limited as DNS Dumpster uses a static database.
Security Trails Site
Security Trails offers:
- Current DNS records
- Historical DNS data
- Comprehensive subdomain mapping
Certificate Transparency Site
Leverage SSL/TLS certificate logs through crt.sh to:
- Find subdomains from certificate issuance records
- Discover historical subdomain information
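Pulling subdomains out of crt.sh output takes a little care: the JSON endpoint (https://crt.sh/?q=%25.example.com&output=json) returns one record per certificate, the name_value field packs several SANs into one newline-separated string, names vary in case and may carry a wildcard prefix, and a look-alike such as example.com.evil.test must not be mistaken for an in-scope host. The script below is an added example, not part of the original post or of crt.sh itself; the records in SAMPLE_CRTSH_JSON are constructed for the demo and are not real certificates. The same parsing works for monitoring certificate issuance against a domain you own.

```python
import json
from typing import List, Set

# Constructed sample in the shape of crt.sh's JSON output (field names match the
# real endpoint; the certificate data itself is made up for this example).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Mail.Example.com",
     "name_value": "Mail.Example.com\nlegacy-vpn.example.com",
     "not_before": "2021-06-01T00:00:00", "not_after": "2022-06-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.test",          # look-alike, out of scope
     "name_value": "example.com.evil.test",
     "not_before": "2023-03-01T00:00:00", "not_after": "2023-06-01T00:00:00"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Return the set of in-scope hostnames named in crt.sh JSON output.

    - name_value may hold several SANs separated by newlines; common_name is
      also considered because older certs sometimes lack a SAN entry
    - names are lower-cased, trailing dots removed, and a '*.' prefix dropped
    - only names equal to `domain` or ending in '.' + domain are kept, so a
      look-alike such as example.com.evil.test is rejected
    """
    domain = domain.lower().rstrip(".")
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def wildcard_certificate_ids(raw_json: str) -> List[int]:
    """IDs of certificates carrying a wildcard SAN.

    A wildcard cert tells you nothing about which hosts actually exist under
    it, so these are worth listing separately rather than treating the bare
    domain they collapse to as a discovered host.
    """
    ids = []
    for entry in json.loads(raw_json):
        sans = entry.get("name_value", "").split("\n")
        if any(san.strip().startswith("*.") for san in sans):
            ids.append(entry["id"])
    return ids


if __name__ == "__main__":
    for host in sorted(subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")):
        print(host)
    print("wildcard certs:", wildcard_certificate_ids(SAMPLE_CRTSH_JSON))
```

Expired certificates (entry 3 above) are kept on purpose: that is where the "historical" subdomain information comes from, and a name like legacy-vpn that no longer has a valid certificate is often exactly the forgotten host worth checking, or decommissioning if the domain is yours.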
Active Enumeration
Active enumeration involves direct interaction with target infrastructure. This method requires proper authorization as it generates detectable traffic.
Using Sublist3r
Sublist3r is a Python-based tool available for both Linux and Windows. Here’s how to use it:
sublist3r -b -v -d hackerone.com
Flags explained:
- -b: Enable DNS brute force
- -v: Verbose output
- -d: Specify target domain
GoBuster DNS Mode
While primarily known for directory brute forcing, GoBuster’s DNS mode is effective for subdomain discovery.
Installation:
go install github.com/OJ/gobuster/v3@latest
Usage:
gobuster dns -d hackertarget.com -t 30 -w namelist.txt
Key parameters:
- -t: Number of threads (can be increased for faster results)
- -w: Wordlist path (recommended: SecLists’ Discovery/DNS)
Important Reminder
⚠️ Always ensure you have proper authorization before performing any enumeration activities. Unauthorized testing can result in legal consequences.
Resources
- SecLists DNS Wordlists: GitHub - SecLists/Discovery/DNS
- GoBuster: GitHub - OJ/gobuster
- Sublist3r: GitHub - aboul3la/Sublist3r
Happy Hacking! 🚀