Master Subdomain HUNTING | Art of finding Hidden Assets
2024-1-17 22:49:43 Author: infosecwriteups.com(查看原文) 阅读量:23 收藏

ʏᴀꜱʜʜ

InfoSec Write-ups

Hey guys it’s Yash Again, Today we are going to learn about Importance of Subdomain enumeration ; Ya Ya i know that many of you know how to perform subdomain BUT Do You Really know how to preform sub-domain Enumeration IN DEPTH, Today I Am Talking About Hidden way of subdomain enumeration that Top Bug Bounty Hunter USE In there Sub-domain Enumeration Part. with Best Wordlists Out There

Common Ways of finding subdomains using tools. so i am not going to Explain all the things But today i’ll cover only IMPORTANT thing that i think New bug bounty hunter should know

Top tools that i think bug bounty hunter should use 1st is Our favorite is Amass, Then subfinder so i am not going to spend a lot of time for explaining these tools i will provide there commands below You can use the help menu for understanding this flags/commands

amass enum -passive -norecursive -noalts -d $Domain -o Output.txt
subfinder -d $domain -v -t 25 -o subfinder.txt

I personally Use this flags/commands while using this tools

IN-DEPTH

so Now main part of the story In-Depth Approach

How many of you know the OneForAll, A Powerful Chinese Subdomain Enumeration Tool

OneforAll tools is Killer tool for finding sub-domains You can read this tool information Here & Also You Can Download this Tool using follwoing command

git clone https://github.com/shmilylty/OneForAll.git ; cd OneForAll/ ; python3 -m pip install -U pip setuptools wheel ; pip3 install -r requirements.txt ; python3 oneforall.py --help

Just keep in mind that → python3 should be at least version 3.8.0 and pip3 at least version 19.2.2.

Sub-domain Brute Forcing

I think many people know how to brute force sub-domains. In this blog i am going to share my tools that i use in the sub-domain brute forcing, wordlists , best wordlists accroding to me. Using those wordlist i get unique sub-domains that are freash.

Tools

for sub-domain brute forcing i use PureDNS tool command will be provided below. for more information you can read This

Wordlists

I use SecLists, FuzzDB And You Can use this AssetNote wordlists. And i want to highlight this best-dns-wordlist.txt make sure to use this file for sub-domain brute forcing.

Try Lots of differents wordlists for brute forcing. Using this method you will find a lot of unique sub-domains After Getting most of the sub-domains try to find the sub-domain takeover.

puredns bruteforce ~/w/SecLists/Discovery/DNS/dns-Jhaddix.txt $domain -r ~/w/purednsResolvers/resolvers.txt >> puredns2.txt

And You can use this file as an resolvers

Also i have lots of Other methods too we will discus them in another blog post happy Hunting All 🎔 & also i don’t want to make this blog big so.

POC

Using Above listed method i am able to find some cool bugs like sqli, Rxss, Sensitive information disclosure.

You can connect me On Linkedin & X.

In this blog we talk about the best wordlists for sub-domain brute forcing tool that i personally use for sub-domain brute forcing & One Powerfull tool that is OneforAll

Thank You ❟❛❟ Make Sure to Follow on Medium. I am going to write More blogs about Bug Bounties & Security Research.


文章来源: https://infosecwriteups.com/master-subdomain-hunting-art-of-finding-hidden-assets-3351b3c8467a?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh