Hey guys, it's Yash again. Today we are going to learn about the importance of subdomain enumeration. Yeah, I know many of you know how to perform subdomain enumeration, but do you really know how to perform it in depth? Today I am talking about the hidden ways of subdomain enumeration that top bug bounty hunters use in their subdomain enumeration phase, along with the best wordlists out there.
There are common ways of finding subdomains using tools, so I am not going to explain everything. Today I'll cover only the important things that I think a new bug bounty hunter should know.
The top tools I think a bug bounty hunter should use: first, our favorite, Amass, and then subfinder. I am not going to spend a lot of time explaining these tools; I will provide their commands below. You can use the help menu to understand the flags.
amass enum -passive -norecursive -noalts -d $domain -o Output.txt
subfinder -d $domain -v -t 25 -o subfinder.txt
I personally use these flags while running these tools.
So now the main part of the story: the in-depth approach.
How many of you know OneForAll, a powerful Chinese subdomain enumeration tool?
OneForAll is a killer tool for finding subdomains. You can read the tool's information here, and you can also download it using the following command:
git clone https://github.com/shmilylty/OneForAll.git ; cd OneForAll/ ; python3 -m pip install -U pip setuptools wheel ; pip3 install -r requirements.txt ; python3 oneforall.py --help
Just keep in mind that python3 should be at least version 3.8.0 and pip3 at least version 19.2.2.
I think many people know how to brute force subdomains. In this blog I am going to share the tools I use for subdomain brute forcing and the wordlists that, according to me, are the best. Using those wordlists I get unique subdomains that are fresh.
For subdomain brute forcing I use the PureDNS tool; the command is provided below. For more information you can read this.
I use SecLists and FuzzDB, and you can also use the AssetNote wordlists. I want to highlight best-dns-wordlist.txt in particular; make sure to use this file for subdomain brute forcing.
Try lots of different wordlists for brute forcing. Using this method you will find a lot of unique subdomains. After getting most of the subdomains, try to find subdomain takeovers.
puredns bruteforce ~/w/SecLists/Discovery/DNS/dns-Jhaddix.txt $domain -r ~/w/purednsResolvers/resolvers.txt >> puredns2.txt
And you can use this file as your resolvers list.
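The amass, subfinder and puredns commands above each write their own output file, and the wordlist advice means you end up with several lists to combine. The following shell functions are an added example (not from the original post or from any of those tools) showing how I would normalize and merge those files: hostnames are lowercased, trailing dots and wildcard prefixes are stripped, anything outside the target's apex domain is dropped, and duplicates are removed. The sample files, the domain example.com and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: merge subdomain tool outputs and brute-force wordlists.
# Assumes plain-text files with one hostname or word per line.

# merge_subdomains <apex-domain> <file>...
# Normalizes hostnames (lowercase, strip whitespace, trailing dot and "*."
# wildcard prefix), keeps only names under the apex domain, sorts, dedups.
merge_subdomains() {
    apex=$1; shift
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')   # escape dots for grep
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
      | grep -E "(^|\.)$apex_re\$" \
      | sort -u
}

# merge_wordlists <file>...
# Combines brute-force wordlists: lowercase, drop blank and comment lines, dedup.
merge_wordlists() {
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]//g' \
      | grep -v -e '^$' -e '^#' \
      | sort -u
}

# demo_subdomains: constructed sample outputs (not real scan results).
demo_subdomains() {
    tmp=$(mktemp -d)
    printf 'WWW.example.com\napi.example.com.\n' > "$tmp/amass.txt"
    printf 'api.example.com\n*.dev.example.com\nexample.com.otherdomain.test\n' > "$tmp/subfinder.txt"
    printf 'staging.example.com\nnotexample.com\n' > "$tmp/puredns.txt"
    merge_subdomains example.com "$tmp/amass.txt" "$tmp/subfinder.txt" "$tmp/puredns.txt"
    rm -rf "$tmp"
}

# demo_wordlists: constructed sample wordlists.
demo_wordlists() {
    tmp=$(mktemp -d)
    printf 'www\nAPI\n\n# comment line\napi\n' > "$tmp/list1.txt"
    printf 'dev\nwww\n' > "$tmp/list2.txt"
    merge_wordlists "$tmp/list1.txt" "$tmp/list2.txt"
    rm -rf "$tmp"
}
```

In practice you would call `merge_wordlists` on the SecLists, FuzzDB and AssetNote files and pass the result to the puredns command in place of the single dns-Jhaddix.txt, and call `merge_subdomains` on the amass, subfinder and puredns outputs to get one clean in-scope list. The apex filter matters: passive sources often return lookalike names (notexample.com) or hosts where the target's name is only a prefix, and those are not in scope.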
I also have lots of other methods; we will discuss them in another blog post, since I don't want to make this blog too long. Happy hunting all 🎔
Using the methods listed above I was able to find some cool bugs like SQLi, reflected XSS and sensitive information disclosure.
In this blog we talked about the best wordlists for subdomain brute forcing that I personally use, and one powerful tool, OneForAll.
Thank you ❟❛❟ Make sure to follow me on Medium. I am going to write more blogs about bug bounties and security research.