
How to Detect Hidden Subdomains on Any Site with Subfinder « Null Byte :: WonderHowTo



When approaching a target, it is imperative to have an accurate and detailed attack plan. One of the main goals is to increase the attack surface, because the more opportunities there are for exploitation, the greater the chance of success. Subdomain enumeration is one method used to increase the attack surface, and here we use a tool called Subfinder to discover hidden subdomains.

Subdomain Enumeration Overview

Subdomain enumeration is an indispensable, and often overlooked, part of the reconnaissance phase. It is simply the process of finding subdomains for a particular domain or set of domains. This enumeration can often reveal many subdomains that are hidden or not publicly exposed, and the chance of finding vulnerabilities on forgotten assets is generally much higher than on those that receive regular attention.

Things like admin panels, staging environments, and other internal resources are often found on subdomains of the target. The assumption that something not linked from the main site cannot be found could not be further from the truth. As we will soon see, it is trivial for attackers to reveal hidden subdomains, increase the attack surface, and possibly find additional vulnerabilities or other juicy information.

There are a variety of methods that attackers use to enumerate subdomains for a target. One method uses certificate transparency logs to retrieve information about existing subdomains. This can be a quiet approach, but the downside is that sometimes not many results are returned.

Another popular method of enumerating subdomains uses passive sources for reconnaissance. Sublist3r used to be the go-to tool for this type of recon, but it has not seen much development lately and has since fallen out of favor with many security people.

Fortunately, Subfinder can fill that gap. Written in the Go programming language, it is simple, lightweight, and optimized for speed. The code base is modular, which makes it easy to contribute to and build on, and support for stdin and stdout is included for easy workflow integration.
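The certificate transparency method mentioned above comes down to pulling every name out of the certificates a CT log search returns and keeping the ones that belong to the target. The following is an added example, not code from the article or from Subfinder, that does exactly that on a constructed sample. The field names (`name_value`, `common_name`) follow the JSON shape returned by crt.sh searches; the hostnames and records are invented for the example.

```python
"""Extract candidate subdomains from certificate transparency (CT) search
results. Added example; the input records below are constructed, not real."""
import json

# Constructed CT entries. `name_value` carries the certificate's SAN list as a
# newline-separated string; wildcard and mixed-case names are deliberate.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"common_name": "admin.example.com",
     "name_value": "ADMIN.example.com\nexample.com"},
    # Out of scope: the apex appears as a prefix, not as the registered domain.
    {"common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nlogin.EXAMPLE.com "},
])


def in_scope(host, domain):
    """True if host is the domain itself or a subdomain of it.
    The leading dot enforces a label boundary, so 'badexample.com' is not
    treated as part of 'example.com'."""
    return host == domain or host.endswith("." + domain)


def extract_subdomains(ct_json, domain):
    """Return (hosts, wildcards): sorted unique in-scope hostnames found in the
    CT records, plus the bases of any wildcard names. A wildcard entry such as
    '*.staging.example.com' is recorded as 'staging.example.com' and flagged,
    since the certificate covers that label and everything beneath it."""
    found, wildcards = set(), set()
    for entry in json.loads(ct_json):
        names = set(entry.get("name_value", "").split("\n"))
        names.add(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
                if in_scope(name, domain):
                    wildcards.add(name)
            if in_scope(name, domain):
                found.add(name)
    return sorted(found), sorted(wildcards)


if __name__ == "__main__":
    hosts, wild = extract_subdomains(SAMPLE_CT_JSON, "example.com")
    for h in hosts:
        print(("* " if h in wild else "  ") + h)
```

The scope check is the part worth keeping: a naive `endswith("example.com")` would accept look-alike domains that merely end in the same string, which matters whether you are building an attack surface list or an inventory of your own organization's exposed names.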

Installing Subfinder

To get started with Subfinder, Go must be installed on our system. The easiest way to do this is through the package manager:

~# apt install golang

Then we can take the latest release from GitHub:

~# wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz

--2020-09-28 14:20:28--  https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-09-28 14:20:28--  https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.26.20
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.26.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3892616 (3.7M) [application/octet-stream]
Saving to: ‘subfinder_2.4.5_linux_amd64.tar.gz’

subfinder_2.4.5_linux_amd64.tar.gz        100%[=====================================================================================>]   3.71M  6.80MB/s    in 0.5s

2020-09-28 14:20:29 (6.80 MB/s) - ‘subfinder_2.4.5_linux_amd64.tar.gz’ saved [3892616/3892616]

And extract it in our current working directory:

~# tar xzf subfinder_2.4.5_linux_amd64.tar.gz

Then we can move the binary to a directory in our path so we can run it anywhere:

~# cp subfinder /usr/local/bin/

Now we can easily run Subfinder anywhere in our system:

~# subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Configuration file saved to /root/.config/subfinder/config.yaml
[FTL] Program exiting: no input list provided

Use the -h flag to see usage and help information:

~# subfinder -h

Usage of subfinder:
  -all
        Use all sources (slow) for enumeration
  -cd
        Upload results to the Chaos API (api-key required)
  -config string
        Configuration file for API Keys, etc (default "/root/.config/subfinder/config.yaml")
  -d string
        Domain to find subdomains for
  -dL string
        File containing list of domains to enumerate
  -exclude-sources string
        List of sources to exclude from enumeration
  -json
        Write output in JSON lines Format
  -ls
        List all available sources
  -max-time int
        Minutes to wait for enumeration results (default 10)
  -nC
        Don't Use colors in output
  -nW
        Remove Wildcard & Dead Subdomains from output
  -o string
        File to write output to (optional)
  -oD string
        Directory to write enumeration results to (optional)
  -oI
        Write output in Host,IP format
  -oJ
        Write output in JSON lines Format
  -r string
        Comma-separated list of resolvers to use
  -rL string
        Text file containing list of resolvers to use
  -recursive
        Use only recursive subdomain enumeration sources
  -silent
        Show only subdomains in output
  -sources string
        Comma separated list of sources to use
  -t int
        Number of concurrent goroutines for resolving (default 10)
  -timeout int
        Seconds to wait before timing out (default 30)
  -v    Show Verbose output
  -version
        Show version of subfinder

A useful feature of Subfinder is that it can use API keys from a variety of services for more thorough enumeration. The configuration file is created automatically when Subfinder is run for the first time and is usually located under the home directory:

~# nano ~/.config/subfinder/config.yaml

Scroll down to the bottom; there is a section where API keys can be entered:

binaryedge: example-api-key-goes-here-1a2b3c4d
censys: []
certspotter: []
chaos: []
dnsdb: []
github: []
intelx: []
passivetotal: []
recon: []
robtex: []
securitytrails: []
shodan: []
spyse: []
threatbook: []
urlscan: []
virustotal: []
zoomeye: []
subfinder-version: ""

Now that everything is configured, let's list some subdomains.

Find subdomains with Subfinder

The most basic way to use Subfinder is to provide it with a domain to enumerate. Use the -d flag to do so:

~# subfinder -d wonderhowto.com

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
piano.wonderhowto.com
hobbies-toys.wonderhowto.com
actionscript.wonderhowto.com
potato-gun.wonderhowto.com
techhutus.wonderhowto.com
wealth.wonderhowto.com
oldrepublic.wonderhowto.com

...

zines.wonderhowto.com
pilates.wonderhowto.com
lifestylewebtv.wonderhowto.com
canning.wonderhowto.com
magic-the-gathering.wonderhowto.com
ls1www.wonderhowto.com
[INF] Found 1018 subdomains for wonderhowto.com in 5 seconds 901 milliseconds

You can see how fast this is: it discovered more than a thousand subdomains in about five seconds. To increase verbosity and show the source each result came from, we can add the -v flag:

~# subfinder -d wonderhowto.com -v

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[hackertarget] djbyron200.wonderhowto.com
[hackertarget] rat-pack-election-10.wonderhowto.com
[hackertarget] xbox-360.wonderhowto.com
[hackertarget] wizard101.wonderhowto.com
[hackertarget] fifa-11.wonderhowto.com
[hackertarget] tech911.wonderhowto.com

...

Sometimes it is also useful to hide everything except the results, which is especially handy for scripts and automation. Use the -silent flag to output only subdomains:

~# subfinder -d wonderhowto.com -silent

embird.wonderhowto.com
php.wonderhowto.com
adobe-fireworks.wonderhowto.com
medical-diagonosis.wonderhowto.com
paralympic.wonderhowto.com
lifeschool.wonderhowto.com

...

We can also save the results to an output file for later use with the -o flag:

~# subfinder -d wonderhowto.com -o results.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ceramics.wonderhowto.com
motocross.wonderhowto.com
cricket.wonderhowto.com
3ds-max.wonderhowto.com

...

Subfinder can also take a list of domains to enumerate. Use the -dL flag followed by the file containing the list of domains:

~# subfinder -dL subs.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
australia.wonderhowto.com
bridge.wonderhowto.com
scavenger-hunt.wonderhowto.com

...

Alternatively, we can pipe the list as input to Subfinder:

~# cat subs.txt | subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ediblesinjars.wonderhowto.com
www.googleplus.wonderhowto.com

...

By default, Subfinder uses only some of its sources to discover hidden subdomains, trading thoroughness for speed. But we can tell the tool to use all sources with the -all option:

~# subfinder -d wonderhowto.com -all

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
canon5d.wonderhowto.com
teaching.wonderhowto.com
sailing.wonderhowto.com

...

odd.wonderhowto.com
oneplus.wonderhowto.com
fw3.www.wonderhowto.com
[INF] Found 1040 subdomains for wonderhowto.com in 1 minute 400 milliseconds

As you can see, it takes a little longer, but a few more results were returned. To see all the sources this tool uses, use the -ls flag:

~# subfinder -ls

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Current list of available sources. [35]
[INF] Sources marked with an * needs key or token in order to work.
[INF] You can modify /root/.config/subfinder/config.yaml to configure your keys / tokens.

alienvault
anubis
archiveis
binaryedge *
bufferover
cebaidu
censys
certspotter *
certspotterold
chaos *
commoncrawl
crtsh
dnsdumpster
dnsdb *
github *
hackertarget
ipv4info
intelx
passivetotal
rapiddns
riddler
recon *
robtex *
securitytrails *
shodan *
sitedossier
spyse *
sublist3r
threatbook *
threatcrowd
threatminer
virustotal *
waybackarchive
ximcx
zoomeye

As indicated by the information on the screen, sources marked with an asterisk need an API key or token to function. To select which sources to use during a scan, the -sources switch can be used:

~# subfinder -d wonderhowto.com -v -sources alienvault,censys,zoomeye

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[alienvault] i.wonderhowto.com
[alienvault] img.wonderhowto.com
[alienvault] about-technology.wonderhowto.com
[alienvault] computer-pranks.wonderhowto.com

...
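The -v, -silent, and -sources runs above produce three slightly different output shapes: `[source] host` lines, bare hostnames, and `[INF]`/`[WRN]` log lines mixed in. When feeding Subfinder into other tooling, the useful step is to normalize all of that into one deduplicated, scope-checked list that also records which source found each host, so you can judge which sources are worth enabling. The following is an added example, not part of the article or of Subfinder; the sample output is constructed to mimic the formats shown above, and the hostnames in it are invented.

```python
"""Normalize Subfinder output (-v, -silent, or plain) into a scoped,
deduplicated host -> sources map. Added example; sample input is constructed."""
import re
from collections import defaultdict

# Constructed sample mixing verbose `[source] host` lines, plain hosts,
# a wildcard result, an out-of-scope look-alike, and Subfinder log lines.
SAMPLE_OUTPUT = """\
[WRN] Use with caution. You are responsible for your actions
[INF] Enumerating subdomains for example.com
[alienvault] img.example.com
[alienvault] Admin.example.com
[hackertarget] admin.example.com
[crtsh] *.staging.example.com
[crtsh] lookalike-example.com
dev.example.com
dev.example.com.
[INF] Found 6 subdomains for example.com in 1 second 200 milliseconds
"""

LOG_PREFIXES = ("[INF]", "[WRN]", "[FTL]", "[ERR]")
SOURCE_LINE = re.compile(r"^\[(?P<source>[a-z0-9_-]+)\]\s+(?P<host>\S+)$", re.I)
# Conservative hostname syntax check after lowercasing: dotted labels of
# letters, digits and hyphens; rejects junk lines that slip past the filters.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$")


def in_scope(host, domain):
    """Label-boundary scope check: 'lookalike-example.com' is not in scope."""
    return host == domain or host.endswith("." + domain)


def parse_subfinder(text, domain):
    """Return {host: sorted sources} for in-scope hosts, sorted by host.
    Lines with no source tag (e.g. -silent output) are attributed to 'unknown'.
    Wildcard results are stored as their base name; trailing dots and case
    differences are collapsed so the same host is never counted twice."""
    hosts = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(LOG_PREFIXES):
            continue
        m = SOURCE_LINE.match(line)
        source, host = (m.group("source"), m.group("host")) if m else ("unknown", line)
        host = host.lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]
        if not HOST_RE.match(host) or not in_scope(host, domain):
            continue
        hosts[host].add(source.lower())
    return {h: sorted(s) for h, s in sorted(hosts.items())}


def source_counts(parsed):
    """Number of in-scope hosts each source contributed; useful when deciding
    what to pass to -sources or whether -all is worth the extra time."""
    counts = defaultdict(int)
    for sources in parsed.values():
        for s in sources:
            counts[s] += 1
    return dict(counts)


if __name__ == "__main__":
    result = parse_subfinder(SAMPLE_OUTPUT, "example.com")
    for host, sources in result.items():
        print(f"{host:28s} {','.join(sources)}")
    print(source_counts(result))
```

In a real pipeline the text would come from `subfinder -d example.com -v` captured to a file, or from `-silent` output on stdin; the parser does not care which, since the log-line filter and the source regex handle both shapes. The per-source counts are the piece that answers the "-all or not" question in the text with data rather than a guess.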

Wrapping Up

In this tutorial, we learned a little about subdomain enumeration and how it can help penetration testers and hackers increase the total attack surface. First we installed Subfinder and got it configured on our system. Then we ran through some of the options this tool has to offer, including enumerating multiple domains, customizing the output, and using API keys to improve the reconnaissance. Pretty simple, right?


Cover image by Mauricio Mascaro / Pexels
