Identifying Subdomains Guide - pentestfunctions/Hacking-For-Beginners GitHub Wiki
# Subdomain Enumeration Guide for CTF Challenges

This guide provides a comprehensive set of commands and websites for subdomain enumeration targeting example.com in a CTF (Capture The Flag) context.
## Table of Contents

- Using Search Engines
- Certificate Transparency Logs
- DNS Brute Forcing
- Checking DNS Zone Transfers
- Third-Party Services
- Subdomain Enumeration Tools
- Archives (Wayback Machine)
- DNS Record Analysis
- Subdomain Takeover Tools
- Additional Online Tools
## Using Search Engines

- Google: Use the `site:` operator. For example, search for `site:*.example.com`.
- Bing, Yahoo, Baidu: Similar approach with the `site:` operator.
## Certificate Transparency Logs

- Visit crt.sh and search for `%.example.com`.
## DNS Brute Forcing

```bash
fierce --domain example.com
dnsenum example.com
```
## Checking DNS Zone Transfers

```bash
dig axfr example.com @nameserver
```

Replace `nameserver` with one of the authoritative name servers for example.com (the hosts listed in its NS records).
## Third-Party Services

- VirusTotal: Domain View for example.com.
- Censys: Censys.io search.
- Shodan: Shodan hostname search.
## Subdomain Enumeration Tools

```bash
amass enum -d example.com
sublist3r -d example.com
subfinder -d example.com
```
## Archives (Wayback Machine)

- Visit the Wayback Machine for `*.example.com`.
- https://web.archive.org/cdx/search/cdx?url=*.example.com&output=xml&fl=original&collapse=urlkey
- The command below, if you have zenity installed, will launch a box for you to type into if the variable `$target` is not set.
- Use the domain like `site.com` and not `https://site.com` or `www.site.com`.
- It will then reach out to the web archive and look for cached webpages, retrieve the hostnames, and probe them with httpx. You will also need httpx in your PATH.
- To install httpx:

```bash
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
```

```bash
# Prompt for the target with zenity when $target is not already set.
[ -z "$target" ] && target=$(zenity --entry --text "What is your target?" --title "Set Target Variable") && echo "You have chosen: $target"

# Pull every archived URL under *.$target from the CDX API, reduce each one to
# scheme://host, de-duplicate, and probe the resulting hosts with httpx.
[ -n "$target" ] && curl -s "https://web.archive.org/cdx/search/cdx?url=*.${target}&output=xml&fl=original&collapse=urlkey" \
  | grep -oP 'https?://[^/]*' \
  | sort -u \
  | httpx -u "$target" -title -tech-detect -status-code -cl -ct -location -rt -lc -wc -server -method -ip -cname -cdn -probe -silent
```
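Both crt.sh (Certificate Transparency Logs above) and the Wayback CDX endpoint hand back raw names that need the same clean-up before they are useful: crt.sh's `name_value` field packs several names per record and includes `*.` wildcards, and CDX returns full URLs with ports and paths, many of them on third-party hosts. The script below is an added example, not code from the original wiki or from crt.sh, the Internet Archive, or httpx; it shows one way to parse both formats into a single de-duplicated, in-scope host list. The sample crt.sh JSON and CDX text are constructed inputs, not real query results, and the `.test` hostnames are placeholders.

```python
"""Normalize hostnames from crt.sh (output=json) and the Wayback CDX API
(fl=original) into one de-duplicated list scoped to a single apex domain.
Added example; the sample inputs below are constructed, not real results."""
import json
from urllib.parse import urlsplit

# Constructed crt.sh output=json: name_value may hold several newline-separated
# names, wildcard entries, mixed case and duplicates.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},
    {"name_value": "Mail.Example.com"},
    {"name_value": "dev.example.com\ndev.example.com"},
    {"name_value": "example.com.evil-lookalike.test"},  # constructed out-of-scope name
])

# Constructed CDX output: one archived URL per line, some on third-party hosts.
SAMPLE_CDX_TEXT = """\
http://www.example.com/
https://www.example.com/login
https://Old.example.com:8443/admin
https://cdn.thirdparty.test/lib.js
http://example.com/
"""


def in_scope(host, apex):
    """Return the lowercased host if it is apex or a subdomain of apex, else None."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # *.example.com tells us nothing beyond example.com itself
    if host == apex or host.endswith("." + apex):
        return host
    return None  # rejects look-alikes such as notexample.com or example.com.x.test


def hosts_from_crtsh(json_text, apex):
    """Parse crt.sh output=json and return sorted in-scope hostnames."""
    found = set()
    for record in json.loads(json_text):
        for name in record.get("name_value", "").splitlines():
            host = in_scope(name, apex)
            if host:
                found.add(host)
    return sorted(found)


def hosts_from_cdx(cdx_text, apex):
    """Parse CDX 'original' URLs (one per line) and return sorted in-scope hostnames."""
    found = set()
    for line in cdx_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "://" not in line:
            line = "http://" + line  # urlsplit needs a scheme to find the host
        host = urlsplit(line).hostname  # strips scheme, userinfo, port and path
        if host:
            host = in_scope(host, apex)
            if host:
                found.add(host)
    return sorted(found)


def merge_hosts(apex, crtsh_json=SAMPLE_CRTSH_JSON, cdx_text=SAMPLE_CDX_TEXT):
    """Union of both sources: a clean list to feed to a resolver or to httpx."""
    return sorted(set(hosts_from_crtsh(crtsh_json, apex)) | set(hosts_from_cdx(cdx_text, apex)))


if __name__ == "__main__":
    for h in merge_hosts("example.com"):
        print(h)
```

The scope check is the part that matters in practice: a plain `grep` over CDX output (as in the shell one-liner) also returns every third-party host the archived pages referenced, and crt.sh wildcard entries add nothing beyond the apex, so filtering before probing keeps the httpx run on the names that are actually part of the target.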
## DNS Record Analysis

```bash
dig +short example.com
dig +short -t CNAME example.com
```
## Subdomain Takeover Tools

```bash
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
knockpy example.com
```
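The signal tools like subjack look for is a dangling CNAME: a record in your zone that points at a hostname which no longer resolves, typically because a hosted service was decommissioned without the DNS entry being removed. The script below is an added example, not code from the original wiki or from subjack or knockpy, written from the zone owner's side as an audit of an inventory of CNAME records. The resolver is injectable so the logic runs offline on constructed data in the test; the default resolver, `socket.gethostbyname`, only checks for an A record, which is an assumption you may want to widen (AAAA, or a proper DNS library) for a real zone. The `hosting-provider.test` names are constructed placeholders.

```python
"""Flag CNAME records whose target no longer resolves (dangling CNAMEs),
the condition subdomain-takeover checkers report.  Added example, not part
of the original wiki; the inventory below is constructed sample data."""
import socket

# Constructed inventory: hostname -> CNAME target (None = no CNAME).
# In practice this comes from your zone file or `dig +short -t CNAME <host>`.
SAMPLE_CNAMES = {
    "www.example.com": None,
    "shop.example.com": "shop-prod.hosting-provider.test",
    "old-blog.example.com": "retired-tenant.hosting-provider.test",
    "docs.example.com": "docs-site.hosting-provider.test",
}

# Constructed view of which targets currently resolve; used only by the
# offline resolver so the example does not need network access.
SAMPLE_RESOLVABLE = {
    "shop-prod.hosting-provider.test",
    "docs-site.hosting-provider.test",
}


def socket_resolves(host):
    """Default resolver: True if the OS resolver returns an A record for host."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def make_fake_resolver(resolvable):
    """Build an offline resolver backed by a constructed set of live names."""
    live = {name.rstrip(".").lower() for name in resolvable}
    return lambda host: host.rstrip(".").lower() in live


def find_dangling_cnames(cnames, resolves=socket_resolves):
    """Return [(host, target)] for every host whose CNAME target does not resolve.

    A dangling CNAME is a risk signal, not proof of takeover: whether the
    target name can be re-registered by someone else depends on the provider.
    Either way the fix is the same: remove or repoint the stale record.
    """
    dangling = []
    for host, target in sorted(cnames.items()):
        if target is None:
            continue  # no CNAME, nothing to dangle
        if not resolves(target):
            dangling.append((host, target))
    return dangling


if __name__ == "__main__":
    # Offline demonstration on the constructed inventory above.
    offline = make_fake_resolver(SAMPLE_RESOLVABLE)
    for host, target in find_dangling_cnames(SAMPLE_CNAMES, offline):
        print(f"{host} -> {target} (target does not resolve)")
```

Running this periodically against your own zone, with the default resolver, catches the stale records before an enumeration tool does; the constructed run above reports only `old-blog.example.com`, whose target is absent from the live set.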
## Additional Online Tools

- DNSDumpster
- https://securitytrails.com/
- https://shodan.io/
- https://securitytrails.com/list/apex_domain/example.com
Note: Always ensure you have permission to perform these actions on the target domain to avoid legal issues.