From Enumeration to Takeover: Crack the Code of Subdomain Vulnerabilities!

enigma
5 min readSep 27, 2024


In the world of bug bounty hunting, subdomain enumeration is an essential skill for uncovering hidden parts of a target’s web infrastructure. Subdomains can house sensitive information, misconfigurations, and unprotected resources that can lead to vulnerabilities like subdomain takeovers.

This guide will walk you through a powerful subdomain enumeration methodology, showcasing tools like Google Dorking, OWASP Amass, Gobuster, and more to discover hidden endpoints and assess vulnerabilities.

Methodology Overview

The steps to mastering subdomain enumeration and takeover involve:

  1. Enumerating subdomains from different sources.
  2. Removing duplicates from the lists.
  3. Collecting CNAME records.
  4. Enumerating live subdomains.
  5. Identifying any abnormal behavior.
  6. Analyzing results to find potential takeovers or security issues.

Step 1: Collecting Subdomains

The first step is to gather as many subdomains as possible. We’ll start with Google Dorking, followed by passive enumeration with tools like OWASP Amass and brute-force techniques using Gobuster.

Subdomain enumeration with Google Dorking, OWASP Amass, and Gobuster

Passive Subdomain Enumeration with Google Dorking

site:*.redacted.com -www -www1 -blog
site:*.*.redacted.com -product

Google Dorking can reveal publicly indexed subdomains. The site: operator restricts the search to the target domain (redacted.com), while -www, -www1 and -blog exclude well-known subdomains from the results so that lesser-known ones surface. The second query, site:*.*.redacted.com, targets subdomains nested one level deeper.

Passive Subdomain Enumeration with OWASP Amass

amass enum -passive -d redacted.com -config config.ini -o amass_passive_subs.txt

Amass is a powerful tool for passive subdomain enumeration, gathering subdomains from various public sources. The -passive flag ensures that it only uses passive methods, avoiding active probing that could alert the target. Results are saved to amass_passive_subs.txt.

Subdomain Brute Force Using Gobuster

gobuster dns -d redacted.com -w wordlist.txt --show-cname --no-color -o gobuster_subs.txt

Gobuster performs brute-force enumeration by trying a large list of candidate subdomains against the target domain (redacted.com). The -w wordlist.txt flag specifies the wordlist file, --show-cname includes CNAME records in the output, and --no-color keeps the output file free of terminal escape codes.

Subfinder and Assetfinder for Comprehensive Subdomain Enumeration

subfinder -dL domains.txt -all -recursive -o subs.txt
cat domains.txt | assetfinder --subs-only | tee -a subs2.txt

Subfinder and Assetfinder are additional tools that can enumerate subdomains from different sources. Here, subfinder reads domains from domains.txt, performs recursive searches, and outputs the results to subs.txt. Similarly, assetfinder finds subdomains and appends them to subs2.txt.

Step 2: Sorting Subdomain Results

After collecting subdomains from multiple tools, it’s important to remove duplicates and consolidate them into a single file for further analysis.

Yeah, we will become hackers 😶‍🌫️.

Removing Duplicates with Anew

# Merging subdomain results into a single file
cat google_subs.txt amass_passive_subs.txt gobuster_subs.txt | anew subdomains.txt

Here, we use the anew tool to merge all subdomain results into subdomains.txt. anew only appends lines that are not already present in the output file, so the combined output from Google Dorking, Amass, and Gobuster ends up deduplicated, and the command can be re-run safely as new results come in.

Combining and Sorting Subdomains

cat subs.txt subs2.txt | sort -u | tee -a all-subs.txt

This command merges subs.txt and subs2.txt, sorts them and drops duplicates (-u), and appends the result to all-subs.txt. This provides a cleaned, sorted list of unique subdomains from all sources.
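Raw tool output rarely deduplicates cleanly with sort -u alone: the same host can appear with different casing, with a wildcard prefix (*.api.redacted.com), with a trailing dot, or as an out-of-scope name pulled in from a shared certificate. The function below is an added example, not part of the original post or of any of the tools above; it assumes the merged lists arrive on stdin and that the in-scope apex domain is passed as its only argument.

```bash
#!/bin/bash
# normalize_subs <apex-domain>
# Reads candidate subdomains on stdin and prints a clean, unique, in-scope list:
#   - lowercases everything (DNS names are case-insensitive)
#   - strips surrounding whitespace, a leading "*." wildcard and a trailing "."
#   - keeps only names that end in ".<apex-domain>" (the apex itself is excluded)
#   - sorts and deduplicates
# Usage (assumed file names from the post): cat subs.txt subs2.txt | normalize_subs redacted.com > all-subs.txt
normalize_subs() {
  local scope_re
  # Escape the dots of the apex so they match literally in the regex below.
  scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "^([a-z0-9_-]+\.)+${scope_re}\$" \
    | sort -u
}

# Constructed sample input (not real enumeration output) showing the cases handled.
sample_input() {
  printf 'API.redacted.com\n*.api.redacted.com\napi.redacted.com.\n\nmail.redacted.com\nevil.com\nredacted.com.evil.com\n'
}

# Run on the sample when executed directly; pipe real lists into normalize_subs otherwise.
if [ -n "${1:-}" ]; then
  sample_input | normalize_subs "$1"
fi
```

Run as ./normalize.sh redacted.com to see the sample collapse to two names; in the real pipeline, replace the sample with the concatenated tool outputs. The scope filter also protects against accidentally probing hosts you are not authorised to test.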

Step 3: Identifying Subdomain Takeover Opportunities

Subdomain takeovers occur when a subdomain still points, usually through a CNAME record, to a service or resource that no longer exists, so that whoever registers that resource controls what the subdomain serves. Identifying this involves probing the subdomains for DNS records that no longer resolve.

Checking for Possible Subdomain Takeover

nslookup subdomain.com
host subdomain.com

These basic commands (nslookup and host) check whether the subdomain resolves. If the response is NXDOMAIN (non-existent domain) or the name is otherwise not resolved, a subdomain takeover may be possible. An NXDOMAIN on its own is not proof, though: the name also has to point (via CNAME) to a third-party service where the dangling target can still be claimed, which is why the next step collects CNAME records.

Step 4: Collecting CNAME Records

Collecting CNAME records helps you identify third-party services or potential misconfigurations.

Enumerating CNAME Records

./cname.sh -l subdomains.txt -o cnames.txt

This custom script (cname.sh) extracts CNAME records from the list of subdomains (subdomains.txt) and saves them to cnames.txt. CNAMEs can reveal where subdomains point and if a service is misconfigured.

#!/bin/bash
# cname.sh - resolve the CNAME record of every subdomain in a list.
# Usage: ./cname.sh -l subdomains.txt -o cnames.txt

# Defaults, overridable with -l (input list) and -o (output file)
input_file="subdomains.txt"
output_file="cname_records.txt"

while getopts "l:o:" opt; do
  case "$opt" in
    l) input_file="$OPTARG" ;;
    o) output_file="$OPTARG" ;;
    *) echo "Usage: $0 -l <subdomain list> -o <output file>" >&2; exit 1 ;;
  esac
done

# Clear the output file if it exists
: > "$output_file"

# Loop through each subdomain in the input file, skipping blank lines
while IFS= read -r subdomain; do
  [ -z "$subdomain" ] && continue

  # Use dig to get the CNAME record (first entry if several are returned)
  cname_record=$(dig +short CNAME "$subdomain" | head -n 1)

  # Record the CNAME target, or "####" when the name has no CNAME
  if [ -n "$cname_record" ]; then
    echo "$subdomain -> $cname_record" | tee -a "$output_file"
  else
    echo "$subdomain -> ####" >> "$output_file"
  fi
done < "$input_file"

echo "CNAME records have been saved to $output_file"

Using HTTPX for CNAME Collection

httpx -l subdomains.txt -cname -o cnames.txt

Alternatively, HTTPX is a more versatile tool that can collect CNAMEs while probing: the -cname flag adds the CNAME of each host to its output line, and -o writes the results to cnames.txt. HTTPX is often faster and provides additional functionality.
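The Step 3 resolution check and the Step 4 CNAME collection are really one question per host: does the name still resolve, and if not, is it a CNAME whose target has disappeared? The script below is an added example, not the post's cname.sh or any tool's own code. It assumes dig is installed and a list with one subdomain per line; the lookup function is the only part that touches the network, so it can be replaced by a stub for offline testing, and the labels are written from the defender's side (which records to delete or reclaim).

```bash
#!/bin/bash
# Added example: label every subdomain in a list by its DNS state.
# Assumes `dig` and one subdomain per line; file names are placeholders.

# lookup <name>
# Prints "<cname-target-or-dash> <status>", where status is the response
# code dig reports for the name (NOERROR, NXDOMAIN, SERVFAIL, ...) or
# TIMEOUT when no answer came back at all.
lookup() {
  local name="$1" cname status
  cname=$(dig +short CNAME "$name" | head -n 1)
  status=$(dig +noall +comments "$name" \
           | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
  printf '%s %s\n' "${cname:--}" "${status:-TIMEOUT}"
}

# classify <subdomain> <cname> <status>
# Pure function, no network I/O, so it is easy to test:
#   DANGLING - CNAME to a target that no longer exists. This is the takeover
#              signal; the fix is to delete the record or reclaim the target.
#   DEAD     - no CNAME and the name itself does not resolve: a stale entry
#              in the list, not a takeover candidate by itself.
#   LIVE     - resolves normally.
#   UNKNOWN  - resolver error (SERVFAIL/TIMEOUT); re-check before acting.
classify() {
  local sub="$1" cname="$2" status="$3"
  case "$status" in
    NXDOMAIN)
      if [ "$cname" != "-" ]; then
        echo "DANGLING $sub -> $cname"
      else
        echo "DEAD $sub"
      fi ;;
    NOERROR) echo "LIVE $sub" ;;
    *)       echo "UNKNOWN $sub ($status)" ;;
  esac
}

# scan_list <file>: run lookup + classify for every non-empty line.
scan_list() {
  local file="$1" sub rec cname status
  while IFS= read -r sub; do
    [ -z "$sub" ] && continue
    rec=$(lookup "$sub")
    cname=${rec%% *}
    status=${rec##* }
    classify "$sub" "$cname" "$status"
  done < "$file"
}

# Only touch the network when a list is given on the command line, e.g.
#   ./dns-state.sh subdomains.txt | grep '^DANGLING' > dangling.txt
if [ -n "${1:-}" ]; then
  scan_list "$1"
fi
```

A DANGLING line means the record in your own zone is pointing at something nobody owns any more; a resolver reports NXDOMAIN for the name because it follows the CNAME and the target's zone has no entry. Whether that target can actually be re-registered depends on the provider it lives under, so the line is the starting point for a manual check, not a verdict.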

Step 5: Enumerating Live Subdomains

Now, it’s time to identify which subdomains are active. This can be done by probing for live HTTP/HTTPS services.

Probing for Live Subdomains

httpx -l subdomains.txt -p 80,443,8080,3000 -status-code -title -o servers_details.txt

HTTPX probes the list of subdomains (subdomains.txt) on ports 80, 443, 8080, and 3000, checking for HTTP/HTTPS services. It saves the response status codes and page titles to servers_details.txt for further analysis.

Probing and Listing Live Subdomains

cat all-subs.txt | httpx | tee -a live-subs.txt

This command uses HTTPX to probe all subdomains in all-subs.txt, saving the results to live-subs.txt. This list contains only the live subdomains that are actively serving content.

Step 6: Screenshotting Live Subdomains

To enhance manual analysis, it’s useful to capture screenshots of live subdomains.

Screenshotting with HTTPX

httpx -l live-subs.txt -screenshot -o output/screenshots

This command instructs HTTPX to take screenshots of all live subdomains listed in live-subs.txt and save them in the output/screenshots directory. This is especially helpful for visual identification of interesting targets.

Conclusion

By following this step-by-step guide, you’ll be able to systematically discover hidden subdomains, analyze them for vulnerabilities, and identify potential subdomain takeovers. Utilizing a combination of tools like Google Dorking, OWASP Amass, Gobuster, Subfinder, and HTTPX ensures comprehensive subdomain enumeration, increasing your chances of uncovering high-value targets in bug bounty programs.

Thanks ! 🤗
