In this blog, I’ll share various methods to uncover hidden subdomains of a website. Subdomain enumeration is a crucial part of reconnaissance, and mastering it can lead to finding hidden vulnerabilities. Let’s dive in!!
Subdomain enumeration falls under active reconnaissance and plays a key role in security research. Hidden subdomains often host outdated or misconfigured services, making them prime targets for exploitation. Finding these can give you a strategic edge in ethical hacking and bug bounty hunting.
Some online tools make subdomain hunting super easy:
These powerful search engines can help you find subdomains linked to a target.
Shodan Command:
hostname:"*.example.com"
Censys Command:
subdomains example.com
Check crt.sh for subdomains associated with SSL/TLS certificates:
Query URL:
https://crt.sh/?q=%25.example.com
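The crt.sh query above returns one row per logged certificate, and a single certificate can carry many names, wildcards and mixed case, so the raw result needs cleaning before it becomes a subdomain list. The following Python is an added example (not code from the original post) that parses the JSON crt.sh produces when `&output=json` is appended to the query URL; the rows below are constructed sample data, not real crt.sh output.

```python
import json

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (one object per logged certificate; these rows are made up for the example)
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Staging-API.Example.com",
     "name_value": "Staging-API.Example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list:
    """Return the sorted, unique hostnames below `domain` found in crt.sh JSON.

    - name_value holds every SAN of the certificate, newline separated
    - wildcard entries (*.example.com) are dropped: they name no host
    - names are lowercased (DNS is case-insensitive) and de-duplicated
    - only names ending in '.<domain>' are kept, so a look-alike such as
      'example.com.evil.test' is excluded and so is the apex itself
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    found = set()
    for row in json.loads(crtsh_json):
        for name in row.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name.endswith(suffix):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Fetching the live JSON is a single HTTP GET to the URL above with `&output=json`; the parser is kept separate so it can be run against a saved response.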
Use Google search to find hidden subdomains:
1. Use the Google dork below to search for subdomains:
site:*.example.com
2. Exclude already-known subdomains to speed up the search by adding -<domain> to the dork above. For example, if www.example.com is already known, filter it out with the following dork:
site:*.example.com -www -mail -service
The above dork removes common subdomains like www, mail, and service, helping you uncover lesser-known ones. You can refine your search further using -<domain> filters!
When online resources don’t cut it, brute-forcing comes in handy. Grab a subdomain wordlist and start brute-forcing!
Gobuster:
gobuster dns -d example.com -t 30 -w subdomain_wordlist.txt -o output.txt
dnscan:
git clone https://github.com/rbsec/dnscan.git
cd dnscan
python3 dnscan.py -d example.com -w subdomain_wordlist.txt -R 8.8.8.8
Other Tools:
Subfinder, Amass, Knockpy, and MassDNS.
🔗 Get Wordlists: Assetnote Wordlists
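One thing the brute-force tools above have to deal with is wildcard DNS: if `*.example.com` resolves, every word in the list "hits" and the output is useless. The Python below is an added example (not from the original post or from Gobuster/dnscan) showing the check those tools perform: resolve a few random labels first, treat the addresses they return as the wildcard answer set, and report only names whose addresses differ from it. The `FAKE_ZONE` table and `fake_resolver` are constructed so the example runs offline; `system_resolver` is the drop-in that uses the OS resolver.

```python
import secrets
import socket
from typing import Callable, Dict, FrozenSet, Iterable

Resolver = Callable[[str], FrozenSet[str]]


def system_resolver(name: str) -> FrozenSet[str]:
    """Resolve `name` to its set of addresses via the OS resolver; empty set on NXDOMAIN."""
    try:
        return frozenset(info[4][0] for info in socket.getaddrinfo(name, None))
    except socket.gaierror:
        return frozenset()


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve a few random labels under `domain`; whatever they return is the wildcard answer."""
    answers = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, practically never a real host
        answers |= resolve(f"{label}.{domain}")
    return frozenset(answers)


def brute_force(domain: str, words: Iterable[str],
                resolve: Resolver = system_resolver) -> Dict[str, FrozenSet[str]]:
    """Try every word as a label under `domain`, filtering out wildcard-only answers.

    Known limitation: a real host that happens to share the wildcard address is
    indistinguishable from the wildcard and is dropped too.
    """
    wildcard = detect_wildcard(domain, resolve)
    hits = {}
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        real = resolve(fqdn) - wildcard
        if real:
            hits[fqdn] = real
    return hits


# Constructed zone for the offline demonstration: any name not listed resolves to the
# wildcard address 203.0.113.9 (TEST-NET-3 documentation range, not a real host)
FAKE_ZONE = {
    "www.example.com": frozenset({"203.0.113.10"}),
    "mail.example.com": frozenset({"203.0.113.25"}),
    "dev.example.com": frozenset({"203.0.113.9"}),  # listed, but same IP as the wildcard
}


def fake_resolver(name: str) -> FrozenSet[str]:
    return FAKE_ZONE.get(name, frozenset({"203.0.113.9"}))


if __name__ == "__main__":
    for fqdn, addrs in brute_force("example.com", ["www", "mail", "dev", "ftp"],
                                   resolve=fake_resolver).items():
        print(fqdn, sorted(addrs))
```

Against a live target, pass a wordlist file's lines as `words` and leave `resolve` at its default; the wildcard probe costs three extra queries and saves reading through thousands of false positives.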
This technique uncovers subdomains by identifying the IP range associated with the target and performing a reverse DNS lookup on each address in it.
1. Find the IP of the main domain.
2. Get its subnet mask.
3. Generate a range of IPs within the subnet.
4. Perform a reverse lookup to find associated domain names.
Command:
sudo apt install prips
prips 192.168.1.0/24 > ip.txt
while read ip; do nslookup "$ip"; done < ip.txt | grep "example.com"
Alternative without prips:
for ip in $(seq 1 254); do host 192.168.1.$ip | grep "example.com"; done > domain.txt
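The four steps above, carried out in Python as an added example (not part of the original post): `ipaddress` expands the CIDR from steps 2 and 3 into host addresses, each gets a PTR lookup, and only names under the target domain are kept. The `FAKE_PTR` table is constructed so the example runs offline against the 192.0.2.0/29 documentation range; `system_ptr` is the drop-in that queries real PTR records.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

PtrLookup = Callable[[str], Optional[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Return the PTR name for `ip` via the OS resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_sweep(cidr: str, domain: str, lookup: PtrLookup = system_ptr) -> Dict[str, str]:
    """Look up the PTR record of every host address in `cidr`; keep names under `domain`.

    strict=False accepts a host address with its mask (e.g. 192.168.1.5/24), which is
    what step 1 and step 2 of the procedure usually hand you.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    results = {}
    for addr in net.hosts():
        name = lookup(str(addr))
        if name is None:
            continue
        name = name.lower().rstrip(".")  # PTR data may be mixed case and end in '.'
        if name == domain or name.endswith(suffix):
            results[str(addr)] = name
    return results


# Constructed PTR table for the offline demonstration (192.0.2.0/29, documentation range)
FAKE_PTR = {
    "192.0.2.1": "gw.isp.example.net",      # neighbouring host, not the target domain
    "192.0.2.2": "vpn.example.com.",        # trailing dot as returned by some resolvers
    "192.0.2.5": "INTRANET.Example.COM",    # mixed case
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for ip, name in reverse_sweep("192.0.2.0/29", "example.com", lookup=fake_ptr).items():
        print(ip, name)
```

Suffix matching on `.example.com` matters here just as much as in the grep pipeline above: a PTR like `example.com.other.net` would otherwise pass a plain substring match.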
Subdomain enumeration is a game-changer in security research. Whether you’re using online tools, brute-force methods, or reverse DNS lookups, the goal is to uncover the unseen.