When doing bug bounties and you come across a really broad scope like *.example.com, the bug bounty hunter has to spend some quality time finding all the subdomains and endpoints. Only then can they start the real bug hunting. In this post I will cover what I have learned about doing subdomain enumeration for bug bounties.
Finding subdomains is one of the first reconnaissance steps required before you get stuck into the bug hunting. Bug bounty and hacking gurus such as Jason Haddix, STOK, John Hammond and others all have their own approach. Here I will cover some of the tools and some automation frameworks so you can keep a close watch for new subdomains. New subdomains = new places to find bounties ($$).
What is a Subdomain?
Subdomains are a prefix added to your domain name. For example, if your domain is target.com then the subdomain mail.target.com takes “target.com” and adds “mail.” in front of it to create a new subdomain. Subdomains can take you to completely different apps within the organisation, for example email, LDAP, SMB, company portals, etc.
Below you will find some examples of subdomains.
Do Bug Bounty hunters care about Subdomains?
For sure they care, because the organisation will probably have different services running on each subdomain. For example, one could be a web server and one could be a mail server or LDAP server, etc. Each one of these is a potential bug bounty haven. They can also indicate other juicy targets such as development, test and production environments.
In order to proceed we need a few things.
- A modern Linux distribution, such as Ubuntu, Fedora, Kali, BlackArch, etc.
- Some packages installed.
- Some Targets
It makes total sense to run any type of enumeration from a VPS provider. This saves your ISP getting angry with you, or your IP getting banned. Do this a few times from your own ISP connection and it won't be long before you have to do a CAPTCHA for every site you visit.
Passive Vs Active Recon
“Recon” is a US military term, short for reconnaissance, which means finding information about the enemy. There are two approaches to this, active and passive. Let's take a brief look at each.
Active recon is where you directly engage with the target to gather information. When the active approach is taken, your recon is for sure going to start appearing in the target's security log files.
Passive recon is a hands-off approach. This is where you gather information without actually touching the target's infrastructure. With the passive approach nothing of what you do will appear in the target's security log files.
Tools for Subdomain Enumeration
There are many tools for subdomain enumeration. Below I will outline the most common, their type, and whether each is passive or active.
| Tool | Type | Description | Passive/Active |
|---|---|---|---|
| gau | Software | getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. | Passive |
| subfinder | Software | Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. | Passive |
| amass | Software | The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery. | Active/Passive |
| knock | Software | Knockpy is a Python 3 tool designed to quickly enumerate subdomains on a target domain through dictionary attack. | Active |
| shodan.io | Search Engine | Shodan gathers information about all devices directly connected to the Internet. | Passive |
| app.netlas.io | Search Engine | app.netlas.io gathers information about all devices directly connected to the Internet. | Passive |
| https://bgp.he.net/ | Search Engine | Search through ASNs for domain information. | Passive |
| finddomain | Online tool | Paid-for solution that tracks all subdomains on your behalf. | Passive |
| gobuster | Software | Gobuster is a tool used to brute-force open S3 buckets, URLs and DNS virtual host names. | Active |
| wfuzz | Software | Web fuzzer that can also do subdomain fuzzing. | Passive |
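As an added example (not code from the original post), here is a small shell script that turns the passive tools above into the kind of "new subdomain" watch mentioned at the start: it merges subfinder and amass output, normalises the hostnames, and diffs them against the list saved from the previous run. It assumes both tools are on PATH; the sample data in make_sample is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Merges passive subfinder
# and amass output (both assumed on PATH), normalises it, and prints only
# the subdomains not present in a saved list from a previous run.
set -eu
export LC_ALL=C   # deterministic sort order for comm(1)

# normalize_hosts DOMAIN: read raw hostnames on stdin, lowercase them,
# strip whitespace and trailing dots, keep only names ending in DOMAIN,
# and emit a sorted, de-duplicated list.
normalize_hosts() {
    re=$(printf '%s' "$1" | sed 's/\./\\./g')      # escape dots for grep -E
    tr 'A-Z' 'a-z' | tr -d ' \t\r' | sed 's/\.$//' | grep -v '^$' \
        | { grep -E "(^|\.)${re}\$" || true; } | sort -u
}

# new_subdomains OLD_FILE NEW_FILE: names in NEW_FILE that are absent from
# OLD_FILE. Both files must already be normalized (sorted, unique).
new_subdomains() {
    comm -13 "$1" "$2"
}

# collect_passive DOMAIN: run whichever passive tools are installed and
# feed everything through normalize_hosts. Both tools query third-party
# data sources, so nothing here touches the target's own infrastructure.
collect_passive() {
    {
        if command -v subfinder >/dev/null 2>&1; then subfinder -d "$1" -silent; fi
        if command -v amass >/dev/null 2>&1; then amass enum -passive -d "$1"; fi
    } | normalize_hosts "$1"
}

# make_sample DIR: constructed sample data standing in for two runs against
# target.com (note the mixed case, trailing dot, duplicate and off-scope host).
make_sample() {
    printf 'www.target.com\nMAIL.target.com.\nmail.target.com\n' > "$1/old.raw"
    printf 'www.target.com\nmail.target.com\ndev.target.com\nwww.other.com\n' > "$1/new.raw"
}

# Usage: ./watch_subs.sh target.com known.txt
# Prints newly seen subdomains and updates known.txt for the next run.
if [ "$#" -eq 2 ]; then
    touch "$2"
    collect_passive "$1" > "$2.tmp"
    new_subdomains "$2" "$2.tmp"
    mv "$2.tmp" "$2"
fi
```

Run it from cron on a VPS and the only output you get is the names that were not in known.txt last time.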
Frameworks for Subdomain Enumeration
Instead of using all the tools one by one, some good people have created frameworks that allow for greater automation. Let's take a look at two of them.
Recon for the Win (ReconFTW) automates the entire reconnaissance process for you. It does the work of subdomain enumeration along with various vulnerability checks and obtains as much information as possible about your target. It can do both active and passive recon.
To run a passive scan
./reconftw.sh -d target.com -p
To run an active scan
./reconftw.sh -d target.com -r
There is also the option to run a subdomain-only enumeration, using the -s option.
./reconftw.sh -d target.com -s
You can find the full list of tools run in each scan type over at the GitHub wiki page.
Axiom is a dynamic infrastructure framework which allows you to spin up many VPS systems and spread the workload across them. You can run many of the above subdomain enumeration commands via Axiom.
I hope you got some value from this blog post. If I missed anything you think should be here, send me a message over on Twitter.