What's the need? 🤔

What is subdomain enumeration?

It is one of the most crucial parts of the reconnaissance phase while performing a security assessment. Subdomain Enumeration is a process of finding sub-domains of one or more root domains. According to RFC 1034, "a domain is a subdomain of another domain if it is contained within that domain".

What's the need?

  • Performing subdomain enumeration with a variety of intensive techniques enlarges your attack surface: you get more assets on which to look for vulnerabilities.
  • Thorough subdomain enumeration helps you find hidden or untouched subdomains, where your competition for bugs is smaller and duplicates are therefore fewer.
  • Applications running on hidden subdomains that the organization has forgotten about may lead to critical vulnerabilities.
  • Discovering such unusually named subdomains is a critical skill that every bug hunter should possess today.
  • For large organizations, it reveals which services they have exposed to the internet.
More subdomains = more assets to look for vulnerabilities 🐞

⚠ Common misconception about "subdomain"

A Fully Qualified Domain Name (FQDN) is the complete domain name for a specific computer, or host, on the internet.
An FQDN looks like this:
myhost.example.com. ----> Fully Qualified Domain Name
myhost ----> the host located within the domain example.com (subdomain)
Strictly speaking, what web-probing tools return for names like the above are not the subdomains themselves: they are links to web applications hosted on ports 80 and 443 of the respective hosts. Most people have the misconception that only these are the subdomains of a particular target.
Consider an example: admin.example.com is a subdomain on which no web service may exist on ports 80 and 443. This means that when we send admin.example.com to httpx/httprobe (tools that check whether a web app is running on ports 80/443), it will return no output.
That does not mean admin.example.com is not a valid subdomain of the root domain example.com. There may be web services hosted on it on non-default ports (other than 80/443), and there may be other vulnerable services running on the subdomain whose exploits are publicly available. In such a case it is always better to DNS resolve the subdomain first rather than web probing it directly.

Moral of the story:

The methodology of collecting subdomains from tools like amass, subfinder and findomain and sending them directly to httpx/httprobe is absolutely wrong ❌. Instead, you should first DNS resolve them using tools like puredns or shuffledns.
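The "resolve first, probe second" step described above, as an added example that is not code from the original guide or from any of the tools it names. It takes a raw candidate list as amass or subfinder would emit it, normalises and deduplicates the names, DNS resolves each one, and keeps every name that resolves as an asset, whether or not anything listens on ports 80/443; only that resolved set is what you would then hand to httpx or httprobe. The `resolve` callable is pluggable: `system_resolve` uses the OS resolver via `socket.getaddrinfo`, while the demo below runs offline against a constructed in-memory zone whose names and addresses are made up (example.com is a reserved documentation domain).

```python
"""Resolve a candidate subdomain list before web-probing it.

Added example, not code from the original guide. The `resolve` callable is
pluggable so the demo runs offline against a constructed zone; in real use
pass `system_resolve`, which queries the OS resolver.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

# Constructed sample zone for offline demonstration. Every record is made up.
# Note that admin.example.com resolves even though (in this scenario) nothing
# serves HTTP on 80/443 there, so a web prober alone would silently drop it.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.1"],
    "admin.example.com": ["192.0.2.10"],
    "legacy-ftp.example.com": ["198.51.100.7"],
    "mail.example.com": ["2001:db8::25"],
    # "old-staging.example.com" is deliberately absent: a dead name.
}


def zone_resolve(zone: Dict[str, List[str]]) -> Resolver:
    """Build a resolver that answers only from a constructed in-memory zone."""
    def _resolve(name: str) -> List[str]:
        return list(zone.get(name, []))
    return _resolve


def system_resolve(name: str) -> List[str]:
    """Resolve A/AAAA records with the OS resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    # getaddrinfo returns (family, type, proto, canonname, sockaddr); the
    # address is the first element of sockaddr for both IPv4 and IPv6.
    return sorted({info[4][0] for info in infos})


@dataclass
class Triage:
    resolved: Dict[str, List[str]] = field(default_factory=dict)
    unresolved: List[str] = field(default_factory=list)


def normalise(raw: str) -> str:
    """Lower-case a name and strip whitespace and a trailing root dot."""
    return raw.strip().rstrip(".").lower()


def triage(candidates: Iterable[str], resolve: Resolver) -> Triage:
    """Split candidate names into those that resolve (assets) and those that do not.

    Every resolved name is kept regardless of whether it serves a web app; an
    unresolved name is noise from the enumeration tools and is reported
    separately rather than discarded, so it can be reviewed.
    """
    out = Triage()
    seen = set()
    for raw in candidates:
        name = normalise(raw)
        if not name or name in seen:
            continue
        seen.add(name)
        addrs = resolve(name)
        if addrs:
            out.resolved[name] = addrs
        else:
            out.unresolved.append(name)
    return out


def web_probe_input(result: Triage) -> List[str]:
    """The list that should go to httpx/httprobe: resolved names only, sorted."""
    return sorted(result.resolved)


if __name__ == "__main__":
    # Constructed enumeration output: mixed case, trailing dot, duplicate, dead name.
    candidates = [
        "www.example.com",
        "ADMIN.example.com.",
        "old-staging.example.com",
        "www.example.com",
        "legacy-ftp.example.com",
    ]
    result = triage(candidates, zone_resolve(CONSTRUCTED_ZONE))
    for name, addrs in result.resolved.items():
        print(f"resolved   {name:28s} {', '.join(addrs)}")
    for name in result.unresolved:
        print(f"unresolved {name}")
    print("web probe input:", web_probe_input(result))
```

To use it against live names, replace `zone_resolve(CONSTRUCTED_ZONE)` with `system_resolve`; at scale you would still prefer puredns or shuffledns, which add wildcard filtering and rate-limited mass resolution that this single-threaded sketch does not attempt.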