Passive Sources
What is passive subdomain enumeration?
Passive subdomain enumeration is a technique to query for passive DNS datasets provided by services like SecurityTrails, Censys, Shodan, BinaryEdge, VirusTotal, Whoisxmlapi, etc. to obtain the subdomains of a particular target. Here we don't send any active probes to our target, instead passively try to scrape information available from the internet.
There are in total around 90 passive DNS sources/services that provide such datasets to query them. It's difficult to manually query these third-party services thus, to ease this process various tools are developed which automate these processes.
It's highly recommended to read this section first, before proceeding further.
Passive DNS enumeration tools
Internet Archive
Github Scraping
GitLab Scraping
A) Passive DNS gathering tools
1) Amass
Language: Go
Total Passive Sources: 82
Amass is a Swiss army knife for subdomains enumeration that outperforms passive enumeration the best. Amass queries the most number of third-party services which results in more subdomains of a particular target. These are passive services that amass queries.
Since amass written in Go, you need your Go environment properly set up(Steps to setup Go environment)
Installation:
Setting up Amass config file:
Link to my amass config file for reference.
To make it possible for Amass to query the passive DNS datasets, it necessary for us to setup the API keys of those services in the Amass configuration file.
By default, amass config file is located at
$HOME/.config/amass/config.ini
To get to know to create API keys, check out this article.
Now let's set up our API keys in the
config.iniconfig file.Open the config file in a text editor and then uncomment the required lines and add your API keys.
Refer to my config file(this is exactly how your amass config file should be)
Running Amass:
After setting up API keys now we are good to run amass.
Flags:-
enum - Perform DNS enumeration
passive - passively collect information through the data sources mentioned in the config file.
config - Specify the location of your config file (default:
$HOME/.config/amass/config.ini)o - Output filename
2) Subfinder
Author: projectdiscovery
Language: Go
Total Passive Sources: 38
Subfinder is yet another great tool that one should have in their pipeline. There are some unique sources that subfinder queries for, that amass doesn't. This tool is been developed by the famous ProjectDiscovery team, who's tools are used by every other bugbounty hunter.
Installation:
Setting up Subfinder configuration file:
Subfinder's default config file location is at
$HOME/.config/subfinder/provider-config.yamlAfter your first installation, if you didn't find the configuration file populated by default run the following command again
subfinderin order to get it generated.The subfinder config file follows YAML(YAML Ain't Markup Language) syntax. So, you need to be careful that you don't break the syntax. It's better that you use a text editor and set up syntax highlighting.
Example config file:-
Link to my subfinder config file for reference.
Some passive sources like
Censys,PassiveTotaluse 2 keys in combination in order to authenticate a user. For such services, both values need to be mentioned with a colon(:) in between them. (Check how have I mentioned the "Censys" source values-APP-id:Secretin the below example )Subfinder automatically detects its config file only if at the default position.
Running Subfinder:
Flags:-
d - Specify our target domain
all - Use all passive sources (slow enumeration but more results)
config - Config file location
3) Assetfinder
Author: tomnomnom
Language: Go
Total passive sources: 9
Running:
4) Findomain
Author: Edu4rdSHL
Language: Rust
Total Passive sources: 21
Findomain is one of the standard subdomain finder tools in the industry. Another extremely fast enumeration tool. It also has a paid version that offers much more features like subdomain monitoring, resolution, less resource consumption.
Installation:-
Depending on your architecture download binary from here
Configuration:-
You need to define API keys in your
.bashrcor.zshrc.Findomain will pick up them automatically.
Running Findomain:
Flags:-
t - Target domain
u - Output file
B) Internet Archives
Internet Archives deploy their own web crawlers and indexing systems that crawl each website on the internet. Hence, they have historical data of all the websites that once existed. hence, Internet Archives can be a useful source to grab subdomains of a particular target that once existed and later perform permutations(more on this later) on them to get more valid subdomains.
Internet Archive when queried gives back URLs. Since we are only concerned with the subdomains, we need to process those URLs to grab only unique FQDN subdomains from them.
For this, we use a tool called unfurl. This tool helps to extract the domain name from a list of URLs.
5) Gau
Author: lc
Language: Go
Gau works by querying all the above 4 internet archive services and grabs all the URLs that their internet-wide crawler had once crawled. So through this process we get tons of URL's belonging to our target that once existed. After collecting the URLs we extract only the domain/subdomain part from those URLs.
Installation:
Running gauplus:
Flags:
threads - How many workers to spawn
subs - Include subdomains of the target domain
6) Waybackurls
Author: tomnomnom
Language: Go
Waybackurls works similar to Gau, but I have found that it returns some unique data that Gau couldn't find. Hence, we need to include waybackurls in our arsenal.
Installation:
Running Waybackurls:
C) GitHub Scraping
7) Github-subdomains
Author: gwen001
Language: Go
Organizations sometimes host their source code on GitHub, also employees working at these organizations sometimes leak the source code on GitHub. Additionally, I have came around instances where security researchers host their reconnaissance data in public repositories. The tool Github-subdomains can help you extract these exposed/leaked subdomains of your target from GitHub.
Installation:
For github-subdomains to scrap domains from GitHub you need to specify a list of GitHub access tokens.
Here is an article on how you can generate your GitHub access tokens.
These access tokens are used by the tool to perform searches and find subdomains on behalf of you.
I always prefer that you make at least 10 tokens from 3 different accounts(30 in total) to avoid rate limiting.
Specify 1 token per line.
Running github-subdomains:
Flags:
d - target
t - file containing tokens
o - output file
D) Rapid7 Project Sonar dataset(depreciated)
Project Sonar is a security research project by Rapid7 that conducts internet-wide scans. Rapid7 has been generous and made this data freely available to the public. Project Sonar contains 8 different datasets with a total size of over 66.6 TB which are updated on a regular basis. You can read here how you can parse these datasets on your own using this guide.
This internet-wide DNS dataset could be an excellent resource for us to grab our subdomains right? But querying such large datasets could take up significant time. That's when Crobat comes to the rescue.
8) Crobat
Author: Cgboal
Language: Go
Cgboal has done an excellent work of parsing and indexing the whole Rapid7 Sonar dataset into MongoDB and creating an API to query this database. This Crobat API is freely available at https://sonar.omnisint.io/.More over he developed a command-line tool that uses this API and returns the results at a blazing fast speed.
Installation:
Running:
Flags:
s - Target Name
Liked my work? Don't hesitate to buy me a coffee XDD
Last updated
Was this helpful?