
How to discover hidden subdomains on any website with Subfinder «Null Byte :: WonderHowTo



When approaching a target, a precise and detailed plan of attack is imperative. One of the main goals is to increase the attack surface, because the more opportunities there are for exploitation, the greater the chances of success. Subdomain enumeration is one method of increasing the attack surface, and we will use a tool called Subfinder to discover hidden subdomains.

Overview of the subdomain enumeration

The enumeration of subdomains is an indispensable, often overlooked part of the reconnaissance phase. It is basically the process of finding subdomains for a specific domain or set of domains. This enumeration can often reveal many subdomains that are hidden or not obviously exposed to the public. Also, the likelihood of finding vulnerabilities in forgotten resources is generally much higher than in those that are more frequently used and maintained.

Things like admin panels, staging sites, and other internal resources are often found in subdomains of the target. The thought is that if it's not on the main page then it can't be found – this couldn't be further from the truth. As we will soon find out, it is trivial for attackers to uncover hidden subdomains, enlarge the attack surface and possibly find additional vulnerabilities or other important information.

There are a variety of methods that attackers can use to enumerate subdomains of a target. One method uses certificate transparency logs to obtain information about existing subdomains. This can be a stealthy approach, since it never touches the target directly, but the downside is that sometimes it doesn't return many results.

Another popular way to enumerate subdomains is through passive reconnaissance sources. Sublist3r used to be the go-to tool for this kind of reconnaissance, but it hasn't evolved much recently and has since fallen out of favor with many security professionals.

Fortunately, Subfinder can fill that void. It is written in the Go programming language and is simple, lightweight and optimized for speed. The code base is modular, so you can easily contribute to it and build on it. Support for stdin and stdout makes workflow integration effortless.

Install subfinder

In order to start with Subfinder, Go must be installed on our system. The easiest way to do this is through the package manager:

~# apt install golang

Next we can download the latest version from GitHub:

~# wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz

--2020-09-28 14:20:28--  https://github.com/projectdiscovery/subfinder/releases/download/v2.4.5/subfinder_2.4.5_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-09-28 14:20:28--  https://github-production-release-asset-2e65be.s3.amazonaws.com/127519518/40182b80-ff6f-11ea-88c9-501330b47615?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200928%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200928T192028Z&X-Amz-Expires=300&X-Amz-Signature=840414749207876b50c712ca386d8bfd3594a60419a4ff379684652065d9fc0a&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=127519518&response-content-disposition=attachment%3B%20filename%3Dsubfinder_2.4.5_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.26.20
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.26.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3892616 (3.7M) [application/octet-stream]
Saving to: ‘subfinder_2.4.5_linux_amd64.tar.gz’

subfinder_2.4.5_linux_amd64.tar.gz        100%[=====================================================================================>]   3.71M  6.80MB/s    in 0.5s

2020-09-28 14:20:29 (6.80 MB/s) - ‘subfinder_2.4.5_linux_amd64.tar.gz’ saved [3892616/3892616]

And extract it into our current working directory:

~# tar xzf subfinder_2.4.5_linux_amd64.tar.gz

Then we can move the binary to a directory in our path so we can run it from anywhere:

~# cp subfinder /usr/local/bin/

Now we can easily run Subfinder from anywhere on our system:

~# subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Configuration file saved to /root/.config/subfinder/config.yaml
[FTL] Program exiting: no input list provided

Use the -h flag to show usage and help information:

~# subfinder -h

Usage of subfinder:
  -all
        Use all sources (slow) for enumeration
  -cd
        Upload results to the Chaos API (api-key required)
  -config string
        Configuration file for API Keys, etc (default "/root/.config/subfinder/config.yaml")
  -d string
        Domain to find subdomains for
  -dL string
        File containing list of domains to enumerate
  -exclude-sources string
        List of sources to exclude from enumeration
  -json
        Write output in JSON lines Format
  -ls
        List all available sources
  -max-time int
        Minutes to wait for enumeration results (default 10)
  -nC
        Don't Use colors in output
  -nW
        Remove Wildcard & Dead Subdomains from output
  -o string
        File to write output to (optional)
  -oD string
        Directory to write enumeration results to (optional)
  -oI
        Write output in Host,IP format
  -oJ
        Write output in JSON lines Format
  -r string
        Comma-separated list of resolvers to use
  -rL string
        Text file containing list of resolvers to use
  -recursive
        Use only recursive subdomain enumeration sources
  -silent
        Show only subdomains in output
  -sources string
        Comma separated list of sources to use
  -t int
        Number of concurrent goroutines for resolving (default 10)
  -timeout int
        Seconds to wait before timing out (default 30)
  -v    Show Verbose output
  -version
        Show version of subfinder

A useful feature of Subfinder is that API keys from a variety of services can be used for more thorough enumeration. The configuration file is created automatically the first time Subfinder is run and is usually located in the home directory:

~# nano ~/.config/subfinder/config.yaml

If you scroll down there is a section where API keys can be entered:

binaryedge: example-api-key-goes-here-1a2b3c4d
censys: []
certspotter: []
chaos: []
dnsdb: []
github: []
intelx: []
passivetotal: []
recon: []
robtex: []
securitytrails: []
shodan: []
spyse: []
threatbook: []
urlscan: []
virustotal: []
zoomeye: []
subfinder-version: ""

After everything is configured, let's list some subdomains.

Find subdomains with subfinder

The easiest way to use Subfinder is to give it a single domain to enumerate with the -d flag:

~# subfinder -d wonderhowto.com

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
piano.wonderhowto.com
hobbies-toys.wonderhowto.com
actionscript.wonderhowto.com
potato-gun.wonderhowto.com
techhutus.wonderhowto.com
wealth.wonderhowto.com
oldrepublic.wonderhowto.com

...

zines.wonderhowto.com
pilates.wonderhowto.com
lifestylewebtv.wonderhowto.com
canning.wonderhowto.com
magic-the-gathering.wonderhowto.com
ls1www.wonderhowto.com
[INF] Found 1018 subdomains for wonderhowto.com in 5 seconds 901 milliseconds

You can see how fast this is: just over a thousand subdomains discovered in under six seconds. To add detail and list the source each subdomain came from, we can add the -v flag:

~# subfinder -d wonderhowto.com -v

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[hackertarget] djbyron200.wonderhowto.com
[hackertarget] rat-pack-election-10.wonderhowto.com
[hackertarget] xbox-360.wonderhowto.com
[hackertarget] wizard101.wonderhowto.com
[hackertarget] fifa-11.wonderhowto.com
[hackertarget] tech911.wonderhowto.com

...

Sometimes being able to hide everything but the results is also useful, especially for scripting and automation. Just use the -silent flag to output only the subdomains found:

~# subfinder -d wonderhowto.com -silent

embird.wonderhowto.com
php.wonderhowto.com
adobe-fireworks.wonderhowto.com
medical-diagonosis.wonderhowto.com
paralympic.wonderhowto.com
lifeschool.wonderhowto.com

...

We can also save the results to an output file for later use with the -o flag:

~# subfinder -d wonderhowto.com -o results.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ceramics.wonderhowto.com
motocross.wonderhowto.com
cricket.wonderhowto.com
3ds-max.wonderhowto.com

...

Subfinder can also use a list of domains for enumeration. Use the -dL flag followed by a file containing the list of domains, one per line:

~# subfinder -dL subs.txt

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
australia.wonderhowto.com
bridge.wonderhowto.com
scavenger-hunt.wonderhowto.com

...

Alternatively, we can pipe the list to Subfinder on stdin:

~# cat subs.txt | subfinder

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
ediblesinjars.wonderhowto.com
www.googleplus.wonderhowto.com

...
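The -silent, -dL and stdin options above are what make Subfinder fit into automation. The following script is an added example (not from the article or the Subfinder project) of a defender-side use: it runs Subfinder quietly over a domain list, normalises the output, and diffs it against the previous run so that newly appeared or vanished subdomains stand out. It assumes subfinder is on the PATH, the list lives in subs.txt (the file name used above), and a baseline/ directory holds the last run.

```shell
#!/bin/sh
# Added example, not part of the Null Byte article or the subfinder project.
# Assumptions: subfinder on PATH; domain list in subs.txt; baseline/ directory.
set -eu

# Normalise a host list read from stdin so two runs compare line by line:
# lowercase, strip trailing dots, sort and de-duplicate (comm needs sorted input).
normalize() {
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# Enumerate every domain in a list file with subfinder's quiet output
# (-silent: hosts only, -nC: no colour codes) and normalise the result.
enumerate() {
    subfinder -dL "$1" -silent -nC | normalize
}

# Hosts present in the current run but absent from the baseline:
# new exposure that nobody may have reviewed yet.
new_subdomains() {
    comm -13 "$1" "$2"
}

# Hosts in the baseline that are no longer reported: candidates for
# dangling DNS records that deserve a second look.
gone_subdomains() {
    comm -23 "$1" "$2"
}

main() {
    list="${1:-subs.txt}"
    dir="${2:-baseline}"
    mkdir -p "$dir"
    touch "$dir/previous.txt"
    enumerate "$list" > "$dir/current.txt"
    echo "== new since last run =="
    new_subdomains "$dir/previous.txt" "$dir/current.txt"
    echo "== no longer reported =="
    gone_subdomains "$dir/previous.txt" "$dir/current.txt"
    mv "$dir/current.txt" "$dir/previous.txt"
}

# Run the monitoring pass only when subfinder is actually installed;
# otherwise the file just defines the functions above.
if command -v subfinder >/dev/null 2>&1; then
    main "$@"
fi
```

Run it from cron after the first pass has populated baseline/previous.txt; every later pass prints only the delta.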

By default, Subfinder only uses some of its sources to discover hidden subdomains, trading thoroughness for speed. However, we can tell the tool to use all sources with the -all option:

~# subfinder -d wonderhowto.com -all

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
canon5d.wonderhowto.com
teaching.wonderhowto.com
sailing.wonderhowto.com

...

odd.wonderhowto.com
oneplus.wonderhowto.com
fw3.www.wonderhowto.com
[INF] Found 1040 subdomains for wonderhowto.com in 1 minute 400 milliseconds

As you can see, it takes a little longer, but it returned a few more results. To conveniently view all the sources this tool can use, use the -ls flag:

~# subfinder -ls

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Current list of available sources. [35]
[INF] Sources marked with an * needs key or token in order to work.
[INF] You can modify /root/.config/subfinder/config.yaml to configure your keys / tokens.

alienvault
anubis
archiveis
binaryedge *
bufferover
cebaidu
censys
certspotter *
certspotterold
chaos *
commoncrawl
crtsh
dnsdumpster
dnsdb *
github *
hackertarget
ipv4info
intelx
passivetotal
rapiddns
riddler
recon *
robtex *
securitytrails *
shodan *
sitedossier
spyse *
sublist3r
threatbook *
threatcrowd
threatminer
virustotal *
waybackarchive
ximcx
zoomeye

As can be seen from the output, sources marked with an asterisk require an API key or token to function properly. To select which sources to use during a scan, the -sources switch can be used:

~# subfinder -d wonderhowto.com -v -sources alienvault,censys,zoomeye

        _     __ _         _
____  _| |__ / _(_)_ _  __| |___ _ _
(_-< || | '_   _| | ' / _  / -_) '_|
/__/_,_|_.__/_| |_|_||___,____|_| v2.4.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for wonderhowto.com
[alienvault] i.wonderhowto.com
[alienvault] img.wonderhowto.com
[alienvault] about-technology.wonderhowto.com
[alienvault] computer-pranks.wonderhowto.com

...

Wrap up

In this tutorial, we learned about subdomain enumeration and how it can be useful for penetration testers and hackers to increase the total attack surface. First we installed and configured Subfinder on our system. We then went through some of the options this tool offers, including enumerating multiple domains, customizing the output, and using API keys to improve the results. Pretty easy, right?


Cover photo by Mauricio Mascaro / Pexels
