Welcome to webs3c, today let’s discuss subdomain enumeration methodology.
In general, we do 3 step DNS enumeration for subdomains
Through these processes, different hunters use different tools, wordlist, and methodologies. The reason I created this topic is to know how you do subdomain enumeration and if we can improve our methodology together!
- Do you perform all passive, active & permuted enumeration
- Which tools do you use for each process
- Which wordlist you use is it public or your own custom wordlist
- Do you monitor for new subdomains
- How much time do you spend in general on subdomain enumeration
Let’s start with mine, I do all passive, active & permuted enumeration
for passive enumeration, I use Assetfinder, Subfinder, Amass, Findomain
for active enumeration, I use Puredns & Dmut for permuted enumeration
and FFUF for fuzzing over interesting pattern
generally, I use all.txt, I tried to build target-specific wordlist and subdomain monitoring but ended up getting too many junks. currently experimenting with this effective custom wordlist and subdomain monitoring process
I spend a good amount of time over DNS enumeration. I recheck all valid subdomains if I can approach for 3rd or 4th level subdomains.
example: if I have demo-stag.sub.site.com I try to fuzz at the demo with other similar words FUZZ-stag.sub.site.com may lead admin-stag.sub.site.com
to be honest it’s so hard to manually look over subdomains for an interesting pattern. but I found many vulns by just playing with the names!