Increasing attack surface – Subdomain Discovery Techniques

Reconnaissance, or information gathering, is the crucial first phase of attacking an application: the more information we have at hand, the better the chances that an attack or exploit succeeds. One technique that reliably widens the scope of a target is discovering the subdomains that belong to it. In this article we look at some of the quick techniques and services that are available. All content published on this site is for educational purposes only.

Although we do not cover it here, it is worth mentioning that there are free online services that scan a target and report whether any of its subdomains is misconfigured (for example, a DNS record still pointing at a decommissioned third-party service) and could be taken over.

Google Dorks : Google supports various search operators that allow users to narrow down and pinpoint search results. For instance, the site: operator limits Google to results from a specific domain.

site:abc.com – returns every indexed page under the abc.com domain, including its subdomains, that is present in Google's search results

site:abc.com -site:www.abc.com – excludes the main www host, leaving the other subdomains of abc.com that appear in Google's search results. Repeating the exclusion for each subdomain found (e.g. adding -site:mail.abc.com) surfaces the less common ones.

VirusTotal & Netcraft : These are free online services with various useful features, one of which is listing the subdomains of a domain. I prefer VirusTotal, which produces a clean list alongside results from other services and tools.

DNS zone transfer : A zone transfer (AXFR) is the process of copying a zone file from one DNS server to another. Every domain has its own DNS and mail servers, and the zone file contains the list of DNS names configured for that zone; it is normally transferable only between the primary (master) and secondary (slave) name servers. If a name server is misconfigured to answer AXFR requests from any client, an external user can request the zone file and obtain the full network layout, leaking all subdomains and their IP addresses. The request has to be made against each authoritative name server separately, since one may be locked down while another is not.
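The check described above, as an added example that is not code from the original article: it drives the real dig binary (dig @nameserver axfr domain) and parses dig's text output, so the same parser can be run over a saved capture. The sample output below is constructed for the reserved domain example.com with documentation addresses from 192.0.2.0/24; the name servers, hosts and a refused transfer are all assumptions made for the illustration.

```python
"""Check a name server for an open zone transfer (AXFR) and list what leaks."""
from __future__ import annotations

import re
import shutil
import subprocess
import sys
from collections import defaultdict

# One resource record as dig prints it: NAME TTL IN TYPE RDATA
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def axfr(domain: str, nameserver: str, timeout: int = 10) -> str:
    """Run `dig +time=T +tries=1 @nameserver axfr domain` and return its stdout."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install dnsutils / bind-utils")
    proc = subprocess.run(
        ["dig", f"+time={timeout}", "+tries=1", f"@{nameserver}", "axfr", domain],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def transfer_allowed(output: str) -> bool:
    """dig closes a successful AXFR with an ';; XFR size:' footer and reports a
    refused or failed one with '; Transfer failed.' and no records."""
    return "Transfer failed." not in output and "XFR size" in output


def parse_axfr(output: str, domain: str) -> dict[str, list[tuple[str, str]]]:
    """Map every name inside `domain` to its (TYPE, RDATA) records.
    Comment lines (';') and out-of-zone names are skipped; the duplicate
    closing SOA that dig prints is folded into the apex entry."""
    apex = domain.rstrip(".").lower() + "."
    hosts: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        if name != apex and not name.endswith("." + apex):
            continue
        rec = (m.group("type"), m.group("data").strip())
        host = name.rstrip(".")
        if rec not in hosts[host]:
            hosts[host].append(rec)
    return dict(hosts)


def leaked_hosts(output: str, domain: str) -> list[tuple[str, str]]:
    """(hostname, address) pairs for A/AAAA records, apex excluded and sorted:
    exactly the list a brute forcer would otherwise have to guess."""
    apex = domain.rstrip(".").lower()
    return sorted(
        (host, data)
        for host, recs in parse_axfr(output, domain).items()
        for rtype, data in recs
        if rtype in ("A", "AAAA") and host != apex
    )


# Constructed capture of a successful transfer (not real dig output).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> +time=10 +tries=1 @ns1.example.com axfr example.com
;; global options: +cmd
example.com.        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns2.example.com.
example.com.        3600 IN MX  10 mail.example.com.
ns1.example.com.    3600 IN A   192.0.2.1
ns2.example.com.    3600 IN A   192.0.2.2
mail.example.com.   3600 IN A   192.0.2.25
www.example.com.    3600 IN A   192.0.2.80
dev.example.com.    3600 IN A   10.0.0.12
vpn.example.com.    3600 IN A   192.0.2.200
example.com.        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 20 msec
;; XFR size: 11 records (messages 1, bytes 318)
"""

# Constructed capture of a server that refuses AXFR.
REFUSED_AXFR = """\
; <<>> DiG 9.18.1 <<>> +time=10 +tries=1 @ns2.example.com axfr example.com
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live:  python axfr_check.py example.com ns1.example.com
        domain, out = sys.argv[1], axfr(sys.argv[1], sys.argv[2])
    else:                   # offline walk-through of the constructed capture
        domain, out = "example.com", SAMPLE_AXFR
    if not transfer_allowed(out):
        print(f"{domain}: zone transfer refused")
    for host, ip in leaked_hosts(out, domain):
        print(f"{host:<24} {ip}")
```

Run it against each NS record of the target in turn; in the constructed sample ns1 hands out the whole zone, including the internal 10.0.0.12 address of dev.example.com, while ns2 refuses.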

Automated tools : A number of automated tools discover subdomains either by brute forcing names from a wordlist or by automating the lookups described above. Examples include subbrute, Gobuster (its dns mode), Nmap (the dns-brute script), etc. When brute forcing, watch out for wildcard DNS: a zone that answers for any name makes every guess look like a hit unless those answers are filtered out.
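The core of what the brute-forcing tools above do, written out as an added example (not the code of subbrute, Gobuster or Nmap): resolve each wordlist entry under the target domain in parallel, after first probing random labels to learn whether the zone is a wildcard, so that wildcard answers are not reported as discoveries. The resolver is pluggable; the default uses the operating system resolver, while the fake zone and wordlist below are constructed for an offline run and are assumptions of this example.

```python
"""Wordlist subdomain brute force with wildcard detection."""
from __future__ import annotations

import secrets
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, Optional

# A resolver maps a hostname to an address, or None when it does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the OS resolver (live use)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> set[str]:
    """Resolve random labels that cannot be real; any address they return is
    a wildcard answer and must be discounted from brute-force hits."""
    addrs: set[str] = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip:
            addrs.add(ip)
    return addrs


def brute_force(domain: str, words: Iterable[str],
                resolve: Resolver = system_resolve, workers: int = 20) -> dict[str, str]:
    """Return {subdomain: address} for wordlist entries that resolve to an
    address other than the zone's wildcard answers. Real hosts that share
    the wildcard address are dropped too; that is the usual trade-off."""
    wildcard = detect_wildcard(domain, resolve)
    candidates = [f"{w.strip().lower()}.{domain}"
                  for w in words if w.strip() and not w.startswith("#")]
    found: dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for name, ip in zip(candidates, pool.map(resolve, candidates)):
            if ip and ip not in wildcard:
                found[name] = ip
    return found


# Constructed zone for an offline demonstration (not a real domain's data).
FAKE_ZONE = {
    "www.example.com": "192.0.2.80",
    "mail.example.com": "192.0.2.25",
    "dev.example.com": "10.0.0.12",
}
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "admin", "# comment line"]


def fake_resolve(name: str) -> Optional[str]:
    """Resolver for a zone without a wildcard record."""
    return FAKE_ZONE.get(name)


def fake_wildcard_resolve(name: str) -> Optional[str]:
    """Same zone, but *.example.com answers with 192.0.2.99."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return "192.0.2.99" if name.endswith(".example.com") else None


if __name__ == "__main__":
    for label, resolver in (("plain zone", fake_resolve), ("wildcard zone", fake_wildcard_resolve)):
        print(f"[{label}] wildcard answers: {detect_wildcard('example.com', resolver) or 'none'}")
        for host, ip in sorted(brute_force("example.com", WORDLIST, resolve=resolver).items()):
            print(f"  {host:<20} {ip}")
```

Against the wildcard zone, staging, vpn and admin all resolve, yet only the three real hosts are reported; without the probe step every wordlist entry would appear to exist. For a live run, pass a real domain and leave the default resolver in place (or swap in one that queries the target's authoritative servers directly to avoid cached negatives).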