Subdomain enumeration is a process carried out during external Red Teaming (https://www.dsecured.com/en/cyber-security-glossary/red-teaming), specifically in the reconnaissance phase. Here, the attacker tries to learn as much as possible about a company's attack surface. This includes domains and subdomains: the attacker enumerates a company's subdomains using various methods, such as search engines, DNS queries, certificates, and websites. Finding all relevant subdomains seems trivial but is actually a relatively complex process that requires considerable experience and knowledge. The found
What is a Subdomain?
"dsecured.com" is the domain. "www" would be the subdomain - so "www.dsecured.com". Something like "jira.backup-1.us-east-1.tesla.com" is also a valid subdomain - and it reveals quite a bit about the structure of the underlying infrastructure. In this specific case, the subdomain probably hosts a Jira instance, likely some kind of (first) backup instance in the Amazon AWS region "us-east-1". The domain "tesla.com" is the root domain.
What is passive subdomain enumeration?
Passive methods of subdomain enumeration are those that do not contact the target's infrastructure directly. Instead, publicly accessible information and databases are used to find subdomains of a target domain. APIs such as Censys, SecurityTrails, or RecordedFuture are also very good sources for subdomains, as are Certificate Transparency logs. Less well known, because they are difficult to automate, are search engines of all kinds, from Google and Bing to specialized search engines like Shodan or GitHub.
What is active subdomain enumeration?
Active methods of subdomain enumeration are the opposite of passive methods: here, you send packets to the target to find out whether a candidate is a valid subdomain. Wordlists, like those from SecLists, are used for brute forcing. Tools like massdns allow hundreds of thousands of candidate subdomains to be resolved quickly.
Active methods like HTTP responses or DNS data
Another, very active source of subdomains is fuzzing for files and folders; JavaScript files in particular often contain hostnames that you would not find otherwise. The same applies to analyzing HTTP headers and CNAME and NS records - these data often hide additional subdomains.
Permutations and Alterations
Alterations are another active method: known subdomains are modified and then resolved to see whether the variants exist. This is very time-consuming but often yields very good results, especially for subdomains that do not have SSL certificates and therefore often stay under the radar of passive methods. As an example, take the domain "jira1.domain.com": during the alteration process, it could be checked whether "jira2.domain.com" or "jira3.domain.com" exist.
Tools and Sources for Subdomains
Below you'll find a list of known tools and sources for subdomains.
- Software: subfinder
- Software: amass
- Software: findomain
- Software: assetfinder
- Software: gau
- Software: waybackurls
- Cert Logs: crt.sh
- Cert Logs: google.com
- Cert Logs: facebook.com
- General: dnsdumpster.com
- General: Rapid7
How to handle wildcard domains?
An essential part of subdomain enumeration is dealing with wildcard domains. These bring their own problems, because virtually every subdomain resolves. To shed light on this, you need to switch to active methods and send HTTP requests to the subdomains; you can then decide based on the response whether the subdomain is relevant (or unique). What sounds trivial is anything but simple.
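As an added example (not from the original page or from dsecured), the following Python combines the two active steps described above: it derives alterations of a known subdomain (jira1 -> jira2, jira3, jira1-dev, ...) and resolves them, first probing random labels so that answers that merely hit a wildcard record are discarded. The resolver is injected; the zone data and the affix list are constructed for an offline run, and in live use the resolver would be a thin wrapper around socket.gethostbyname that returns None on socket.gaierror.

```python
import random
import re
import string
from typing import Callable, Dict, Iterable, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None if it does not resolve
NUMBER_RE = re.compile(r"^(?P<stem>.*?)\d+$")
AFFIXES = ("dev", "staging", "backup", "old", "test")  # constructed affix list


def alterations(subdomain: str, root: str, max_num: int = 3) -> List[str]:
    """Derive candidates from a known name: jira1.x -> jira2.x, jira1-dev.x, ..."""
    label = subdomain[: -len(root) - 1]  # strip the ".root" suffix
    first, _, rest = label.partition(".")  # only the leftmost label is altered
    tail = f".{rest}" if rest else ""
    m = NUMBER_RE.match(first)
    stem = m["stem"] if m else first  # jira1 -> jira, otherwise keep the label
    cands = {f"{stem}{n}{tail}.{root}" for n in range(1, max_num + 1)}
    for affix in AFFIXES:
        cands.add(f"{first}-{affix}{tail}.{root}")
        cands.add(f"{affix}-{first}{tail}.{root}")
        cands.add(f"{affix}.{first}{tail}.{root}")
    cands.discard(subdomain)
    return sorted(cands)


def wildcard_answers(root: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels under root; any answer reveals a wildcard record."""
    labels = ("".join(random.choices(string.ascii_lowercase, k=16)) for _ in range(probes))
    return {ip for ip in (resolve(f"{lbl}.{root}") for lbl in labels) if ip}


def resolve_alterations(known: Iterable[str], root: str, resolve: Resolver) -> Dict[str, str]:
    """Resolve every alteration and drop answers that only hit the wildcard."""
    wild = wildcard_answers(root, resolve)
    found: Dict[str, str] = {}
    for sub in known:
        for cand in alterations(sub, root):
            ip = resolve(cand)
            if ip and ip not in wild:
                found[cand] = ip
    return found


# Constructed zone for the offline demo: *.example.com is a wildcard answering
# 203.0.113.9; only jira1, jira2 and jira1-dev have records of their own.
FAKE_ZONE = {"jira1.example.com": "198.51.100.10", "jira2.example.com": "198.51.100.11",
             "jira1-dev.example.com": "198.51.100.12"}


def fake_resolve(host: str) -> Optional[str]:
    return FAKE_ZONE.get(host) or ("203.0.113.9" if host.endswith(".example.com") else None)
```

Filtering on the wildcard IP is only the DNS-level first pass; as the section above notes, hosts that share the wildcard address still have to be told apart by their HTTP responses.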
Who offers professional subdomain enumeration?
Professional subdomain enumeration is offered by us as part of OSINT and our Argos Security Platform (https://www.dsecured.com/en/argos-security-platform). This is an External Attack Surface Management solution that searches the internet for new subdomains every day and actively looks for new subdomains. The results are presented in a clear web interface and can also be integrated into other tools.