Subdomain Enumeration (2024)

I. Introduction

Most, if not all, domains operate subdomains as a way of facilitating their operations and improving users' experience on their sites, especially as their activity expands. A subdomain is a separate domain that is part of the main domain (or of another domain). Usually it is a prefix added to a domain name to separate a section of the main website. The creation and registration of a subdomain may become necessary when a website section expands in a way that affects users' experience and host performance. Subdomains enable website owners to properly manage the hierarchical contents of extensive sections of their activities, especially when it comes to ecommerce, mobile platform services, localized services, support services and so on. Knowing all the subdomains of a given domain is important because threats capable of affecting the normal operations of the main domain may be hidden in a subdomain. It is largely for this reason that the subdomains of the main domain are enumerated. In this brief report I will discuss subdomain enumeration and its importance. I will also consider some tools used for the enumeration of subdomains.

II. Subdomain Enumeration Defined

Subdomain enumeration can be defined as the process of listing or identifying all subdomains for a given domain. In other words, it is the practice of finding subdomains for one or more domains. Enumerating the subdomains of a domain is a useful practice in the sense that it identifies potential targets for an eventual attack. It could as well be done purely for organizational purposes. Subdomain enumeration can be performed passively or actively, using manual and automated tools.

III. Importance of Subdomain Enumeration

The enumeration of subdomains of a given domain is important for several reasons. Some of the reasons are:

a) Identification of potential targets for an attack: Through the enumeration of all subdomains, one may be able to identify subdomains that are more vulnerable to attack than the root domain or the target organization itself. From an attacker's perspective, subdomain enumeration may be used to find (potential) vulnerabilities. A vulnerable subdomain could be the very channel through which an attacker reaches the root organization. Subdomain enumeration therefore broadens the known attack surface as well.

b) Gaining insights into the organization: Subdomains can reveal how an organization is structured, the services it offers, its size, and so on. Knowing the purpose of each subdomain can be helpful to the organization, since potential weak points that constitute a security challenge can be identified and addressed. This information may also be helpful when planning footprinting or a security assessment.

c) Finding misconfigured DNS entries: In some situations, targets may expose misconfigured DNS entries that reveal sensitive information, such as internal IP addresses. It is also possible to find applications running on hidden and/or forgotten subdomains, which may lead to the discovery of critical vulnerabilities. For example, the famous Yahoo! Voices hack in 2014 occurred due to a vulnerable application deployed on a yahoo.com subdomain.

IV. Performing Subdomain Enumeration

To perform subdomain enumeration, a list of domains is required. Enumeration starts by trying to find hostnames that resolve to IP addresses. By querying public DNS servers or consulting the WHOIS database, subdomains of the host may be enumerated. However, there is a more robust approach to subdomain enumeration, which consists of using both active and passive tools.

1. Passive subdomain enumeration and tools

Passive subdomain enumeration relies only on publicly available data. Here, use is made of search engine results. Additionally, querying DNS records held by third-party DNS data sources is another channel to follow. Usually the data is collected automatically, without direct interaction with the targeted domain. Several passive DNS enumeration tools and techniques are used to find subdomains, but only a few are discussed here, namely:

a) Google dorking

This is a powerful technique used to gather information not usually intended for public consumption. It leverages the power of the Google search engine to find sensitive information such as login pages, un-indexed directories, website vulnerabilities, and more. Subdomain enumeration is one of the several uses of Google dorking. Google dorking enumerates subdomains by searching with the "site:" operator in Google, followed by the targeted domain.

For example, "site:example.com" will return a list of the indexed pages hosted on the example.com domain and its subdomains.

b) Certificate Transparency (CT)

This is an open-source internet security framework and internet standard for monitoring and auditing digital certificates issued by a Certificate Authority (CA). It is an initiative created by Google to improve the security of SSL/TLS certificates by making them publicly available. CT makes it easier for organizations and users to detect fraudulent SSL/TLS certificates by providing a publicly accessible log of all issued certificates. This means that any SSL/TLS certificate issued by a CA participating in CT will be logged to one or more public Certificate Transparency Logs (CTLs). The logs can be queried by anyone and are commonly used to enumerate the subdomains of a targeted domain. Finding subdomains through CT requires the use of a publicly available CT log explorer such as crt.sh. To get the list of subdomains for a given domain, it suffices to enter the domain name into the search box; the tool will return all subdomains of the targeted domain that have been logged to the CT logs. Censys.io is also a CT log search engine.

c) DNS Aggregators

These are free online services that allow multiple DNS data sources to be checked at once to verify the correctness of their configuration. In this way it is possible to find a large number of subdomains in record time. A popular DNS aggregator is snipr.com/subdomain_finder/. To use this DNS aggregator, enter the targeted domain into the search box and click on the "Find subdomain" button to get the list of all subdomains. In order to get more robust results, it is necessary to try different DNS aggregators such as VirusTotal Passive DNS replication, DNSDumpster, Netcraft, and so on.

d) ASN Enumeration

Autonomous System Number (ASN) enumeration is a process that allows for the identification of all organizations using a specific IP address range. The address range is obtained by querying the organization's Autonomous System (AS) in a publicly available database such as the RIPE (Registry for Internet Protocol Europe) Database or the ARIN Registry. Once all the organizations using an ASN are identified, it is possible to take the investigation further by querying the name servers of those organizations. This may reveal any subdomains they host.

e) Subject Alternative Name (SAN)

As an extension to SSL/TLS certificates, the Subject Alternative Name (SAN) allows multiple domain names to be associated with a single certificate. The SAN can be used to enumerate subdomains, since each SAN entry typically represents a different hostname. Tools like SSLMate's Certificate Inspector or Google Chrome's developer tools can be used to find the SANs of a certificate. To do this, enter the domain name into the tool and search; it will return a list of all SANs associated with the certificate.
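The two certificate-based sources above (CT logs and SAN entries) both yield lists of hostnames that need the same cleanup before they are useful: lower-casing, stripping trailing dots, collapsing wildcards and discarding names outside the domain of interest. The following added example (not code from the original report or from crt.sh) shows that normalization from the defender's side, reconciling what the certificate ecosystem says about a domain against the organization's own asset inventory. The crt.sh JSON and the getpeercert()-style dictionary are constructed samples; only the field names (name_value, subjectAltName) are real.

```python
import json
from typing import Iterable

# Constructed sample in the shape of a crt.sh JSON response; real responses carry
# more fields per entry. Hostnames are illustrative only.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDev.Example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nwebmail.example.com\nexample-cdn.net"},
])

# Constructed dict in the shape ssl.SSLSocket.getpeercert() returns for one certificate.
PEERCERT_SAMPLE = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "api.example.com"),
                       ("DNS", "*.cdn.example.com"), ("IP Address", "192.0.2.10")),
}

# Constructed asset inventory: what the organization believes it operates.
KNOWN_ASSETS = ["www.example.com", "example.com", "mail.example.com", "shop.example.com"]


def normalize(name: str) -> str:
    """Lower-case, strip a trailing dot, and reduce a wildcard to its parent label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or lies below it."""
    return name == domain or name.endswith("." + domain)


def names_from_crtsh(json_text: str, domain: str) -> set[str]:
    """Collect in-scope hostnames from crt.sh entries; name_value is newline-separated."""
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            candidate = normalize(raw)
            if candidate and in_scope(candidate, domain):
                names.add(candidate)
    return names


def names_from_peercert(cert: dict, domain: str) -> set[str]:
    """Collect in-scope DNS SAN entries from a getpeercert()-style dict (IP SANs are skipped)."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            candidate = normalize(value)
            if in_scope(candidate, domain):
                names.add(candidate)
    return names


def unknown_hosts(found: Iterable[str], inventory: Iterable[str]) -> set[str]:
    """Hostnames seen in certificates that the inventory does not account for."""
    return set(found) - {normalize(h) for h in inventory}


if __name__ == "__main__":
    seen = names_from_crtsh(CRTSH_SAMPLE, "example.com") | names_from_peercert(PEERCERT_SAMPLE, "example.com")
    for host in sorted(unknown_hosts(seen, KNOWN_ASSETS)):
        print("not in inventory:", host)
```

Every hostname that comes out of unknown_hosts is either an asset the inventory forgot or a certificate somebody obtained for a name the organization does not operate; both deserve follow-up. Note that a wildcard such as *.cdn.example.com is reported as cdn.example.com, so the parent label is what gets flagged, not the individual hosts behind it.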

2. Active Subdomain Enumeration and Tools

Active subdomain enumeration refers to the method of identifying the subdomains of a targeted domain by interacting with it directly. This is achieved by sending web requests and/or DNS queries to the targeted domain. The data collected is then analyzed to reveal any hidden subdomains. Even though active subdomain enumeration is time consuming, it is reputed to yield accurate and up-to-date results. Several methods can be used to perform active subdomain enumeration, such as brute force, zone transfer, DNS records, the Content Security Policy (CSP) header, and so on.

a) Brute force enumeration

This is a method of enumerating subdomains by connecting directly to the targeted domain and testing candidate names from a wordlist. It can be done manually, using a web browser or another tool, or with automated tools. Some of the automated tools used to brute force a domain are indicated in section V below.

b) Zone Transfer

A zone transfer (the DNS AXFR operation) copies the records of a zone, including its name server entries and all of its hostnames, from one DNS server to another; it is the mechanism by which the DNS database is replicated across DNS servers. If a server answers transfer requests for the zone, all existing subdomains of the domain can be identified in one response.
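Both active techniques described so far, brute forcing and zone transfers, leave a distinctive footprint on the authoritative server: a burst of NXDOMAIN answers to one client, or an AXFR/IXFR request from a host that is not a configured secondary. As an added example (not part of the original report, and not BIND's native log format), the following detection logic runs over a constructed one-line-per-response log and raises both kinds of alert. The field layout, the allowed-secondary address and the threshold are assumptions for the sake of the example; a production version would also bound the NXDOMAIN count by a time window.

```python
import re
from collections import defaultdict

# Constructed resolver-log excerpt: one DNS response per line.
# This is NOT BIND's native format; it only carries the fields the detector needs.
LOG_SAMPLE = """\
2024-03-10T12:00:01Z client=198.51.100.7 qname=www.example.com qtype=A rcode=NOERROR
2024-03-10T12:00:02Z client=198.51.100.7 qname=example.com qtype=AXFR rcode=REFUSED
2024-03-10T12:00:03Z client=192.0.2.53 qname=example.com qtype=AXFR rcode=NOERROR
2024-03-10T12:00:04Z client=198.51.100.9 qname=admin.example.com qtype=A rcode=NXDOMAIN
2024-03-10T12:00:04Z client=198.51.100.9 qname=test.example.com qtype=A rcode=NXDOMAIN
2024-03-10T12:00:04Z client=198.51.100.9 qname=dev.example.com qtype=A rcode=NOERROR
2024-03-10T12:00:05Z client=198.51.100.9 qname=staging.example.com qtype=A rcode=NXDOMAIN
2024-03-10T12:00:05Z client=198.51.100.9 qname=vpn.example.com qtype=A rcode=NXDOMAIN
2024-03-10T12:00:05Z client=198.51.100.9 qname=old.example.com qtype=A rcode=NXDOMAIN
2024-03-10T12:00:06Z client=203.0.113.5 qname=typo.example.com qtype=A rcode=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)

# Assumed policy: the only host permitted to pull the zone, and how many NXDOMAIN
# answers under the zone one client may collect before we call it enumeration.
ALLOWED_SECONDARIES = {"192.0.2.53"}
NXDOMAIN_THRESHOLD = 5


def parse_log(text: str) -> list[dict]:
    """Turn log lines into dicts; lines that do not match the layout are ignored."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def detect(events: list[dict], zone: str, allowed=ALLOWED_SECONDARIES,
           threshold: int = NXDOMAIN_THRESHOLD) -> list[str]:
    """Flag zone-transfer requests from unexpected clients and NXDOMAIN bursts per client."""
    alerts = []
    nxdomain_per_client = defaultdict(int)
    for ev in events:
        # Any AXFR/IXFR from a non-secondary is worth knowing about, whether or not
        # the server actually served it: a served one means the zone leaked.
        if ev["qtype"] in ("AXFR", "IXFR") and ev["client"] not in allowed:
            status = "served" if ev["rcode"] == "NOERROR" else "refused"
            alerts.append(f"zone-transfer attempt from {ev['client']} for {ev['qname']} ({status})")
        # Brute forcing shows up as many names under the zone that do not exist.
        if ev["rcode"] == "NXDOMAIN" and ev["qname"].endswith("." + zone):
            nxdomain_per_client[ev["client"]] += 1
    for client, count in nxdomain_per_client.items():
        if count >= threshold:
            alerts.append(f"possible subdomain brute force from {client}: "
                          f"{count} NXDOMAIN answers under {zone}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(LOG_SAMPLE), "example.com"):
        print(alert)
```

On the sample, the refused AXFR from 198.51.100.7 and the five non-existent names probed by 198.51.100.9 are reported; the single typo from 203.0.113.5 and the legitimate transfer to the configured secondary are not. Passing an empty allowed set shows the third alert you would want if the transfer had gone to a host that should never have received it.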

c) Content Security Policy (CSP) Header

The CSP header is a security measure used to restrict the sources from which a browser may load content, including, but not limited to, JavaScript files, CSS and HTML. Because the header has to name the hosts it allows, the presence of a CSP header on a website usually makes it possible to enumerate subdomains simply by reading the allowed sources; those that are reachable can then be identified. Google Chrome's Developer Tools or Firefox's Developer Tools can be used to check for the presence of the CSP header in a response.

V. Additional Subdomain Enumeration Tools

The above methods constitute some of the most common ways through which subdomains are enumerated. However, there exist other techniques and tools to enumerate subdomains, which are considered below. It is important to note that new methods continue to emerge as attackers' activities become more sophisticated. Therefore, the best way to conduct subdomain enumeration and obtain robust results is to combine multiple methods and tools. Some additional tools for this purpose are:

a) Amass: This is one of OWASP's best-known subdomain enumeration tools. It is freely available and specifically designed to identify subdomains and their relationships. It uses a variety of techniques such as search engine harvesting, DNS enumeration, brute force, and more.

b) SubBrute: Even though this tool is relatively old, it remains a powerful and useful tool for enumerating subdomains. It performs dictionary-based brute force attacks in order to find the most effective combinations of words for each query. Additionally, it offers features that allow queries to be customized to specific needs or requirements.

c) DNSrecon: This is a pentesting tool bundled with Kali Linux that can be used for manual or automated discovery of subdomains. It is freely available and offers advanced features and options that allow queries to be customized and subdomains to be searched for in several different ways.

d) Sublist3r: It is popular and free. It can be used for manual and automated subdomain enumeration. To find subdomains for a given domain, the tool uses a variety of search engines, notably Google, Bing, Yahoo, and more. Furthermore, it has the ability to perform brute force attacks with a user-specified list of words.

e) Massdns: This is a high-performance DNS resolver designed particularly for mass DNS enumeration. It can be used to resolve a large number of domains or subdomains in record time. It is also very useful in brute forcing attacks.

f) Subfinder: This tool, just like the previous one, is used for subdomain enumeration and brute forcing attacks. It uses passive sources such as search engines, crt.sh, Netcraft, and more to find subdomains.

g) Knockpy: This tool can be used for both manual and automated subdomain enumeration. It employs brute force, permutation, and other techniques to enumerate subdomains. It has features that allow it to integrate with the Amass tool for more robust and comprehensive results.

h) SubDomainizer: It is a simple and effective subdomain enumeration tool. SubDomainizer uses the Google search engine to find subdomains.

i) GoBuster: This is a command line tool used for performing directory and file enumeration on web applications. It is capable of discovering hidden files, directories, and other resources that cannot be seen directly on the website's public-facing pages. Gobuster uses a wordlist to brute force the URLs and directories of a website and can also perform subdomain enumeration. The strong merits of Gobuster are its speed and versatility as well as its ability to run on multiple threads. It can also be used with a large wordlist and in conjunction with other tools like Nmap, Burp Suite, and more.

j) Altdns: This is a DNS reconnaissance tool that enables the discovery of subdomains that conform to patterns. Basically, this tool takes in words that could be present under a domain, e.g. test, dev and staging, as well as a list of known subdomains. From these input lists, the tool generates a large output of altered or mutated subdomains likely to be present. The output is saved and can be fed to any brute forcing tool.

k) Sub404: This is a powerful tool written in Python to test for the probability of subdomain takeover. It is fast and takes its list of subdomains from a text file. It checks for URLs returning 404 Not Found and for CNAME records.

l) Assetfinder: This tool enumerates domains and subdomains potentially related to any given domain. It is a Kali Linux tool. After the enumeration is completed, each subdomain is manually checked for its canonical name (CNAME) record in order to ascertain its vulnerability to a takeover attack.

There exist several other tools that can be used for subdomain enumeration, so the list here is not exhaustive. There is no single best tool when it comes to subdomain enumeration, since each tool has its merits and demerits. Finding the tool that satisfies a user's needs requires experimenting with several of them to see which works best for a given task. However, combining multiple techniques and tools is likely to produce the most robust and comprehensive results. Irrespective of the techniques or tools used, it is recommended that subdomain enumeration be conducted with care and in a methodical manner. Failure to do so may lead to false positives, missed opportunities, and other problems that may compromise the overall security investigation. By taking the time to use the methods and tools indicated above effectively, the user can help enhance the organization's security apparatus.

VI. Knowledge Gained

A study of the subdomain enumeration vulnerability has reinforced my ability to understand what this cyber security weakness is all about, especially how it is manifested and how it can be detected. Knowing why subdomain enumeration is performed has enhanced my aptitude to understand the protective mechanism to propose to an organization when it comes to the sanitization of subdomains. The subdomain enumeration bug is just one of the several types of weaknesses that can impair the cyber security of an organization; knowledge of its manifestation and prevention is an addition to my overall understanding of the subject of cyber security.

Author: Melvina Ondricka