Web Attack Surface

Summary

• Enumerate Subdomains
  • Subdomains Databases
  • Bruteforce Subdomains
  • Certificate Transparency Logs
  • DNS Resolution
  • Technology Discovery
• Subdomain Takeover
• References

Enumerate Subdomains

Subdomain enumeration is the process of identifying all subdomains associated with a main domain (e.g., finding blog.example.com, shop.example.com, etc., for example.com).

Subdomains Databases

Many databases and tools aggregate data from a variety of online sources, such as DNS databases, certificate transparency logs, APIs (e.g., Shodan, VirusTotal), and other publicly available sources to compile a comprehensive list of potential subdomains.

• projectdiscovery/chaos-client - Go client to communicate with Chaos DB API.

  chaos -d hackerone.com
  

• projectdiscovery/subfinder - Fast passive subdomain enumeration tool.

  subfinder -d hackerone.com
  

• owasp-amass/amass - In-depth attack surface mapping and asset discovery

  amass enum -d example.com
  

• Findomain/Findomain - The complete solution for domain recognition.

  findomain -t example.com -u /tmp/example.com.out
  

Bruteforce Subdomains

Subdomain brute-forcing is a technique used to discover subdomains of a target domain by systematically trying out potential subdomain names against it. This is done by using a predefined list of common or likely subdomain names, known as a wordlist. Each word in the wordlist is appended to the target domain (e.g., admin.example.com, mail.example.com) to check if it resolves to a valid subdomain.

• assetnote/wordlists
• danielmiessler/SecLists/Discovery/DNS
• jhaddix/all.txt

Unlike passive subdomain enumeration, which relies on existing data from sources, brute-forcing actively queries DNS records to discover live subdomains that may not be listed in public databases.

• infosec-au/altdns - Generates permutations, alterations and mutations of subdomains and then resolves them.

  altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w ./words.txt
  

• owasp-amass/amass - In-depth attack surface mapping and asset discovery.

  amass enum -active -brute -o /tmp/hosts.txt -d $1
  

• projectdiscovery/dnsx - A fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

  dnsx -silent -d facebook.com -w dns_worldlist.txt
  

• subfinder/goaltdns - A permutation generation tool written in golang.

  altdns -l ./input_domains.txt -o ./output.txt
  

Certificate Transparency Logs

Certificate Transparency (CT) logs are public databases that record all SSL/TLS certificates issued by certificate authorities (CAs). These logs are designed to improve the security and transparency of the SSL/TLS ecosystem by making it easier to monitor and audit certificates.

• CertStream Calidog
• Meta Certificate Transparency
• Google Certificate Transparency

DNS Resolution

Once you've generated a list of potential subdomains, the next step is to resolve them to retrieve their DNS records (A and AAAA) to obtain their IPv4 and IPv6 addresses.

• blechschmidt/massdns

  cat /tmp/results_subfinder.txt | massdns -r ./resolvers.txt -t A -o S -w /tmp/results_subfinder_resolved.txt
  

• projectdiscovery/dnsx - a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

  subfinder -silent -d hackerone.com | dnsx -silent -a -resp
  subfinder -silent -d hackerone.com | dnsx -silent -cname -resp
  subfinder -silent -d hackerone.com | dnsx -silent  -asn
  echo 173.0.84.0/24 | dnsx -silent -resp-only -ptr
  echo AS17012 | dnsx -silent -resp-only -ptr 
  

Technology Discovery

Technology discovery is the process of identifying the underlying technologies, software, and frameworks used by a website or digital infrastructure. This often includes detecting web servers, CMS platforms, programming languages, databases, JavaScript libraries, and other software components.

• projectdiscovery/httpx - A fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library.

  httpx -u 'https://example.com' -title -tech-detect -status-code -follow-redirects
  

• projectdiscovery/wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.

• michenriksen/aquatone - A Tool for Domain Flyovers

  cat hosts.txt | aquatone -ports 80,443,3000,3001
  

• rverton/webanalyze - Port of Wappalyzer in Go

  webanalyze -host example.com -crawl 1
  

• wappalyzer - Identify technologies on websites.

Subdomain Takover

A subdomain takeover is a type of security vulnerability that occurs when a subdomain (e.g., sub.example.com) is still live but its DNS records point to a service or platform (like AWS S3, GitHub Pages, or Heroku) that is no longer active or properly configured. This situation can allow an attacker to claim the unclaimed resource and take control of the subdomain, enabling them to host malicious content or impersonate the legitimate website.

For example, if sub.example.com points to an AWS S3 bucket that has been deleted or abandoned, an attacker could create a new S3 bucket with the same name, gaining control over the subdomain and potentially causing security risks, like phishing attacks or reputational damage to the main domain.

Refer to EdOverflow/can-i-take-over-xyz for a list of services and guidance on claiming subdomains with dangling DNS records.

• projectdiscovery/nuclei-templates/http/takeovers - Community curated list of templates for the nuclei engine to find security vulnerabilities.

  nuclei -t nuclei-templates/http/takeovers -u https://example.com
  

• anshumanbh/tko-subs - A tool that can help detect and takeover subdomains with dead DNS records

  ./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv  
  

References

• Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak (@0xpatrik) - May 21, 2018
• Subdomain Takeover: Basics - Patrik Hudak (@0xpatrik) - June 27, 2018

Share this content