37:21
Subdomain Hunting Tutorial – Find Hidden Subdomains Like a Pro | Bug Bounty Recon Guide 🤑❤️🔥
Murari Tech World 75
Overview
This video is a tutorial on subdomain enumeration for bug bounty hunting and penetration testing. It explains what subdomains are, why they are important targets, and demonstrates various techniques and tools for discovering them. The presenter emphasizes the value of finding hidden or forgotten subdomains, which can often be overlooked and present security vulnerabilities. The tutorial covers both automated and manual methods, encouraging viewers to combine approaches for maximum effectiveness in reconnaissance.
How was this?
Save this permanently with flashcards, quizzes, and AI chat
Chapters
- Subdomains are extensions of a main domain (e.g., blog.example.com, api.example.com).
- They are often used to organize different services or content of a website.
- Finding subdomains is a crucial step in bug bounty hunting and penetration testing because they can host vulnerable applications or services.
- Attackers can exploit misconfigurations or vulnerabilities on subdomains that might not be actively monitored on the main domain.
Understanding subdomains helps you identify potential attack surfaces that might be less secured than the primary website.
The presenter might use an example like 'mail.google.com' or 'developer.apple.com' to illustrate what a subdomain is.
- Automated tools can quickly scan for a large number of subdomains.
- Tools like Amass, Subfinder, and Assetfinder are commonly used for this purpose.
- These tools often leverage various techniques such as DNS brute-forcing, certificate transparency logs, and search engine scraping.
- The output from these tools provides a list of potential subdomains to investigate further.
Automated tools significantly speed up the initial reconnaissance phase, allowing you to gather a broad list of potential targets efficiently.
Demonstration of running a command like 'subfinder -d example.com' and showing the output list of found subdomains.
- Search engines (like Google, Bing) can reveal subdomains through advanced search operators (e.g., 'site:*.example.com').
- Certificate Transparency (CT) logs record SSL/TLS certificates issued for domains, often revealing subdomains that might not be discoverable through other means.
- Websites like crt.sh can be used to query CT logs for a specific domain.
- Combining search engine dorks with CT log analysis provides a more comprehensive view of subdomains.
These methods tap into publicly available information that attackers might also use, helping you find subdomains that are not actively advertised.
Showing how to use Google's `site:*.example.com -www.example.com` search query or browsing crt.sh for a domain to find associated certificates and subdomains.
- DNS brute-forcing involves trying common subdomain names against a target domain.
- Tools like ffuf or dnsrecon can be used with wordlists to perform brute-force attacks.
- Understanding DNS records (A, AAAA, CNAME, MX) is important for validating subdomain existence and understanding their purpose.
- Zone transfers, though rarely successful, can sometimes reveal a large number of subdomains if misconfigured.
Directly querying DNS servers and using brute-force methods can uncover subdomains that are not indexed by search engines or logged in CT.
Using a tool like `dnsrecon` with a wordlist to attempt to discover subdomains for a target domain.
- After automated discovery, manual verification is essential to confirm the existence and accessibility of subdomains.
- This involves checking if subdomains resolve to IP addresses and if they host active web servers.
- Tools like `ping`, `dig`, or `nslookup` can be used for basic DNS resolution checks.
- Accessing subdomains via a web browser or tools like `curl` helps determine if they are live and what content they serve.
Manual verification ensures you are focusing your efforts on real, accessible subdomains, filtering out false positives from automated tools.
Taking a discovered subdomain (e.g., `dev.example.com`) and using `ping dev.example.com` or opening it in a web browser to see if it loads a page.
- Combining multiple subdomain discovery tools and techniques yields the best results.
- Looking for forgotten or old subdomains that might still be active is a valuable strategy.
- Analyzing the technologies used on discovered subdomains can reveal further attack vectors.
- Understanding the target's infrastructure helps in predicting potential subdomain patterns.
A multi-faceted approach increases the likelihood of finding hidden or less obvious subdomains, maximizing your chances of discovering vulnerabilities.
Using the output from Amass, then cross-referencing with results from crt.sh and Google dorks, and finally manually checking each unique subdomain found.
Key takeaways
- Subdomains are critical attack vectors in security assessments because they are often less scrutinized than the main domain.
- A combination of automated tools (Amass, Subfinder) and manual techniques (search engines, CT logs) is most effective for comprehensive subdomain discovery.
- Certificate Transparency logs are a powerful, often overlooked, source for finding subdomains.
- Always manually verify discovered subdomains to confirm their existence and accessibility, filtering out false positives.
- Finding forgotten or old subdomains can lead to significant security findings.
- Understanding DNS and how subdomains are structured is fundamental to effective reconnaissance.
Key terms
SubdomainDomain Name System (DNS)ReconnaissanceBug Bounty HuntingPenetration TestingCertificate Transparency (CT) LogsDNS Brute-forcingZone TransferSSL/TLS CertificatesAttack Surface
Test your understanding
- Why is discovering subdomains a critical part of a penetration test?
- What are the main advantages of using automated subdomain discovery tools?
- How can Certificate Transparency logs be used to find subdomains?
- What steps should be taken after an automated tool identifies potential subdomains?
- Describe a strategy for combining different subdomain discovery techniques for better results.