Subdomain Enumeration – Recon part 2


Inspired by part two of https://twitter.com/RogueSMG/status/1496217791976054784

Topics:

  • Set up your VPS server.
  • Subdomain enumeration

Set up your VPS server

To list the subdomains of a target, the easiest approach is to automate the process with tooling.

First of all we need a Linux-based operating system, such as the Kali Linux distribution, which can be run as a virtual machine in VMware on Windows.

But my recommendation is to buy a cheap VPS; the provider does not matter. In my case I have chosen a VPS running Ubuntu 20.04.

https://www.google.com/search?q=vps+cheap

Once we have SSH access to the VPS we must install Go. Go to https://go.dev/dl/ and locate the "tar.gz" download for Linux. In my case I downloaded version 1.18.3; a newer version may be available by the time you read this entry.

The commands to download and install Go are as follows. Before extracting the archive, compare its SHA256 with the checksum listed next to the file on the download page, so you are not installing a tampered toolchain on the box you will run everything else from:

wget https://go.dev/dl/go1.18.3.linux-amd64.tar.gz
sha256sum go1.18.3.linux-amd64.tar.gz
tar -xvf go1.18.3.linux-amd64.tar.gz
sudo mv go /usr/local
echo 'export GOROOT=/usr/local/go' >> ~/.profile
echo 'export GOPATH=$HOME/go' >> ~/.profile
echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.profile
source ~/.profile

To check that Go is installed correctly, run "go version" in the terminal; you should get something like the following:

go version go1.18.3 linux/amd64

Passive subdomain enumeration

The tools we will use are the following:

amass

https://github.com/OWASP/Amass

To install it with Go, run the following command.

go install -v github.com/OWASP/Amass/v3/...@master

If you have problems with the installation due to the version of Go, I recommend using version 1.18.3 as it is compatible with Amass.

You can also install Amass via Docker or by downloading the binary from the releases page. See its official GitHub repository for more information.

To enumerate subdomains passively with Amass, use the following command. In passive mode Amass only queries third-party data sources and does not resolve the names it finds, so the list can contain stale entries; drop the flag if you want Amass to resolve them (that sends DNS traffic for the target, so stay in scope).

amass enum --passive -d starbucks.com

assetfinder

https://github.com/tomnomnom/assetfinder

Since this tool has not been updated since 2020, it is likely to have installation problems.

You need to download the Go source files and build the tool directly from them.

wget https://github.com/tomnomnom/assetfinder/archive/refs/tags/v0.1.1.zip
unzip v0.1.1.zip -d assetfinder
cd assetfinder/assetfinder-0.1.1/
go env -w GO111MODULE=auto
go build -o "$(go env GOPATH)/bin/assetfinder" .

Now run the tool with the following command to enumerate subdomains.

assetfinder --subs-only starbucks.com

subfinder

Installation

https://github.com/projectdiscovery/subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Usage

subfinder -d starbucks.com

Out of the box subfinder only queries the sources that need no API key; to get results from the rest, add your keys to ~/.config/subfinder/provider-config.yaml.

The next two tools are optional, but they're pretty cool too.

findomain

https://github.com/Findomain/Findomain

This tool is very interesting because it queries many different services to enumerate subdomains, and it runs on both Windows and Linux.

github-subdomains.py

As the name implies, it finds subdomains mentioned in public GitHub repositories. You only need to supply a GitHub token.

https://github.com/gwen001/github-search/blob/master/github-subdomains.py
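To tie the tools above together, here is an added example script (my own, not code from the original post or from any of the projects mentioned) that runs whichever of amass, subfinder, assetfinder and findomain are installed, normalizes and merges their raw output into one deduplicated in-scope list, and can then keep only the names that still resolve. The tool flags are the real ones (amass -passive, subfinder -silent, assetfinder --subs-only, findomain -t / -q); the function names and the lines in SAMPLE_RAW are constructed for illustration, and the script assumes the tools are in $PATH as set up in the Go section.

```bash
#!/usr/bin/env bash
# Added example: merge the output of the passive tools above into one clean
# list. Not part of the original post; function names and sample data are
# constructed. Assumes the tools are in $PATH (see the Go setup section).
set -u
export LC_ALL=C   # deterministic sort order

# normalize_subs DOMAIN  (reads raw names on stdin)
# Lowercases, trims whitespace, strips URL scheme/port/path, a leading "*."
# and a trailing ".", drops blanks, and keeps only DOMAIN itself or names
# ending in ".DOMAIN" (so "notstarbucks.com" and "starbucks.com.attacker.net"
# are rejected instead of sneaking into your scope file).
normalize_subs() {
  local domain="$1"
  tr 'A-Z' 'a-z' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s#^[a-z]+://##; s#[/:].*$##; s/^\*\.//; s/\.$//' \
    | awk -v d="$domain" 'length($0) && ($0 == d || substr($0, length($0) - length(d)) == "." d)' \
    | sort -u
}

# resolve_live  (reads names on stdin)
# Keeps only names that currently resolve; passive sources happily return
# names that were deleted years ago. Needs dig (dnsutils / bind-utils).
# This step is active (it sends DNS queries), so only run it on in-scope targets.
resolve_live() {
  local name
  while IFS= read -r name; do
    if dig +short "$name" 2>/dev/null | grep -q '^[^;]'; then
      printf '%s\n' "$name"
    fi
  done
  return 0
}

# enum_passive DOMAIN OUTFILE
# Runs every tool that is installed, merges and normalizes the results into
# OUTFILE, and prints how many unique in-scope names were found.
enum_passive() {
  local domain="$1" out="$2" raw
  raw="$(mktemp)"
  if command -v amass >/dev/null 2>&1; then
    amass enum -passive -d "$domain" >>"$raw" 2>/dev/null || true
  fi
  if command -v subfinder >/dev/null 2>&1; then
    subfinder -silent -d "$domain" >>"$raw" 2>/dev/null || true
  fi
  if command -v assetfinder >/dev/null 2>&1; then
    assetfinder --subs-only "$domain" >>"$raw" 2>/dev/null || true
  fi
  if command -v findomain >/dev/null 2>&1; then
    findomain -t "$domain" -q >>"$raw" 2>/dev/null || true
  fi
  normalize_subs "$domain" <"$raw" >"$out"
  rm -f "$raw"
  wc -l <"$out" | tr -d ' '
}

# Constructed sample of what the tools emit (mixed case, trailing dots,
# wildcards, full URLs, blanks and out-of-scope look-alikes) for an offline run.
SAMPLE_RAW='WWW.Starbucks.com
www.starbucks.com.
*.api.starbucks.com
https://mail.starbucks.com:443/login
starbucks.com
notstarbucks.com
starbucks.com.attacker.net

app.starbucks.co.uk'

# demo: normalizes SAMPLE_RAW for starbucks.com; the result is the four
# in-scope names (api., mail., the apex and www.), one per line.
demo() {
  printf '%s\n' "$SAMPLE_RAW" | normalize_subs starbucks.com
}

# Usage: ./passive-enum.sh starbucks.com subs.txt   (then: resolve_live < subs.txt)
if [ "$#" -ge 1 ]; then
  enum_passive "$1" "${2:-$1.subs.txt}"
else
  demo
fi
```

Run it with the target as the first argument to get a merged subs.txt; with no arguments it only normalizes the constructed sample. The resolution step is kept separate from the passive merge on purpose: the merge is free and silent, while resolve_live touches the target's DNS and belongs with the active phase of the engagement.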
