Subdomain enumeration
Via manual OSINT
CRT.SH
A simple request to https://crt.sh/ (a website that lists TLS/SSL certificates for publicly accessible hosts, collected from Certificate Transparency logs) using the domain name of our target website could yield results: every certificate issued for a subdomain of the target is listed there, whether or not the host is linked from anywhere.
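The crt.sh query above can be scripted. The following is an added example (not part of the original notes, and not crt.sh's own code): it requests crt.sh's JSON output for a domain and reduces it to a deduplicated list of in-scope hostnames. It assumes that GET https://crt.sh/?q=%25.<domain>&output=json returns a JSON list of objects whose "name_value" field holds one or more DNS names separated by newlines (this matches the output format as I know it; if it changes, only the parser needs updating). The sample JSON embedded below is constructed so that the parser can be run offline; the lookalike name "example.com.evil.test" is included to show why a plain substring match is not enough.

```python
"""Turn crt.sh JSON output into a clean list of subdomains (added example)."""
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape of crt.sh's JSON output for a fictitious domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",            # wildcard: names no concrete host
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-04-30T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.example.com",          # mixed case must be normalised
     "name_value": "MAIL.Example.com\nwebmail.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-31T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.test",     # lookalike: out of scope
     "name_value": "example.com.evil.test",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-31T23:59:59"},
])


def in_scope(name: str, domain: str) -> bool:
    """True if name is the apex itself or a label-boundary subdomain of it."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh_entries(json_text: str, domain: str) -> list[str]:
    """Return sorted, unique, lower-cased hostnames under `domain`.

    Wildcard names (*.example.com) are dropped: a wildcard certificate does
    not tell us which hosts actually exist. Names that merely contain the
    domain as a substring (example.com.evil.test) are rejected by in_scope().
    """
    domain = domain.lower().strip(".")
    found: set[str] = set()
    for entry in json.loads(json_text):
        # name_value may carry several SANs separated by newlines.
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if in_scope(name, domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: int = 30) -> list[str]:
    """Query crt.sh live for %.<domain> and parse the result (network access)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-subdomain-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_crtsh_entries(resp.read().decode("utf-8"), domain)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for host in parse_crtsh_entries(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The same parser is useful from the defensive side: run it against your own domains on a schedule and alert on any hostname you did not expect, which is how CT-log monitoring for rogue or forgotten certificates is usually done.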
Google Dorking
The Google search engine lets us use "dorks", additional operators or formatting that narrow down a search. A good example is the "site:" dork, which only shows results for the domain name we give it. Combining our known domain with a wildcard therefore lists indexed subdomains. Example:
site:"*.laposte.fr"
Via automated tools
DNSRecon
dnsrecon -t brt -d target.whatever
Sublist3r
sublist3r.py -d target.whatever
ffuf (virtual host brute force; -fs filters out responses of the given byte size, so set it to the size of the default response the server returns for an unknown Host header)
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.target.whatever" -u http://target_ip -fs {size_of_the_average_response}