7.5 KiB
Web Attack Surface
Summary
Enumerate Subdomains
Subdomain enumeration is the process of identifying all subdomains associated with a main domain (e.g., finding blog.example.com
, shop.example.com
, etc., for example.com
).
Subdomains Databases
Many databases and tools aggregate data from a variety of online sources, such as DNS databases, certificate transparency logs, APIs (e.g., Shodan, VirusTotal), and other publicly available sources to compile a comprehensive list of potential subdomains.
-
projectdiscovery/chaos-client - Go client to communicate with Chaos DB API.
chaos -d hackerone.com
-
projectdiscovery/subfinder - Fast passive subdomain enumeration tool.
subfinder -d hackerone.com
-
owasp-amass/amass - In-depth attack surface mapping and asset discovery
amass enum -d example.com
-
Findomain/Findomain - The complete solution for domain recognition.
findomain -t example.com -u /tmp/example.com.out
Bruteforce Subdomains
Subdomain brute-forcing is a technique used to discover subdomains of a target domain by systematically trying out potential subdomain names against it. This is done by using a predefined list of common or likely subdomain names, known as a wordlist. Each word in the wordlist is appended to the target domain (e.g., admin.example.com, mail.example.com) to check if it resolves to a valid subdomain.
Unlike passive subdomain enumeration, which relies on existing data from sources, brute-forcing actively queries DNS records to discover live subdomains that may not be listed in public databases.
- infosec-au/altdns - Generates permutations, alterations and mutations of subdomains and then resolves them.
altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w ./words.txt
- owasp-amass/amass - In-depth attack surface mapping and asset discovery.
amass enum -active -brute -o /tmp/hosts.txt -d $1
- projectdiscovery/dnsx - A fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
dnsx -silent -d facebook.com -w dns_worldlist.txt
- subfinder/goaltdns - A permutation generation tool written in golang.
altdns -l ./input_domains.txt -o ./output.txt
Certificate Transparency Logs
Certificate Transparency (CT) logs are public databases that record all SSL/TLS certificates issued by certificate authorities (CAs). These logs are designed to improve the security and transparency of the SSL/TLS ecosystem by making it easier to monitor and audit certificates.
DNS Resolution
Once you've generated a list of potential subdomains, the next step is to resolve them to retrieve their DNS records (A and AAAA) to obtain their IPv4 and IPv6 addresses.
- blechschmidt/massdns
cat /tmp/results_subfinder.txt | massdns -r ./resolvers.txt -t A -o S -w /tmp/results_subfinder_resolved.txt
- projectdiscovery/dnsx - a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
subfinder -silent -d hackerone.com | dnsx -silent -a -resp subfinder -silent -d hackerone.com | dnsx -silent -cname -resp subfinder -silent -d hackerone.com | dnsx -silent -asn echo 173.0.84.0/24 | dnsx -silent -resp-only -ptr echo AS17012 | dnsx -silent -resp-only -ptr
Technology Discovery
Technology discovery is the process of identifying the underlying technologies, software, and frameworks used by a website or digital infrastructure. This often includes detecting web servers, CMS platforms, programming languages, databases, JavaScript libraries, and other software components.
-
projectdiscovery/httpx - A fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library.
httpx -u 'https://example.com' -title -tech-detect -status-code -follow-redirects
-
projectdiscovery/wappalyzergo - A high performance go implementation of Wappalyzer Technology Detection Library.
-
michenriksen/aquatone - A Tool for Domain Flyovers
cat hosts.txt | aquatone -ports 80,443,3000,3001
-
rverton/webanalyze - Port of Wappalyzer in Go
webanalyze -host example.com -crawl 1
-
wappalyzer - Identify technologies on websites.
Subdomain Takover
A subdomain takeover is a type of security vulnerability that occurs when a subdomain (e.g., sub.example.com
) is still live but its DNS records point to a service or platform (like AWS S3, GitHub Pages, or Heroku) that is no longer active or properly configured. This situation can allow an attacker to claim the unclaimed resource and take control of the subdomain, enabling them to host malicious content or impersonate the legitimate website.
For example, if sub.example.com
points to an AWS S3 bucket that has been deleted or abandoned, an attacker could create a new S3 bucket with the same name, gaining control over the subdomain and potentially causing security risks, like phishing attacks or reputational damage to the main domain.
Refer to EdOverflow/can-i-take-over-xyz for a list of services and guidance on claiming subdomains with dangling DNS records.
-
projectdiscovery/nuclei-templates/http/takeovers - Community curated list of templates for the nuclei engine to find security vulnerabilities.
nuclei -t nuclei-templates/http/takeovers -u https://example.com
-
anshumanbh/tko-subs - A tool that can help detect and takeover subdomains with dead DNS records
./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv