Climbing Mount WebAppSec – Discovering Subdomains

Following Jason Haddix’s Bug Hunters Methodology I’m at phase two: Discovery.

Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files).

In this post I will cover subdomains.

The premise in discovering subdomains is to firstly enlarge the attack surface and in the process find some easier wins. Subdomains may be forgotten in the mists of time; for example, originally set up for testing purposes, or a myriad other reasons that make them of interest to us.

There’s a lot of solid tools out there to brute-force discovery of subdomains. After several weeks of testing most of them I have settled on DNScan, Sublist3r (with Subbrute) & brutesubs.

Installation of DNScan & Sublist3r is very straight forward.  My advice is to install TrustedSec’s Penetration Testers Framework (PTF) and add these tools to the collection – you’ll need many more tools moving forward.

Here is my blog post on the framework and if you want me to blog the process of adding new tools – complete with one word launcher from anywhere in your system – let me know on Twitter.

Brutesubs setup involves a little more as it is in a Docker container, but well worth the effort as in addition to Sublist3r it utilises: Gobuster, enumall, & altdns.

A VERY important aspect of this job are the wordlists fed to the tools.

My advice at this stage is to go and grab all of the wordlists inside SecLists on Github (courtesy of Jason Haddix (again) and Daniel Miessler). Place them somewhere handy as we’ll also be using these lists when we come to discovering directories/files.

Whilst you’re at this, hop over to read Bitquark’s blog post on the “most popular subdomains on the internet”. After which download the wordlists from the DNSpop repository on Github.

The wordlists relevant to us on SecLists can be found in the “DNS” folder contained within “Discovery”. You’ll find a Bitquark “top 100K” in there also.

Let’s roll with a few examples:

First up Sublist3r:

Sublist3r is python tool that is designed to enumerate subdomains of websites through OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.

~$ sublist3r -b -d domain

-b for subbrute -d for domain. Simple as that! No wordlist needed.

Next up:


dnscan is a python wordlist-based DNS subdomain scanner.

The script will first try to perform a zone transfer using each of the target domain’s nameservers.

If this fails, it will lookup TXT and MX records for the domain, and then perform a recursive subudomain scan using the supplied wordlist.

Comes with its own wordlists but we can add one from Bitquark if we please:

~$ dnscan -d domain -w /pentest/seclists/Discover/DNS/dnspop/results/bitquark-2016-subdomains-popular-1000

-d for domain & -w for wordlist.

And lastly Brutesubs. Slightly different in that we have to alter the sample-env file to set out TARGET, DIRNAME and wordlists and then save as .env

Ensure you remove all of the comments as well.

Once complete (and you’re in the right directory) simply run:

~$ docker-compose build

After completion check your new directory within “myoutdir” and “finalresults.txt”.

Hope this helps and feel free to hit me up on Twitter if you have any issues.