I need to find most subdomains of a domain. I know there are many options.

I've tried many available in Kali Linux:

dnsmap
dnsenum
dnsrecon
dnswalk
fierce
urlcrazy

Most of them only find 2 or 3 working subdomains, while this online tool finds many more.

Since pentest-tools requires buying credits in order to work, I'm trying to find a tool that would retrieve similar results to it. I haven't been successful so far.

How can I get the best results from those tools?

schroeder
Philippe Delteil
  • Have you confirmed that the domains the pentest-tool found are legitimate? – schroeder Feb 27 '18 at 17:43
  • Yes, most of them are. – Philippe Delteil Feb 27 '18 at 17:58
  • Have you manually walked the results they gave you in an attempt to reproduce it? If you can, download an old copy of Sam Spade and see what that turns up. Also, take a look at SSL certificates; see if any of them include multiple domains in the list. – John Deters Feb 27 '18 at 18:14
  • This may give good ideas/introduction on the subject: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 – Patrick Mevzek Aug 12 '19 at 18:22

2 Answers

7

The tool you linked explained their techniques:

 DNS zone transfer
 DNS enumeration based on a specially chosen wordlist
 Public search engine queries
 Word mutation techniques

The Kali tools you mentioned can do some of those things, but perhaps not all. You might need to combine them or configure them differently.

Without knowing the specifics of what one tool found that another did not, it will be difficult to devise a more technical answer.

schroeder
  • Hello, yes, I've noticed the explanation of the site's technique. I guess the most straightforward approach is to use most or all available recon tools and combine their results (and also add a way of testing the results in an automated way). – Philippe Delteil Mar 09 '18 at 17:13
2

Essentially, you need to look for zone cuts or authoritative NS records. A zone cut can be detected by checking the DNS response header for a NOERROR status when attempting to resolve a resource record of any type for that subdomain. An authoritative NS record can be found by asking a nameserver that the actual subdomain's zone lists (the parent domain might be able to answer, but that doesn't make it correct). This presentation from the DNS Operations Analysis and Research Center elucidates.

I was able to demonstrate this by comparing the results between the answers to queries for resource records in websecurity.symantec.com. versus symantec.com. Notice how the nameserver authoritative for symantec.com. gives me the NS record for the websecurity.symantec.com. authoritative nameserver when I ask for its A record, even though an answer exists.

$ dig @8.8.4.4 IN NS symantec.com. | head -1
symantec.com.           3596    IN      NS      pdns1.ultradns.net.
$ dig @8.8.4.4 IN NS websecurity.symantec.com. | head -1
websecurity.symantec.com. 542   IN      NS      k4.nstld.com.
$ dig @k4.nstld.com. IN A websecurity.symantec.com. | head -1
websecurity.symantec.com. 900   IN      A       155.64.49.125
$ dig @pdns1.ultradns.net. IN A websecurity.symantec.com. | head -1
websecurity.symantec.com. 3600  IN      NS      j4.nstld.com.