Introduction:
Early information gathering is a very important part of a normal penetration test. Every additional exposed asset is one more potential attack point, and the more of them there are, the more likely it is that the target system can be compromised. Subdomains are usually collected through subdomain brute forcing (dictionary enumeration), zone transfer vulnerabilities, and so on. This post summarises the methods of subdomain enumeration, in order to better understand the principles and means of subdomain collection.
In addition, some basic knowledge is needed. The common DNS record types are listed below; DNS uses TCP/UDP port 53 by default:
A: IPv4 address record, maps a domain name to its IPv4 address
AAAA: IPv6 address record, maps a domain name to its IPv6 address
CNAME: canonical name record, records an alias of a host
MX: mail exchange record, records the mail server for a mail domain, e.g. for root@xxxx.com
NS: name server record, records which name servers resolve the domain
PTR: reverse record, maps an IP address back to a domain name
TXT: records arbitrary text information associated with the domain
Normally we can query the NS records to obtain the DNS servers of a domain, and we can also specify which DNS server to query:
nslookup -qt=NS baidu.com 8.8.8.8
Subdomain brute forcing:
This is very simple: the main thing is to use tools and dictionaries to brute force and enumerate subdomain names. How many are found depends on the quality of the dictionary and the quality of the tool. It is likely to trigger an alarm, and the subdomains found will not be complete, but as the most common and easiest method it is still very important:
Three things matter for subdomain brute forcing: the tool, the dictionary and the DNS server:
The first is the dictionary. There are many places on the Internet to download dictionaries, but most of them contain a lot of garbage and are not comprehensive, so the dictionary has to be maintained by hand. It should not be too large either, or the time and cost grow too high, and if the thread count is set high there will be packet loss; the most common symptom is that each brute-force run returns different results.
The choice of DNS server depends on whether the domain you are brute forcing is hosted in China or abroad. Once that is confirmed you can choose the DNS server. A few recommendations:
Public DNS: 114.114.114.114 and 114.114.115.115
Ali DNS: 223.5.5.5 and 223.6.6.6
OpenDNS: 208.67.222.222 and 208.67.220.220
Google DNS: 8.8.8.8 and 8.8.4.4
Tool selection: here I often use Layer and ksubdomain.
ksubdomain address:
https://github.com/knownsec/ksubdomain
Unless you want to modify the code and compile it yourself, you can download the prebuilt executable directly from the project's releases. The command is as follows:
ksubdomain -d baidu.com -f subdomain.txt -ttl -b 1k -o /home/dnsscan/out.txt
The result can be split using awk: awk '{print $1,$3,$3,$7}' out.txt
Although using -b reduces the speed, there is still a packet loss problem: the tool is very fast, but packet loss may make the scan incomplete.
Layer address:
https://github.com/euphrat1ca/LayerDomainFinder
Layer is used on Windows, which makes it convenient for beginners to operate. You can set the DNS servers yourself. It is not as fast as ksubdomain, but it is still usable:
In addition, there are many brute-forcing tools on the Internet, which I won't list here; you can download and test them yourself.
Search engines:
Search engines can also be used to find subdomains:
google: site:target.com
bing: site:target.com
ZoomEye (钟馗之眼): site=target.com
Certificate Transparency:
Certificate Transparency (CT) is a program under which Certificate Authorities publish every SSL/TLS certificate they issue to a public log. An SSL/TLS certificate usually includes the domain name, subdomain names and email addresses. The easiest way to find out which certificates belong to a domain is to search the public CT logs with one of the CT search engines.
A mandatory requirement of the Google Chrome browser went into effect requiring all newly issued TLS certificates to comply with the Chromium Certificate Transparency (CT) policy. Under this mandate, websites must ensure that publicly trusted certificates issued by Certificate Authorities (CAs) appear in CT logs. Otherwise, Chrome displays an error to visitors warning them that the site is not CT compliant and prevents subresources served over HTTPS from loading correctly.
CT search sites:
https://crt.sh/
https://search.censys.io/certificates
https://ui.ctsearch.entrust.com/ui/ctsearchui
Or use the tool ctfr:
https://github.com/UnaPibaGeek/ctfr
Use the command: python3 ctfr.py -d test.com
SAN (Subject Alternative Name):
Simply put, when several domain names are needed for various services, a SAN certificate can be used. The subjectAltName field of the certificate associates several values, known as subject alternative names, with the certificate. These names may include IP addresses, DNS names, and so on.
Tool: the-art-of-subdomain-enumeration
https://github.com/appsecco/the-art-of-subdomain-enumeration
python3 san_subdomain_enum.py www.baidu.com
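As an added example (not code from the original post, from ctfr or from the-art-of-subdomain-enumeration), the following Python inventories the names that CT logs expose for a domain, covering both the CT and SAN sections above: it parses a constructed sample in the shape of crt.sh's JSON output, pulls the CN and the SAN list (name_value) from each record, drops out-of-scope and email names, and flags hosts whose certificates have all expired. The records and the domain example.com are constructed; the field names common_name, name_value and not_after are the ones crt.sh returns.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (?q=%25.example.com&output=json).
# The field names follow crt.sh; the records themselves are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com\nmail.example.com",
     "not_after": "2021-06-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2030-01-01T00:00:00"},
    {"id": 3, "common_name": "dev.example.com",
     "name_value": "dev.example.com\nstaging.example.com\n"
                   "example.com.not-ours.net\nadmin@example.com",
     "not_after": "2030-01-01T00:00:00"},
])

def names_in_record(rec):
    """Yield every DNS name a record carries: the CN plus the SAN list in name_value."""
    for field in ("common_name", "name_value"):
        for name in (rec.get(field) or "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name and "@" not in name:      # SAN lists may also hold email addresses
                yield name

def ct_inventory(json_text, apex):
    """Return ({hostname: newest not_after}, {wildcard names}) for names under apex.
    Wildcards are reported separately: *.example.com names no individual host."""
    apex = apex.lower()
    names, wildcards = {}, set()
    for rec in json.loads(json_text):
        expiry = datetime.fromisoformat(rec["not_after"])
        for name in names_in_record(rec):
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]
            # Suffix match on ".apex": example.com.not-ours.net is a different domain.
            if name != apex and not name.endswith("." + apex):
                continue
            if name not in names or expiry > names[name]:
                names[name] = expiry
    return names, wildcards

def stale_names(names, now_iso):
    """Hostnames whose newest certificate had already expired at now_iso (may no longer exist)."""
    now = datetime.fromisoformat(now_iso)
    return sorted(n for n, exp in names.items() if exp < now)
```

Names that only appear on expired certificates are still returned, so the expiry date is what tells you whether a host is likely to be gone.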
Information disclosure:
GitHub:
GitHub can be searched directly, but there is a lot of content, so it is best to combine it with a tool such as github-subdomains:
https://github.com/gwen001/github-subdomains
crossdomain.xml:
Access the cross-domain policy file crossdomain.xml:
robots.txt
robots.txt can disclose directories or subdomains:
CSP(Content-Security-Policy):
If a CSP is set, it may contain subdomains:
The tool csprecon can collect them in batches:
https://github.com/edoardottt/csprecon
apt install gccgo-go
apt install golang-go
go install github.com/edoardottt/csprecon/cmd/csprecon@latest
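As an added example (not code from the original post or from csprecon), the following Python extracts the hostnames a Content-Security-Policy header discloses, the same information csprecon collects: it splits the header into directives, skips keyword and scheme-only sources, normalises scheme, port, path and wildcard prefixes, and filters to the domain under review. The header value is constructed for this example.

```python
import re

# Constructed sample Content-Security-Policy header value (not taken from any real site).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://static.example.com https://cdn.example.com:8443/js/; "
    "img-src https: data: *.img.example.com img.partner-example.net; "
    "connect-src wss://ws.example.com https://api.example.com; "
    "frame-ancestors 'none'; "
    "report-uri https://csp-report.example.com/collect"
)

# Sources that are a bare scheme, not a host.
SCHEME_SOURCES = {"http:", "https:", "ws:", "wss:", "data:", "blob:", "filesystem:", "mediastream:"}

# optional scheme://, optional *. wildcard, host, optional :port or :*, optional /path
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(?:/.*)?$", re.I)

def parse_csp(header):
    """Split a CSP header value into {directive: [source tokens]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_hosts(header):
    """Return {hostname: {directives naming it}}; keywords and scheme-only sources are skipped.
    Wildcard sources are kept as '*.label' so the reader sees the whole sub-tree is allowed."""
    hosts = {}
    for directive, tokens in parse_csp(header).items():
        for tok in tokens:
            if tok.startswith("'") or tok.lower() in SCHEME_SOURCES:
                continue
            m = HOST_SOURCE.match(tok)
            if not m or "." not in m.group(2):
                continue  # single labels such as 'localhost' are not useful here
            host = (m.group(1) or "") + m.group(2).lower()
            hosts.setdefault(host, set()).add(directive)
    return hosts

def in_scope(hosts, apex):
    """Hostnames under apex; third-party CDNs and partners are left out."""
    apex = apex.lower()
    return sorted(h for h in hosts if h == apex or h.endswith("." + apex))
```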
sitemap.xml
The sitemap file sitemap.xml can disclose information:
Disclosure in the page:
Jumps in JS or HTML may hide some subdomains, which can be found with a crawler; gospider is recommended here:
https://github.com/jaeles-project/gospider
DNS zone transfer vulnerability:
A zone transfer vulnerability means that any host can pose as a secondary (backup) server and send a zone transfer request to the primary server. This is done mainly through AXFR and IXFR zone transfers:
AXFR: full zone transfer, transfers the entire zone database.
IXFR: incremental zone transfer, an optional query type that lets a secondary server fetch only the changes to a zone, for synchronising the zone copy with the source zone (which may be another primary or secondary copy maintained by a different DNS server).
You can use nslookup; here freebuf is used as a casual test target. When the vulnerability exists, ls in nslookup's interactive mode lists the zone's domain names:
You can also use dig, first use nslookup to get the server address:
nslookup -qt=NS baidu.com
dig @110.242.68.134 baidu.com
dig @110.242.68.134 -t axfr baidu.com
This is only for testing. When a zone transfer vulnerability exists, axfr pulls the full list of domain names from the primary server.
Of course, you can also test with nmap:
nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=vulhub.org" -Pn -p 53 192.168.101.152
Tool collection:
OneForAll is the project that best collects all of these functions:
https://github.com/shmilylty/OneForAll
OneForAll basically covers all the methods above, and it is also very simple and practical to use. It is recommended:
python3 oneforall.py --target dxy.cn --dns False run
A csv file will be generated, and when you open it, you can see that the scan results are relatively comprehensive:
Conclusion:
That is basically all there is to subdomain collection. Tools speed up our understanding of the assets, but we still need some understanding of the principles behind them so that we can test more flexibly in daily work.