For penetration testing, the collection of subdomain names can not only improve the information but also expand the attack surface.
This article introduces 5 methods of seed domain name mining
Table of contents
1. Subdomain mining tool
This article shares two subdomain mining tools, jump links:
2. Third-party websites
1) Online subdomain blasting website: http://z.zcjun.com/
2)VT:virustotal.com
VirusTotal is a website that provides free suspicious file analysis, URL analysis and other services.
Enter the official website and click search
the module, enter the main domain name and press Enter. Click RELATIONS
the module on the scan results page to view the subdomain name:
3)DNSdumpster:dnsdumpster.com
DNSdumpster is a free domain name research tool that can be used to find hosts related to domain names.
After entering the domain name and pressing Enter, the scan results will appear below:
Downloadable scan results:
3. Search engine
1) Baidu
grammar:
site:xxx.com
2) Bing
site:xxx.com
4. Certificate Transparency Discovery Subdomain Name
crt.sh:https://crt.sh
5. DNS domain transfer vulnerability discovery subdomain name
DNS zone transfer refers to a backup server using data from the main server to refresh its own zone database. The purpose is to do redundant backup and prevent DNS resolution from being unavailable when the main server fails. However, the main server does not control the access to the backup server for requests, and responds to the identity verification, so this vulnerability occurs.
The dns-zone-transfer in Vulhub is a DNS domain transfer vulnerability, and readers can reproduce it by themselves.
1)nslookup
Basic principles and usage reference of nslookup: [Network Security | Information Collection] Judgment and Bypass of CDN, Basic Use of nslookup | CSDN@Qiu Shuo
for example:
2) Linux commands
- Send a dns request to obtain the A record of the domain name on the target dns server
dig @yourip xxx.com
- Send axfr type dns request
dig @yourip -t axfr xxx.com
3)dnswalk
The dnswalk tool can use DNS zone transfers to obtain the complete DNS records for a specific domain name. It requests the full DNS zone of a domain name from the primary DNS server and analyzes and displays all records after receiving the response. This is helpful for identifying potential DNS configuration issues, finding hidden subdomains, and conducting security assessments.
4)dnsenum
dnsenum
It is a multifunctional DNS enumeration tool that can perform various DNS query and enumeration operations, such as obtaining host names from domain name servers, enumerating subdomains, listing MX records, etc.dnsenum
You can also try to guess a domain name or subdomain name by using a dictionary file.