Subdomain Discovery & Analysis

Expanding attack surface through comprehensive subdomain enumeration

Subdomain Types & Classifications

Infrastructure Subdomains

mail.*              Email servers (Exchange, Postfix)
ftp.*               File transfer servers
dns.*               DNS servers
ns1./ns2.*          Name servers
mx1./mx2.*          Mail exchange servers

Application Subdomains

www.*                     Web servers
api.*                     API endpoints
dev./test./staging.*      Development environments
admin./management.*       Administrative interfaces
portal./dashboard.*       User portals

Service-Specific Subdomains

vpn.*               VPN access points
remote.*            Remote access services
citrix.*            Citrix environments
exchange.*          Microsoft Exchange
sharepoint.*        SharePoint servers

Subdomain Discovery Tools

Amass - Comprehensive Enumeration

# Comprehensive subdomain enumeration
amass enum -active -brute -d target.com -o subdomains.txt

Certificate Transparency

# Certificate transparency lookup
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Brute Force Discovery

# Subdomain brute force with gobuster
gobuster dns -d target.com -w /usr/share/SecLists/Discovery/DNS/fierce-hostlist.txt

# Sublist3r with brute force
sublist3r -d target.com -b -t 100

Additional Tools

# Assetfinder
assetfinder --subs-only target.com

# Findomain
findomain -t target.com

# DNS enumeration with dnsrecon
dnsrecon -d target.com -D /usr/share/wordlists/dnsmap.txt -t brt

Subdomain Analysis Workflow

# 1. Collect subdomains from multiple sources
amass enum -d target.com > amass.txt
sublist3r -d target.com -o sublist3r.txt
assetfinder --subs-only target.com > assetfinder.txt

# 2. Merge and deduplicate (name the inputs explicitly so a re-run does not
#    pull all_subdomains.txt back into itself)
cat amass.txt sublist3r.txt assetfinder.txt | sort -u > all_subdomains.txt

# 3. Check which are alive
httprobe < all_subdomains.txt > live_subdomains.txt

# 4. Screenshot all live subdomains
cat live_subdomains.txt | aquatone -ports 80,443,8080,8443

# 5. Content discovery on each
#    httprobe emits URLs (http://host), so the slashes must be stripped
#    before the value is used in an output file name
while read -r subdomain; do
  echo "Scanning $subdomain"
  safe_name=$(echo "$subdomain" | sed 's#[^A-Za-z0-9.-]#_#g')
  gobuster dir -u "$subdomain" -w /usr/share/wordlists/dirb/common.txt -o "gobuster_${safe_name}.txt"
done < live_subdomains.txt

Advanced Subdomain Techniques

DNS Zone Walking

# DNSSEC zone walking
ldns-walk target.com

# DNSRecon zone walking
dnsrecon -d target.com -t zonewalk

Reverse DNS Lookups

# Reverse DNS on IP ranges
for ip in $(seq 1 254); do
  dig -x "192.168.1.$ip" +short
done

# Mass reverse DNS
masscan -pU:53 192.168.1.0/24 | grep "Discovered open port" | awk '{print $6}' | while read -r ip; do dig -x "$ip" +short; done

Certificate Transparency Mining

# Multiple CT log sources
curl -s "https://crt.sh/?q=%.target.com&output=json"
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com"

# Historical certificate data
curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[].name_value' | grep -Po '(\w+\.)*target\.com' | sort -u

Search Engine Discovery

# Google dorking for subdomains
site:*.target.com -www
site:target.com inurl:subdomain

# Bing and other search engines
site:target.com -site:www.target.com

Subdomain Validation and Analysis

HTTP Response Analysis

# Analyze HTTP responses
while read -r subdomain; do
  echo "=== $subdomain ==="
  curl -s -I "$subdomain" | head -10
  echo ""
done < live_subdomains.txt

Technology Stack Detection

# Technology fingerprinting
while read -r subdomain; do
  echo "=== $subdomain ==="
  whatweb "$subdomain"
  echo ""
done < live_subdomains.txt

SSL Certificate Analysis

# SSL certificate inspection
# live_subdomains.txt holds URLs from httprobe, so strip the scheme before
# connecting, and send SNI so virtual-hosted servers return the right cert
while read -r subdomain; do
  host=${subdomain#*://}
  host=${host%%/*}
  echo "=== $host ==="
  echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null | openssl x509 -noout -text | grep -E "(Subject:|DNS:)"
  echo ""
done < live_subdomains.txt

Subdomain Monitoring and Changes

Continuous Monitoring

Subdomain Monitoring Strategy:
  • Set up automated daily/weekly subdomain discovery
  • Monitor certificate transparency logs for new certificates
  • Track changes in DNS records and IP assignments
  • Alert on new subdomains or changes in existing ones
  • Maintain historical data for trend analysis
#!/bin/bash
# Subdomain monitoring script
DOMAIN="target.com"
DATE=$(date +%Y%m%d)

# Current subdomain discovery (sorted, so diff compares content rather than
# the order in which the tool happened to print results)
amass enum -d "$DOMAIN" | sort -u > "subdomains_$DATE.txt"

# Compare with previous scan
if [ -f "subdomains_previous.txt" ]; then
  diff subdomains_previous.txt "subdomains_$DATE.txt" > "changes_$DATE.txt"
  if [ -s "changes_$DATE.txt" ]; then
    echo "New subdomains discovered!" | mail -s "Subdomain Changes" admin@company.com
  fi
fi
cp "subdomains_$DATE.txt" subdomains_previous.txt
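The same monitoring cycle in Python, fed by the crt.sh JSON feed from the Certificate Transparency section above. This is an added example, not code from the original page; the JSON below is a constructed sample in the shape crt.sh returns (a name_value field may carry several SANs separated by newlines), and the previous inventory is likewise constructed.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape crt.sh returns for ?output=json (not real
# certificate data): name_value can carry several SANs separated by newlines,
# wildcard names are common, and case is not normalised.
CRT_SH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "www.target.com\ntarget.com", "not_before": "2024-01-05T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "*.dev.target.com", "not_before": "2024-02-10T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "VPN.Target.com", "not_before": "2024-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "nottarget.com", "not_before": "2024-03-02T00:00:00"},
])


def names_from_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Extract in-scope hostnames from crt.sh JSON.

    Same intent as the jq | sed | sort -u pipeline, with two additions:
    newline-separated SANs are split, and scope is checked on a label
    boundary so nottarget.com is not kept by a substring match.
    """
    names: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host == domain or host.endswith("." + domain):
                names.add(host)
    return names


def diff_inventory(previous: Set[str], current: Set[str]) -> Dict[str, List[str]]:
    """Report what appeared and what vanished since the last run; comparing
    sets avoids the spurious diffs that unordered tool output produces."""
    return {"new": sorted(current - previous), "removed": sorted(previous - current)}


def monitor(raw_json: str, known: Set[str], domain: str = "target.com") -> Dict[str, List[str]]:
    """One monitoring cycle: pull names from CT and compare with the inventory."""
    return diff_inventory(known, names_from_crtsh(raw_json, domain))


if __name__ == "__main__":
    previous = {"target.com", "www.target.com", "mail.target.com"}  # constructed inventory
    print(monitor(CRT_SH_SAMPLE, previous))
```

A certificate for a name that is not in the inventory (dev.target.com and vpn.target.com here) is exactly the alert the monitoring strategy above calls for, whether it means a forgotten host or an unauthorised issuance.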

Subdomain Takeover Detection

# Check for subdomain takeovers
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -c subjack-fingerprints.json

# SubOver for subdomain takeovers
python3 subover.py -l subdomains.txt
Subdomain Takeover Indicators:
  • CNAME records pointing to unclaimed services
  • 404 errors on subdomains with active DNS records
  • Third-party service error messages
  • Unclaimed cloud resources (S3 buckets, Azure blobs)
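The first indicator above, a CNAME chain that ends at a name nobody answers for, can be checked directly from DNS data without any fingerprint file. This is an added example, not code from the original page or from subjack/SubOver; the CNAME and address records below are constructed, with placeholder vendor domains, and the lookup function is a stand-in for live dig queries.

```python
from typing import Dict, List, Optional, Tuple

# Constructed DNS data (not real). CNAME targets use placeholder vendor
# domains; in practice each lookup is a live query (dig or dnspython).
CNAMES: Dict[str, str] = {
    "shop.target.com": "shop-target.vendor-a.example",
    "docs.target.com": "docs-target.storage.vendor-b.example",
    "old.target.com": "old-target.vendor-c.example",
    "www.target.com": "target-com.cdn.vendor-d.example",
    "loop.target.com": "loop2.target.com",
    "loop2.target.com": "loop.target.com",
}
# Names that currently answer with an address record (constructed).
A_RECORDS: Dict[str, str] = {
    "shop-target.vendor-a.example": "198.51.100.5",
    "target-com.cdn.vendor-d.example": "198.51.100.9",
}


def lookup(name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (cname_target, address); both None means NXDOMAIN."""
    return CNAMES.get(name), A_RECORDS.get(name)


def classify(subdomain: str, max_hops: int = 8) -> Tuple[str, str]:
    """Follow the CNAME chain and return (verdict, last name reached).

    'dangling': a hop returns nothing at all, the classic takeover indicator
    'loop'    : the chain never terminates
    'ok'      : the chain ends at an address
    """
    name, seen = subdomain, set()
    for _ in range(max_hops):
        if name in seen:
            return "loop", name
        seen.add(name)
        cname, addr = lookup(name)
        if cname:
            name = cname
            continue
        return ("ok" if addr else "dangling"), name
    return "loop", name


def dangling_subdomains(names: List[str]) -> List[Tuple[str, str]]:
    """Subdomains whose chain ends at a name nobody answers for."""
    found = []
    for n in names:
        verdict, target = classify(n)
        if verdict == "dangling":
            found.append((n, target))
    return found
```

An NXDOMAIN target is the strong signal; a target that still resolves but serves the provider's "unclaimed" page needs the fingerprint check the tools above perform, and the fix in either case is to delete or repoint the CNAME.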

Cloud and CDN Subdomain Discovery

Cloud Service Enumeration

# AWS S3 bucket enumeration
aws s3 ls s3://target-company-
aws s3 ls s3://company-target-

# Google Cloud Storage
gsutil ls gs://target-*
gsutil ls gs://*-target*

# Azure Blob Storage
az storage container list --account-name targetcompany

CDN Edge Discovery

# CDN edge server discovery
dig target.com
dig cdn.target.com
dig static.target.com

# Cloudflare specific
dig target.com @1.1.1.1
dig target.com @8.8.8.8

Wildcard Domain Handling

Wildcard Detection

# Test for wildcard DNS
dig random123456.target.com
dig nonexistent.target.com

# Wildcard filtering in tools
amass enum -d target.com -norecursive -noalts

Subdomain Bruteforcing with Wildcards

# Handle wildcards in gobuster
gobuster dns -d target.com -w /usr/share/wordlists/dnsmap.txt --wildcard

# MassDNS with wildcard resolution
massdns -r resolvers.txt -t A -o S subdomains.txt | grep -v "wildcard"
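The wildcard test and the filtering step from the two sections above, as one routine: resolve a few random labels, take the addresses they share as the wildcard answer, and drop candidates that return exactly that record set. This is an added example, not code from the page or from any of the tools named; the zone and the resolver are constructed stand-ins for dig/massdns.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, List, Set

# A resolver maps a hostname to its A records; an empty set means NXDOMAIN.
Resolver = Callable[[str], FrozenSet[str]]

# Constructed zone (not real data): *.target.com is a wildcard answering
# 203.0.113.10, and three real hosts have their own records.
_FAKE_ZONE = {
    "www.target.com": frozenset({"203.0.113.20"}),
    "api.target.com": frozenset({"203.0.113.21"}),
    "mail.target.com": frozenset({"203.0.113.10"}),  # real, but on the wildcard address
}


def fake_resolve(host: str) -> FrozenSet[str]:
    """Stand-in for dig/massdns so the logic runs offline."""
    if host in _FAKE_ZONE:
        return _FAKE_ZONE[host]
    if host.endswith(".target.com"):
        return frozenset({"203.0.113.10"})  # wildcard answer
    return frozenset()


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """The dig random123456.target.com check, repeated: addresses shared by
    random labels nobody created are the wildcard answer."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        answers.append(set(resolve(f"{label}.{domain}")))
    return set.intersection(*answers) if answers else set()


def filter_wildcard(candidates: List[str], domain: str, resolve: Resolver) -> Dict[str, Set[str]]:
    """Keep candidates whose answer differs from the wildcard record set.
    Caveat: a real host parked on the wildcard address (mail.target.com here)
    is indistinguishable by A records alone, so such hosts must come into the
    inventory from other sources (CT logs, zone data)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    kept: Dict[str, Set[str]] = {}
    for host in candidates:
        ips = set(resolve(host))
        if ips and ips != wildcard_ips:
            kept[host] = ips
    return kept
```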

Reporting and Documentation

Subdomain Categorization

Critical Assets         Admin panels, databases, internal tools
Development/Testing     Staging, dev, test environments
Public Services         Web apps, APIs, customer portals
Infrastructure          Mail, DNS, VPN, monitoring

Risk Assessment Matrix

Subdomain Risk Factors:
  • Exposure Level: Internal vs. public-facing
  • Sensitivity: Data handled or systems accessed
  • Authentication: Login requirements and strength
  • Patch Level: Software versions and known vulnerabilities
  • Network Position: Access to internal networks

Integration with Attack Planning

Attack Surface Expansion

#!/bin/bash
# Attack surface analysis script
echo "=== SUBDOMAIN ATTACK SURFACE ANALYSIS ==="
echo "1. Total Subdomains Discovered: $(wc -l < all_subdomains.txt)"
echo "2. Live Subdomains: $(wc -l < live_subdomains.txt)"
echo "3. Web Applications: $(grep -c 'HTTP' http_responses.txt)"
echo "4. Admin Interfaces: $(grep -iE '(admin|manage|control)' all_subdomains.txt | wc -l)"
echo "5. Development Sites: $(grep -iE '(dev|test|staging)' all_subdomains.txt | wc -l)"
High-Priority Subdomain Targets:
  • Development and staging environments (often less secure)
  • Administrative interfaces and panels
  • API endpoints and microservices
  • Internal tools and monitoring systems
  • Legacy applications and forgotten subdomains