Hunting Subdomains


Sublist3r

  • Install on Kali using apt install sublist3r

Install Sublist3r
  • Run a search using the syntax: sublist3r -d domain

Searching for subdomains to tesla.com
  • Certificate Transparency (CT) logs

    • Publicly accessible logs of every SSL/TLS certificate created for a domain name

    • The purpose is to stop malicious and mistakenly issued certificates from being used

  • Uses certificate fingerprinting

  • Searchable databases of certificates
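
Added example (not part of the original notes): a defender can use the same CT data to audit their own domain, pulling every name out of the logged certificates and flagging hosts that are missing from the asset inventory. The records are constructed sample data; the field names name_value and not_before are assumptions modelled on the JSON that CT search services such as crt.sh return, and KNOWN_HOSTS is a hypothetical inventory.

```python
import json

# Constructed sample: records shaped like the JSON a CT search service returns.
# Field names (name_value, not_before) are assumptions modelled on crt.sh output.
SAMPLE_CT_JSON = """[
 {"name_value": "www.example.com\\nexample.com", "not_before": "2024-01-10T00:00:00"},
 {"name_value": "*.dev.example.com", "not_before": "2024-02-02T00:00:00"},
 {"name_value": "VPN.Example.com.", "not_before": "2024-03-15T00:00:00"},
 {"name_value": "staging.example.com\\nwww.example.com", "not_before": "2024-03-20T00:00:00"},
 {"name_value": "example.com.evil.test", "not_before": "2024-04-01T00:00:00"}
]"""
RECORDS = json.loads(SAMPLE_CT_JSON)

# Hypothetical inventory of hosts the organisation knows it operates.
KNOWN_HOSTS = {"example.com", "www.example.com", "vpn.example.com"}


def names_from_ct(records, domain):
    """Return {hostname: earliest not_before} for names at or under `domain`."""
    domain = domain.lower().rstrip(".")
    seen = {}
    for rec in records:
        # One certificate can carry several SAN entries, newline-separated.
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard certificate: record the parent name
            # Match on a label boundary so example.com.evil.test is rejected.
            if name != domain and not name.endswith("." + domain):
                continue
            first = rec.get("not_before", "")
            if name not in seen or first < seen[name]:
                seen[name] = first
    return seen


def unknown_hosts(records, domain, inventory):
    """Names that appear in CT logs but are missing from the asset inventory."""
    return sorted(n for n in names_from_ct(records, domain) if n not in inventory)


if __name__ == "__main__":
    first_seen = names_from_ct(RECORDS, "example.com")
    for host in unknown_hosts(RECORDS, "example.com", KNOWN_HOSTS):
        print(host, "first certificate issued", first_seen[host])
```

Names that turn up here but not in the inventory are candidates for forgotten or unmanaged hosts and are worth reviewing before someone else enumerates them.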

OWASP Amass

DNS Bruteforce

  • Brute-force DNS enumeration is the method of trying different subdomains from a list of commonly used subdomains

  • dnsrecon -t brt -d TARGET_SITE
