Some Tools for Subdomain Enumeration
Hello guys, Prajit here from the BUG XS Team, and a Cybersecurity and Red Team Intern at Cyber Sapiens United LLP. In this internship I am regularly given some interesting tasks. For my fifth task, I was asked to research different tools for subdomain enumeration and some dorks for finding sensitive information.
Part-A : Tools for Subdomain Enumeration
1. Cero: Cero connects to remote hosts and reads domain names from the certificates presented during the TLS handshake. Cero allows flexible specification of targets, including domain names, IP addresses, and CIDR ranges, with full support for IPv6. This is one of the best tools when it comes to enumerating subdomains from a CIDR range.
Link: https://github.com/glebarez/cero
Command: cero cidr-ip
Image of Working:
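To show what Cero is doing under the hood, here is an added example (not Cero's own code, and not from the original post) that uses only the Python standard library: expand a target spec into hosts, open a TLS connection to each, and collect the DNS names from the certificate's subject and subjectAltName. It is written for auditing address ranges you own, to find which hostnames your own certificates expose. The `SAMPLE_PEERCERT` value is a constructed sample in the shape `getpeercert()` returns, so the name-extraction part runs offline; the live scan path requires network access. One caveat worth knowing: with `verify_mode = ssl.CERT_NONE`, `getpeercert()` returns an empty dict, so the example keeps verification on and only disables the hostname check; a self-signed certificate will raise and would need a DER parser (for example the third-party `cryptography` package) instead.

```python
"""Inventory hostnames exposed in TLS certificates across an address range.

Added example, not Cero's code: it mirrors the technique Cero automates
(read DNS names from the certificate presented during the TLS handshake),
using only the Python standard library.
"""
import ipaddress
import socket
import ssl
from typing import Dict, List, Set


def expand_targets(spec: str) -> List[str]:
    """Expand a hostname, single IP, or CIDR range into a list of hosts to probe."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return [spec]  # not an address or range: treat it as a plain hostname
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(ip) for ip in net.hosts()]


def names_from_peercert(cert: Dict) -> Set[str]:
    """Extract DNS names from the dict returned by ssl.SSLSocket.getpeercert()."""
    names: Set[str] = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":  # skip IP Address / email entries
            names.add(value.lower())
    return names


def fetch_peercert(host: str, port: int = 443, timeout: float = 3.0) -> Dict:
    """Connect to host:port and return the parsed peer certificate."""
    ctx = ssl.create_default_context()
    # We connect by IP, so the name in the cert will not match the target;
    # disable the hostname check but keep chain verification, because with
    # CERT_NONE getpeercert() returns {} and no names can be read.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def scan(spec: str, port: int = 443) -> Dict[str, Set[str]]:
    """Return {host: names} for every host in spec that presented a usable cert."""
    found: Dict[str, Set[str]] = {}
    for host in expand_targets(spec):
        try:
            names = names_from_peercert(fetch_peercert(host, port))
        except (OSError, ssl.SSLError):
            continue  # closed port, timeout, or a certificate we could not verify
        if names:
            found[host] = names
    return found


# Constructed sample in the exact shape getpeercert() returns (not a real cert).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "api.example.com"),
        ("DNS", "*.dev.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live mode: python cert_names.py 192.0.2.0/28
        for host, names in scan(sys.argv[1]).items():
            print(host, ",".join(sorted(names)))
    else:
        # Offline mode: show extraction on the constructed sample.
        print(sorted(names_from_peercert(SAMPLE_PEERCERT)))
```

Wildcard entries such as `*.dev.example.com` are kept as-is because they tell you a whole sub-zone exists even when no individual host under it is listed; note that a certificate issued by a public CA for one of your own services can still list a forgotten staging name, which is exactly the kind of exposure this inventory is meant to catch.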
2. Amass: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. This is one of the best tools for subdomain enumeration, as it pulls domains from the widest set of sources. It also offers active and passive modes for subdomain enumeration; passive mode is usually preferred, as it sends no requests to the target's servers.
Link: https://github.com/OWASP/Amass
Command: amass enum -passive -d hedera.com
Image of Working:
Special Tip: You can add API keys for the various data sources in the config file at /root/.config/amass/config.ini.
This will help you get subdomains more accurately from different sources.
3. Spyse: With Spyse, pentesters can check endpoints for vulnerabilities, including subdomains in development environments, technical domains open to the public, and much more. The free version shows up to 50 subdomains.
Link: https://spyse.com/tools/subdomain-finder
Image of Working:
4. Github-Subdomains: Just as Google can be used to gather subdomains, github-subdomains can be used to gather subdomains from GitHub.
Link: https://github.com/gwen001/github-subdomains
Command: github-subdomains -d hedera.com -t TOKENSFILE
Image of Working:
Part-B : Google Dorks for Sensitive Information Disclosure
1. inurl:pastebin "SHODAN_API_KEY"
This is used to find private Shodan API keys on Pastebin.
2. intitle:"index of" "/.git/config"
This is used to find exposed git config files, which can be used to retrieve further sensitive information by applying git-dumper.
3. intitle:"index of" ".ssh/authorized_keys"
This is used to find SSH keys, which can then be used to access the server terminal and take control.
4. intitle:"index of" "docker-compose.yaml"
This file sometimes contains sensitive information such as credentials and secret keys.
5. intext:api_key filetype:log
This helps to find log files which contain API keys.
6. site:*/phpinfo.php intitle:"phpinfo()"
This is used to find exposed phpinfo.php files, which sometimes contain sensitive information as well as the exact PHP version.
7. DB_USERNAME filetype:env
This is used to find .env files, which contain sensitive credentials and information.
8. inurl:old "index of" "wp-config.php"
This is used to find exposed config files containing sensitive data.
9. inurl:wp-content/debug.log
This is used to find the WordPress debug log file.
10. +intext:"AWSTATS DATA FILE" filetype:txt
Used to find AWS secret files.
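Every dork above works because a file that should never be web-reachable ended up inside a web root, usually alongside a directory listing. The quickest defence is to audit your own web roots for the same file names before a search engine indexes them. The script below is an added example (not part of the original post) that walks a directory the way a crawler would see it and flags the file names and path fragments mirrored from the dorks in this write-up, including backup copies such as `wp-config.php.bak`; the pattern lists are my own choices, and `demo()` builds a constructed sample web root in a temporary directory so it runs offline.

```python
"""Audit a web root for the files the dorks above hunt for.

Added example, not from the original post: the patterns below are taken
from the dork list in this write-up plus common backup suffixes.
"""
import os
import tempfile
from typing import List

# Exact file names that should never sit inside a web root.
EXACT_NAMES = {".env", "phpinfo.php", "wp-config.php",
               "docker-compose.yaml", "docker-compose.yml"}
# Path fragments matched against the end of the relative path.
PATH_SUFFIXES = (".git/config", ".ssh/authorized_keys", "wp-content/debug.log")
# Extensions matched on the file name (intext:api_key filetype:log).
EXTENSIONS = (".log",)
# Backup / leftover suffixes (the inurl:old "wp-config.php" case).
BACKUP_SUFFIXES = (".old", ".bak", ".orig", "~")


def is_sensitive(relpath: str) -> bool:
    """True if a web-root-relative path matches one of the dork patterns."""
    rel = relpath.replace(os.sep, "/")
    name = rel.rsplit("/", 1)[-1]
    if name in EXACT_NAMES or rel.endswith(PATH_SUFFIXES) or name.endswith(EXTENSIONS):
        return True
    # wp-config.php.bak, .env.old and similar leftovers from edits or deploys
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and name[: -len(suffix)] in EXACT_NAMES:
            return True
    return False


def audit_webroot(webroot: str) -> List[str]:
    """Walk webroot and return sorted relative paths of sensitive files."""
    findings: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if is_sensitive(rel):
                findings.append(rel)
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed sample web root in a temp dir and audit it."""
    sample_files = [
        "index.php", "assets/logo.png",          # harmless
        ".env", ".git/config", "api/phpinfo.php",
        "old/wp-config.php", "wp-config.php.bak",
        "wp-content/debug.log", "backup/.ssh/authorized_keys",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_files:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
        return audit_webroot(root)


if __name__ == "__main__":
    import sys

    # Usage: python audit_webroot.py /var/www/html   (defaults to the demo tree)
    results = audit_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel in results:
        print("EXPOSED:", rel)
```

Run it against the real document root and fix each hit by moving the file out of the web root or denying it in the web server configuration; also turn directory listing off, since the `intitle:"index of"` dorks rely on it. A finding here is a stronger signal than a dork hit, because it catches the file before it is indexed.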
That is all for today's write-up.
Thanks for reading!
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/