# Introduction

- Subdomains are extensions of the main domain, often created to organize and separate different sections or functionalities of a website
- For example, a company might use `blog.example.com` for its blog, `shop.example.com` for its online store, or `mail.example.com` for its email services
- Subdomains often host valuable information and resources that aren't directly linked from the main website, such as:
    - Development and staging environments
    - Hidden login portals
    - Legacy apps
    - Sensitive info

# Subdomain Enumeration

- Subdomains are typically represented by A or AAAA records, which map the subdomain name to its corresponding IP address
- CNAME records may also be used to create aliases for subdomains, pointing them to other domains or subdomains
- Subdomain enumeration approaches
    - Active enum:
        - DNS zone transfer
        - Brute-force enum with `dnsenum`, `ffuf`, or `gobuster`
    - Passive enum:
        - Certificate transparency (CT) logs
        - Google dork techniques like `site:xxx`

## Subdomain Brute-forcing

- Common tools

|Tool|Description|
|---|---|
|[dnsenum](https://github.com/fwaeytens/dnsenum)|Comprehensive DNS enumeration tool that supports dictionary and brute-force attacks for discovering subdomains.|
|[fierce](https://github.com/mschwager/fierce)|User-friendly tool for recursive subdomain discovery, featuring wildcard detection and an easy-to-use interface.|
|[dnsrecon](https://github.com/darkoperator/dnsrecon)|Versatile tool that combines multiple DNS reconnaissance techniques and offers customisable output formats.|
|[amass](https://github.com/owasp-amass/amass)|Actively maintained tool focused on subdomain discovery, known for its integration with other tools and extensive data sources.|
|[assetfinder](https://github.com/tomnomnom/assetfinder)|Simple yet effective tool for finding subdomains using various techniques, ideal for quick and lightweight scans.|
|[puredns](https://github.com/d3mondev/puredns)|Powerful and flexible DNS brute-forcing tool, capable of resolving and filtering results effectively.|

```bash
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r
```

![[images/Pasted image 20251027145129.png]]

## DNS Zone Transfers

![[images/Pasted image 20251027142144.png]]

- Zone transfers are designed for replicating DNS records between name servers
    - Essentially a copy of all DNS records within a zone
    - A crucial process for consistency and redundancy across DNS servers
- While zone transfers are essential for legitimate DNS mgmt, a misconfigured DNS server can turn this process into a significant vuln
    - The core issue lies in the access controls governing who can initiate a zone transfer

```bash
dig axfr @nsztm1.digi.ninja zonetransfer.me # insert the target's @nameserver or @DNS_server
```

![[images/Pasted image 20251027145050.png]]

## VHosts

- Virtual hosts (vhosts) correspond to the ability of web servers to distinguish between multiple websites or applications sharing the same IP address
- This is achieved by leveraging the `HTTP Host` header, a piece of information included in every `HTTP` request sent by a web browser
- The primary difference between vhosts and subdomains is their relationship to DNS and the web server's configuration
    - Subdomains = extensions of a main domain name (e.g., `blog.example.com` is a subdomain of `example.com`)
        - Typically have their own `DNS records`, pointing to either the same IP address as the main domain or a different one
        - Used to organize different sections or services of a website
    - Vhosts = configurations within a web server that allow multiple websites or applications to be hosted on a single server
        - Can be associated with TLDs or subdomains
        - Each vhost can have its own separate configuration, enabling precise control over how requests are handled
- If a vhost does not have a DNS record, you can still access it by modifying the `/etc/hosts` file on the Kali host, which bypasses DNS resolution
- Websites often have subdomains that are not public and won't appear in DNS records
    - Such subdomains are only accessible internally or through specific configurations
- VHost fuzzing is a technique to discover public and non-public subdomains and vhosts by testing various hostnames against a known IP address

### Types of Virtual Hosting

1. Name-Based: This method relies solely on the `HTTP Host header` to distinguish between websites. It is the most common and flexible method, as it doesn't require multiple IP addresses. It's cost-effective, easy to set up, and supports most modern web servers. However, it requires the web server to support name-based `virtual hosting` and can have limitations with certain protocols like `SSL/TLS`.
2. IP-Based: This type of hosting assigns a unique IP address to each website hosted on the server. The server determines which website to serve based on the IP address to which the request was sent. It doesn't rely on the `Host header`, can be used with any protocol, and offers better isolation between websites. Still, it requires multiple IP addresses, which can be expensive and less scalable.
3. Port-Based: Different websites are associated with different ports on the same IP address. For example, one website might be accessible on port 80, while another is on port 8080.
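The Host header selection that name-based virtual hosting relies on, as an added example that is not part of the original notes: a toy resolver in Python with a constructed vhost table (the hostnames, bodies and the names `normalize_host`, `handle_request` and `looks_like_hit` are all assumptions). It shows why a catch-all default vhost answers every unknown hostname with the same body, and therefore the same size, and how a strict configuration that rejects unknown Host values leaves nothing to compare against.

```python
# Added example (not code from the original notes): a minimal name-based
# virtual host resolver showing how a web server picks a site from the HTTP
# Host header and what happens when the Host matches no configured vhost.
# The vhost table, hostnames and bodies below are constructed for illustration.

# Constructed vhost table: hostname -> body the server would serve
VHOSTS = {
    "www.example.com": "<h1>Public site</h1>",
    "dev.example.com": "<h1>Dev portal: reachable by Host header, not via DNS</h1>",
}
DEFAULT_BODY = "<h1>It works!</h1>"  # catch-all page served on a miss


def normalize_host(host_header):
    """Canonicalise a Host header the way name-based matching does: drop
    whitespace, case, an optional :port and a trailing dot."""
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):               # IPv6 literal such as [::1]:8080
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:                      # hostname:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def handle_request(host_header, strict=False):
    """Return (status, vhost_name, body) for a request carrying host_header.

    strict=False mirrors the common default: an unknown Host falls through to
    the catch-all vhost, so every miss has the same body and the same length.
    That constant length is what a fuzzer filters out (ffuf -fs), so any
    hostname producing a different length stands out as a real vhost.
    strict=True answers unknown hostnames with 421 Misdirected Request and an
    empty body instead, so no default site is exposed to guessed names.
    """
    host = normalize_host(host_header)
    if host in VHOSTS:
        return 200, host, VHOSTS[host]
    if strict:
        return 421, None, ""
    return 200, None, DEFAULT_BODY


def looks_like_hit(status, body, baseline_len=len(DEFAULT_BODY)):
    """What a fuzzer sees on the wire: a 200 whose size differs from the
    catch-all baseline (the -fs value) is reported as a discovered vhost."""
    return status == 200 and len(body) != baseline_len
```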
### Vhost lookup

![[images/Pasted image 20251027143434.png]]

### Vhost Discovery Tools

|Tool|Description|Features|
|---|---|---|
|[gobuster](https://github.com/OJ/gobuster)|A multi-purpose tool often used for directory/file brute-forcing, but also effective for virtual host discovery.|Fast, supports multiple HTTP methods, can use custom wordlists.|
|[Feroxbuster](https://github.com/epi052/feroxbuster)|Similar to Gobuster, but with a Rust-based implementation, known for its speed and flexibility.|Supports recursion, wildcard discovery, and various filters.|
|[ffuf](https://github.com/ffuf/ffuf)|Another fast web fuzzer that can be used for virtual host discovery by fuzzing the `Host` header.|Customizable wordlist input and filtering options.|

- `gobuster` example

```bash
gobuster vhost -u http://inlanefreight.htb:<port> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain
# --append-domain flag appends the base domain to each word in the wordlist
```

![[images/Pasted image 20251027144926.png]]

- `ffuf` example

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://inlanefreight.htb:PORT -H "Host: FUZZ.inlanefreight.htb" -fs 116
# change the filter size (-fs) to the size of the default response seen in the output, so that responses of that size are hidden
```

![[images/Pasted image 20251027144946.png]]
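Detection of vhost fuzzing from the server side, as an added example not taken from the notes: runs like the `gobuster vhost` and `ffuf` commands above show up in access logs as a burst of requests from one client with many distinct Host values that match no configured site. The log format, the log lines and the served-host set are constructed for illustration, and the script assumes the server records the Host header (for example nginx `$host` or Apache `%{Host}i` in a custom log format).

```python
import re
from collections import defaultdict

# Added example (not from the original notes): spotting Host-header fuzzing in
# web server access logs. Format, log lines and served hosts are constructed.

# Constructed format: <client_ip> <host_header> "<request line>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample: one client walking a wordlist against the catch-all vhost
# (every miss is the same 116-byte page), one typo, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 admin.example.com "GET / HTTP/1.1" 200 116
203.0.113.9 dev.example.com "GET / HTTP/1.1" 200 116
203.0.113.9 staging.example.com "GET / HTTP/1.1" 200 116
203.0.113.9 mail.example.com "GET / HTTP/1.1" 200 116
203.0.113.9 vpn.example.com:8080 "GET / HTTP/1.1" 200 116
192.0.2.7 wwww.example.com "GET / HTTP/1.1" 200 116
198.51.100.4 www.example.com "GET /about HTTP/1.1" 200 5120
"""

SERVED_HOSTS = {"www.example.com", "example.com"}  # vhosts actually configured


def parse_log(text):
    """Yield one dict per line matching the constructed format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def unknown_host_activity(text, served_hosts=SERVED_HOSTS):
    """Per client IP, the set of Host values that match no configured vhost.
    Many distinct unknown names from a single IP is the signature of a wordlist
    being pushed through the Host header (gobuster vhost / ffuf -H "Host: ...")."""
    unknown = defaultdict(set)
    for rec in parse_log(text):
        host = rec["host"].lower().rstrip(".").split(":")[0]  # drop any :port
        if host not in served_hosts:
            unknown[rec["ip"]].add(host)
    return unknown


def flag_fuzzers(text, threshold=5, served_hosts=SERVED_HOSTS):
    """IPs that sent at least `threshold` distinct unknown Host values, sorted,
    for alerting or rate limiting; a single typo stays below the threshold."""
    return sorted(ip for ip, names in unknown_host_activity(text, served_hosts).items()
                  if len(names) >= threshold)
```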