Subdomains

  • Subdomains may host staging environments with relaxed security measures
  • Admin panels
  • Legacy/outdated apps with known vulnerabilities
  • Internal data, config files, sensitive information

  • Active Subdomain Enum:

    • Zone transfer (AXFR)
    • gobuster, dnsenum, ffuf
  • Passive Subdomain Enum:

    • Public repositories of SSL/TLS certificates (including older, expired ones)
    • Search engines (e.g. the site: operator)
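The passive approach above, as an added example that is not part of the original notes: a small Python script that parses Certificate Transparency search results in the JSON shape crt.sh returns (a constructed sample is embedded inline), restricts them to the target domain, and separates hostnames that still hold a valid certificate from those seen only on expired ones, which is where the "older" certificates point at forgotten staging or legacy hosts that belong in the asset inventory. The domain name, the sample data and the helper names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Certificate Transparency search
# result (the JSON crt.sh returns), trimmed to the two fields used here.
# Not real data for any domain; example.com is an assumption.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "staging.example.com",          "not_after": "2021-06-30T23:59:59"},
    {"name_value": "*.dev.example.com",            "not_after": "2031-03-01T00:00:00"},
    {"name_value": "Admin.Example.com",            "not_after": "2019-12-31T23:59:59"},
    {"name_value": "www.example.com",              "not_after": "2019-12-31T23:59:59"},
    {"name_value": "example.com.evil.test",        "not_after": "2030-01-01T00:00:00"},
])


def normalize_name(name):
    """Lower-case a certificate name and strip a leading wildcard label."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name


def parse_ct_entries(raw_json, base_domain):
    """Map each hostname under base_domain to the latest not_after seen for it.

    name_value may hold several SAN names separated by newlines, and the same
    host usually appears on many certificates over the years, so only the
    most recent expiry per host is kept.
    """
    base = base_domain.lower()
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for raw in entry["name_value"].splitlines():
            host = normalize_name(raw)
            if not host:
                continue
            # Suffix match on a label boundary, so "example.com.evil.test"
            # is not mistaken for a subdomain of example.com.
            if host != base and not host.endswith("." + base):
                continue
            if host not in latest or expiry > latest[host]:
                latest[host] = expiry
    return latest


def classify_hosts(latest, now):
    """Split hosts into those with a currently valid certificate and those
    seen only on expired ones; the latter are the 'older' entries worth
    checking for forgotten or legacy services."""
    active = sorted(h for h, exp in latest.items() if exp >= now)
    expired_only = sorted(h for h, exp in latest.items() if exp < now)
    return active, expired_only


def inventory_from_ct(raw_json, base_domain, now_iso=None):
    """Return (active_hosts, expired_only_hosts) for base_domain.

    now_iso is an ISO-8601 timestamp treated as UTC; defaults to the current time.
    """
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return classify_hosts(parse_ct_entries(raw_json, base_domain), now)


if __name__ == "__main__":
    active, stale = inventory_from_ct(SAMPLE_CT_JSON, "example.com")
    print("hosts with a valid certificate:", active)
    print("hosts seen only on expired certificates (review for legacy services):", stale)
```

Feeding this a real CT export for your own domain gives a quick list of names that nobody has renewed a certificate for in years, which is exactly the set that the "staging environments" and "legacy apps" bullets above warn about.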

Tools:

  • dnsenum
    • DNS record enumeration
    • Subdomain brute-forcing
    • Zone transfers
    • WHOIS lookups
    • Reverse lookups
    • Google scraping
  • Example run (--enum is a shortcut for --threads 5 -s 15 -w; -f gives the wordlist, -r recurses into discovered subdomains):
    dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

  • Using ffuf for subdomain fuzzing:

    • https://www.freecodecamp.org/news/web-security-fuzz-web-applications-using-ffuf/