Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Get subdomains via additional recon (Search Engine, Alternative Sources) #33

Open
creolis opened this issue Jan 27, 2016 · 2 comments
Open

Get subdomains via additional recon (Search Engine, Alternative Sources) #33

creolis opened this issue Jan 27, 2016 · 2 comments

Comments

@creolis
Copy link

creolis commented Jan 27, 2016

This is more or less linked to #31, as it is just another idea to get
more hostnames during the recon process :)

Google and Bing:
Scrape Google and Bing using the site: modifier. Example: "site:foo.com"
Parse the result set for individual subdomains.

Also:

AXFR: maybe a Zone transfer is possible, which would result in a comprehensive list of returns and therefore you can back off from brute force and safe time at that point :)

DNSSEC aware zones could be prone to zone walking, which is another great way to get a list of hosts in a considerable amount of time.

A rather "active" approach (which involves direct connections) could be to access each found host on port 80, retrieve the standard vhost and the vhost you found and look if you get a HTTP 302 Redirection - it may include further hints to other subdomains.
@TheRook
Copy link
Owner

TheRook commented Jan 27, 2016

Subbrute tries an axfr against every authoritative ns record, because one
of the servers maybe misconfigured.

As for non-dns methods, the next major version will open the flood gates
for custom discovery.

On Wednesday, January 27, 2016, Daniel Haslinger notifications@github.com
wrote:

This is more or less linked to #31
#31, as it is just another
idea to get
more hostnames during the recon process :)

Google and Bing:
Scrape Google and Bing using the site: modifier Example: "site:foocom"
Parse the result set for individual subdomains

Also:

AXFR: maybe a Zone transfer is possible, which would result in a
comprehensive list of returns and therefore you can back off from brute
force and safe time at that point :)

DNSSEC aware zones could be prone to zone walking, which is another great
way to get a list of hosts in a considerable amount of time

A rather "active" approach (which involves direct connections) could be to
access each found host on port 80, retrieve the standard vhost and the
vhost you found and look if you get a HTTP 302 Redirection - it may include
further hints to other subdomains


Reply to this email directly or view it on GitHub
#33.

@creolis
Copy link
Author

creolis commented Jan 27, 2016

Ah :) Didn't realize it already does axfr because I did not see an option switch for that, but I must admit I didn't look at the sources yet. Next major will be exciting then :-)

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TheRook @creolis