One of the first critical steps in an organization’s attack surface assessment is subdomain enumeration. This process discovers all subdomains under a main domain, often revealing hidden, forgotten, or internal services that might be vulnerable.
In this guide, we expand on your initial methods and include additional powerful tools and techniques, using juice-shop.herokuapp.com (an intentionally vulnerable web app) and alternative domains like demo.testfire.net and www.webscantest.com for testing.
1. Certificate Transparency (CT) Logs – Passive Enumeration
CT logs publicly record all issued SSL/TLS certificates, including those for subdomains. Querying these logs provides subdomain info without direct network interaction.
Python example querying crt.sh:
import requests
def query_crt_sh(domain):
url = f"https://crt.sh/?q=%.{domain}&output=json"
response = requests.get(url)
try:
subdomains = [result['name_value'] for result in response.json()]
return list(set(subdomains))
except:
return []
subdomains = query_crt_sh("juice-shop.herokuapp.com")
print("Discovered Subdomains via CT Logs:")
for sub in subdomains:
print(sub)Output for this single-instance app may be limited but for larger domains it yields many results.
Other CT sources worth checking:
- Censys.io (search certificates)
- Facebook’s CT tools
- Google Transparency Report
2. Dictionary Brute-Force with Sublist3r
Sublist3r uses a keyword list of common subdomains and multiple OSINT sources (search engines, VirusTotal, crt.sh, etc.) to enumerate subdomains.
Installation & usage:
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt
python sublist3r.py -d juice-shop.herokuapp.comSample output (hypothetical):
[*] Enumerating subdomains for juice-shop.herokuapp.com
[-] Subdomains found:
admin.juice-shop.herokuapp.com
dev.juice-shop.herokuapp.com
api.juice-shop.herokuapp.com3. OSINT with Google Dorks
Google’s advanced search operators can reveal subdomains indexed publicly.
Sample Google dork:
site:*.juice-shop.herokuapp.com -site:juice-shop.herokuapp.comCheck results for any staging, test, or API subdomains.
4. OWASP Amass – Comprehensive Enumeration
Amass is a powerful open-source tool that combines passive data from multiple sources with active DNS probing and brute-forcing. It supports API integrations (VirusTotal, Shodan, Censys) and provides detailed reporting.
Usage example:
amass enum -d juice-shop.herokuapp.com -o amass_results.txtYou can use passive only with -passive flag or active scanning for more subdomains.
5. Subfinder – Fast OSINT Enumeration
Subfinder, by ProjectDiscovery, is another popular automated tool that aggregates subdomain data from a variety of passive sources with good output formatting.
Example:
subfinder -d juice-shop.herokuapp.com -o subfinder_output.txt6. DNS Resolver Brute-Force Tools
In addition to Sublist3r, tools like massdns and dnsenum can brute-force subdomains by querying large wordlists against DNS with resolvers optimized for speed.
- Massdns example:
massdns -r resolvers.txt -t A -o S -w massdns_results.txt wordlist.txt7. Recon-ng – Modular Recon Framework
Recon-ng offers modules for subdomain enumeration via various APIs and passive sources, with an interactive console like Metasploit.
Quick usage:
recon-ng
> marketplace install subdomains-hosts
> modules load recon/domains-hosts/bing_domain_web
> set SOURCE juice-shop.herokuapp.com
> runBest Practices & Additional Tips
- Combine multiple methods and tools for comprehensive coverage.
- Always verify discovered subdomains with
ping,nslookup, orcurlto check if they resolve and respond. - Respect legal boundaries and scope — avoid unintentional attacks and abide by
robots.txtand authorization constraints. - For more extensive environments, tools like Assetfinder, Knockpy, and Findomain offer efficient subdomain harvesting.
- Use API keys (where available) for enhanced enumeration with services like VirusTotal, Censys, Shodan, etc.
Testing Targets Suggestions
- juice-shop.herokuapp.com: Great for hands-on practice with OWASP Juice Shop.
- demo.testfire.net: Classic vulnerable banking web app with multiple subdomains.
- www.webscantest.com: Designed for web security tool testing.
- zero.webappsecurity.com: Practice environment from OWASP WebGoat project.
With these additional tools and tips, you have a more complete arsenal for effective subdomain enumeration, a crucial initial step in footprinting and attack surface management in penetration testing.
Happy hunting! 🚀
