simplectf

SUBDOMAIN ENUMERATION USING SUBFINDER AND AMASS

15 July 2024







Introduction:

Subdomain enumeration is a crucial step in the process of assessing and securing web applications. By identifying and analyzing all subdomains associated with a target domain, security professionals can uncover potential vulnerabilities and entry points for malicious actors. This process helps to ensure that no hidden subdomains are overlooked during security assessments.

Subfinder and Amass are two powerful tools commonly used for subdomain enumeration. Each offers unique features and capabilities that, when used in conjunction, provide comprehensive and accurate results.

Subfinder

Subfinder is a fast and reliable subdomain discovery tool written in Go. It is designed to enumerate subdomains using passive online sources and is known for its speed and simplicity. Key features of Subfinder include:

  • Extensive Source Coverage: Subfinder integrates with a wide range of sources, including public archives, search engines, and various APIs, ensuring thorough subdomain discovery.

  • High Performance: Leveraging Go’s concurrency, Subfinder delivers high-speed results without compromising accuracy.

  • Ease of Use: The tool offers a straightforward command-line interface, making it accessible to both beginners and experienced security professionals.

To use Subfinder, simply run the following command:

$ subfinder -d example.com
$ subfinder -all -d domain-name -o output-filename1 -silent

Amass

Amass is another robust subdomain enumeration tool, known for its comprehensive approach and advanced capabilities. It uses both passive and active methods to discover subdomains, making it a versatile choice for thorough reconnaissance. Key features of Amass include:

  • Hybrid Enumeration: Amass combines passive data sources with active enumeration techniques, such as DNS queries and brute-forcing, to maximize subdomain discovery.

  • Graph Database: Amass employs a graph database to organize and visualize relationships between subdomains, IP addresses, and other relevant data.

  • Customization and Extensibility: The tool provides extensive configuration options and supports custom scripts, allowing users to tailor the enumeration process to their specific needs.

To use Amass, execute the following command:

$ amass enum -d example.com
$ amass enum -d domain-name | awk '$2 == "(FQDN)" {print $1}' > output-filename2

Combining Subfinder, Amass and Httpx

For the most effective subdomain enumeration, it is recommended to use Subfinder and Amass together. By combining the strengths of both tools, security professionals can achieve a more comprehensive and accurate understanding of the target domain’s subdomain landscape.

Now, to find live subdomains, we will use httpx.

cat outputfile | httpx -status-code -location -fc 404 -ss > finaloutputfile

Conclusion

In conclusion, subdomain enumeration using Subfinder and Amass is an essential practice for any security professional. By leveraging these powerful tools, organizations can enhance their security posture, identify potential vulnerabilities, and protect their web applications from malicious threats.