A basic noob level guide for enumerating subdomains. Bash commands are missing in the ppt!

1. Enumerating Subdomains
Aadarsh

2. What is this about?
lMany a times it is a pain to figure out, how the hell
did he find this url to find the bug!
lDuring a professional security testing the phase is
called Reconnaissance.
lGetting as much additional information as
possible about the target.

3. What is DNS?
lDNS stands for domain name system
lDatabase responsible for storing all of the
information pertaining to IP addresses and domain
names
lBacked up by thousands of separate DNS servers
and stored on single root DNS servers

4. Lookup
lDatabase previously mentioned is called WHOis
database
lGive a domain name -> Get an IP Address (and if
possible other details) is a lookup

5. Reverse Lookup
lReverse DNS lookup is to obtain site registration
information of that IP address (if there is any)
lIf we type 216.58.197.46 into browser, we will be
redirected to the site.
lWell known stuffs!

6. lDiscovered hosts may be virtual web hosts on a
single web server
l(OR)
lMay be distinct hosts on IP addresses

7. Easy way!
lGoogle Dorks!
lSite:google.com -inurl:www
lThis are already automated and there are tools for
this. Example: recon-ng , a tool for
reconnaissance.

8. Subbrute
lA python script
lA sample result:
lThis brute forces the prefix

9. nmap
lnmap --script dns-brute --script-args dns-
brute.domain=facebook.com,dns-brute.threads=6
lnmap -p 80 --script dns-brute.nse facebook.com

10. Other ways
lNetcraft
lDnsrecon
lDNSenum
ldnscan

11. On a different note
lS3 bucket discovery a recent finding of mine.
lfor url in $(cat list.txt);do curl
$url.s3.amazonaws.com;done
l7 google's buckets were open.

12. lThank you!