Cheatography

subdomain-enumeration Cheat Sheet (DRAFT) by

A cheat sheet on esoteric sub-domain enumeration techniques

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Certificate Transparency logs - search engines

Extracting sub-domains from Rapid7 FDNS dataset

$ zcat <dataset_name> | jq -r 'if (.name | test("\\.example\\.com$")) then .name else empty end'
$ zcat 20170204-fdns.json.gz | jq -r 'if (.name | test("\\.example\\.com$")) then .name else empty end'
The dataset is one JSON object per line with name, type and value fields. Escape the dots and anchor the pattern with $: the leading \. keeps notexample.com out, the $ keeps www.example.com.evil.test out, and the apex example.com itself is not returned, only names below it.
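The same filter as the jq one-liner, written as an added Python example (not part of the cheat sheet) so the anchoring can be checked against constructed FDNS-style lines. It goes one step beyond the jq version by also looking at the value field of CNAME and NS records, which often names hosts that have no record of their own; the sample records, the hypothetical hosts and the choice of CNAME/NS as "name-valued" types are assumptions made for the example.

```python
import json
import re

# Constructed sample in the shape of Rapid7 FDNS records (one JSON object per
# line with timestamp/name/type/value). Not real dataset content; a real file
# is gzip-compressed, so open it with gzip.open(path, "rt") instead.
SAMPLE_FDNS = """\
{"timestamp":"1486166400","name":"www.example.com","type":"a","value":"93.184.216.34"}
{"timestamp":"1486166400","name":"MAIL.example.com","type":"a","value":"93.184.216.35"}
{"timestamp":"1486166400","name":"dev.internal.example.com","type":"cname","value":"lb-7.cloud.example.net"}
{"timestamp":"1486166400","name":"notexample.com","type":"a","value":"203.0.113.9"}
{"timestamp":"1486166400","name":"example.com","type":"ns","value":"ns1.example.com"}
{"timestamp":"1486166400","name":"www.example.com.evil.test","type":"a","value":"198.51.100.7"}
this line is not JSON and must not abort the run
"""

# Record types whose value field holds a host name rather than an address
# (assumption for this example; extend it, e.g. with mx, once you have checked
# how the dataset formats that record's preference field).
NAME_VALUED_TYPES = {"cname", "ns"}

def under_domain(domain):
    """Compile the same test the jq one-liner uses: a leading escaped dot plus a
    trailing anchor. '\\.example\\.com$' matches a.example.com but neither
    notexample.com nor www.example.com.evil.test, and not the apex itself."""
    return re.compile(r"\." + re.escape(domain) + r"$", re.IGNORECASE)

def subdomains_of(domain, lines):
    """Return the set of lowercased names strictly below `domain` found in the
    name field, plus (beyond the jq filter) in the value field of CNAME/NS
    records."""
    pattern = under_domain(domain)
    found = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort a multi-GB scan
        candidates = [rec.get("name", "")]
        if rec.get("type", "").lower() in NAME_VALUED_TYPES:
            candidates.append(rec.get("value", ""))
        for host in candidates:
            if pattern.search(host):
                found.add(host.lower())
    return found

if __name__ == "__main__":
    for host in sorted(subdomains_of("example.com", SAMPLE_FDNS.splitlines())):
        print(host)
```

On the sample above the function returns www, mail, dev.internal and ns1 under example.com; notexample.com, the apex and the look-alike under evil.test are all rejected.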
 

Zone walking - NSEC

$ ldns-walk @<nameserver> <domain>
$ ldns-walk @ns1.insecuredns.com insecuredns.com
Installing ldns utilities
$ sudo apt-get install ldnsutils # On Ubuntu/Debian
$ yum install ldns # On Redhat/CentOS
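What ldns-walk is doing, as an added Python simulation (not ldns's code and not part of the cheat sheet): every name in an NSEC-signed zone has an NSEC record whose "next" field points to the following owner in canonical order, and the last one points back to the apex, so following the chain lists the whole zone. The chain here is a constructed dict standing in for live NSEC queries; the zone, names and ordering are assumptions for the example.

```python
def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1): labels are
    compared from the root leftwards, case-insensitively, as raw bytes."""
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]

# Constructed NSEC chain for a hypothetical zone, not real DNS data: owner -> next
# owner. Every signed name appears exactly once and the last entry wraps to the
# apex, which is what makes the zone enumerable by walking.
ZONE = "insecuredns.com."
NSEC_CHAIN = {
    "insecuredns.com.": "api.insecuredns.com.",
    "api.insecuredns.com.": "db.internal.insecuredns.com.",
    "db.internal.insecuredns.com.": "mail.insecuredns.com.",
    "mail.insecuredns.com.": "www.insecuredns.com.",
    "www.insecuredns.com.": "insecuredns.com.",  # last NSEC points back to the apex
}

def nsec_next(owner):
    """Stand-in for querying <owner> NSEC with +dnssec: returns the next owner
    name, or None when the name has no NSEC record (unsigned zone, NSEC3 in use,
    or the name does not exist)."""
    return NSEC_CHAIN.get(owner)

def walk_nsec(apex, lookup, max_steps=100000):
    """Follow the NSEC chain from the apex and return every owner seen, in chain
    order. Stops when the chain returns to the apex, hits a name without NSEC,
    or revisits a name, so a broken or malicious chain cannot loop forever."""
    seen, visited, current = [], set(), apex
    for _ in range(max_steps):
        if current in visited:
            break
        visited.add(current)
        seen.append(current)
        nxt = lookup(current)
        if nxt is None or nxt == apex:
            break
        current = nxt
    return seen

def chain_is_canonical(names):
    """True if consecutive names (ignoring the final wrap) are in canonical order;
    an out-of-order link means the walk skipped or fabricated something."""
    keys = [canonical_key(n) for n in names]
    return all(a < b for a, b in zip(keys, keys[1:]))

if __name__ == "__main__":
    names = walk_nsec(ZONE, nsec_next)
    print("canonical order:", chain_is_canonical(names))
    for n in names:
        print(n)
```

Against a real server, replace nsec_next with a DNS query for the current name's NSEC record and read its next-owner field; the loop and the ordering check stay the same.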

Zone transfer

$ dig AXFR @<nameserver> <domain>
$ dig AXFR @ns1.insecuredns.com insecuredns.com
 

Zone walking - NSEC3 - nsec3walker

$ ./collect insecuredns.com > insecuredns.com.collect
$ ./unhash < insecuredns.com.collect > insecuredns.com.unhash
Installing nsec3walker on Ubuntu 16.04:
$ wget https://dnscurve.org/nsec3walker-20101223.tar.gz
$ tar -xzf nsec3walker-20101223.tar.gz
$ cd nsec3walker-20101223
$ make

Calculating NSEC3 hash for a domain

$ ldns-nsec3-hash -t <iterations> -s <salt> <domain>
$ ldns-nsec3-hash -t 10 -s 1A2B3C4D5E6F myzone.example.com
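The hash that ldns-nsec3-hash prints, and the reason nsec3walker's unhash step works, as one added Python example (not the cheat sheet's, ldns's or nsec3walker's code): RFC 5155 hashes the lowercased wire-format name with SHA-1, re-hashes the digest with the salt the configured number of times, and encodes the result in base32hex. Because the zone publishes its salt and iteration count, anyone can hash candidate names offline and match them against collected NSEC3 owner hashes. The zone, salt, names and wordlist in the demo are constructed for the example.

```python
import base64
import binascii
import hashlib

def dns_wire_name(name):
    """Wire-format encoding of a domain name, lowercased, because RFC 5155 s5
    hashes the canonical form: 'Example.COM.' -> b'\\x07example\\x03com\\x00'."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("invalid label in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def base32hex(data):
    """RFC 4648 base32 with the extended-hex alphabet, the encoding used for
    NSEC3 owner names. A 20-byte SHA-1 digest is exactly 32 characters, no
    padding. Output is lowercased; NSEC3 owner names are case-insensitive."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()

def nsec3_hash(name, salt_hex, iterations):
    """NSEC3 hash, algorithm 1 (SHA-1), the only one RFC 5155 defines:
    IH(0) = SHA1(wire_name || salt), IH(k) = SHA1(IH(k-1) || salt),
    result = base32hex(IH(iterations)). Takes the same salt (hex, or '-' for
    none) and iteration count that ldns-nsec3-hash takes with -s and -t."""
    salt = b"" if salt_hex in ("", "-") else binascii.unhexlify(salt_hex)
    digest = hashlib.sha1(dns_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def unhash(collected, zone, salt_hex, iterations, candidate_labels):
    """The idea behind nsec3walker's unhash step: hash each <label>.<zone> guess
    with the zone's own salt and iterations and keep the ones equal to a
    collected NSEC3 owner hash. Returns {hash: recovered name}."""
    targets = {h.lower() for h in collected}
    recovered = {}
    for label in candidate_labels:
        fqdn = "%s.%s" % (label, zone.rstrip("."))
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in targets:
            recovered[h] = fqdn
    return recovered

if __name__ == "__main__":
    # Same inputs as the cheat sheet's ldns-nsec3-hash example.
    print(nsec3_hash("myzone.example.com", "1A2B3C4D5E6F", 10))
    # Constructed stand-in for a .collect file: owner hashes of three names in a
    # hypothetical zone, as an NSEC3 walk would have gathered them.
    zone, salt, iters = "insecuredns.com", "aabbccdd", 12
    collected = {nsec3_hash(n + "." + zone, salt, iters) for n in ("www", "mail", "vpn")}
    for h, n in sorted(unhash(collected, zone, salt, iters, ["ftp", "www", "dev", "mail"]).items()):
        print(h, n)
```

Before relying on it against a real zone, compare nsec3_hash with ldns-nsec3-hash on the same name, salt and iteration count (comparing case-insensitively), and read the salt and iterations from the zone's NSEC3PARAM record rather than guessing them.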