Find Subdomains and Systems Exposed to Web Attacks
Contents of the Report
Use Cases for Subdomain Scanner
Find all subdomains with the Subdomain Scanner. The tool gives organizations an overview of their web assets: it detects the server version exposed by each subdomain, and it does so faster than comparable tools.
Subdomain Scanner therefore shows the organization which server versions should be updated to the latest release, so that a known weakness can be closed before an attacker tries to use it.
The Subdomain Scanner lets organizations see where an attacker might launch a web attack after gathering information on a target website hosted on another subdomain, one that may be less secure than the main site. Development, test, backup and other lesser-known web applications are usually an easy entry point for attackers.
The Subdomain Scanner thus lets organizations view the same information from an attacker's perspective. For example, organizations can use the tool to identify which subdomains return a server/software banner containing the service name and version. Developers can then fix the issue by configuring that web server not to return a banner when it is scanned.
An organization with many web applications can easily lose track of websites it owns. A scan with the Subdomain Scanner lets the organization check whether its 'official' list of Internet-facing web assets matches reality.
The organization can then identify and decommission any website that is unnecessary and should no longer be publicly reachable. Legacy systems and unmaintained websites left on the Internet give attackers a chance to break into the web server and steal sensitive data without the organization noticing.
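The two checks just described, reconciling scan output against the official asset list and flagging version-disclosing banners, are straightforward to automate. The following is an added example, not code from the Subdomain Scanner or its vendor; the scan results and the inventory are constructed sample data, and the hostnames are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed scan output: subdomain -> value of the HTTP "Server" response
# header (None where the host answered without one). Not real data.
SCAN_RESULTS = {
    "www.example.com": "nginx",
    "admin.example.com": "Apache/2.4.29 (Ubuntu)",
    "repo.example.com": "nginx/1.14.0",
    "old-shop.example.com": "Microsoft-IIS/7.5",
    "customer.example.com": None,
}

# Constructed "official" inventory of Internet-facing web assets.
OFFICIAL_INVENTORY = {"www.example.com", "admin.example.com", "customer.example.com"}

# A banner discloses a version when it carries a dotted number such as "2.4.29".
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    detail: str


def leaks_version(banner):
    """True if a Server banner exposes a product version (e.g. 'nginx/1.14.0')."""
    return bool(banner) and VERSION_RE.search(banner) is not None


def unknown_assets(scan_hosts, inventory):
    """Hosts the scan found that the official inventory does not list."""
    return sorted(set(scan_hosts) - set(inventory))


def build_report(scan_results, inventory):
    """Combine both checks into one list of findings, inventory gaps first."""
    findings = []
    for host in unknown_assets(scan_results, inventory):
        findings.append(Finding(host, "not in inventory", "review; decommission if unneeded"))
    for host, banner in sorted(scan_results.items()):
        if leaks_version(banner):
            findings.append(Finding(host, "version disclosure", banner))
    return findings


if __name__ == "__main__":
    for f in build_report(SCAN_RESULTS, OFFICIAL_INVENTORY):
        print(f"{f.host:24} {f.issue:20} {f.detail}")
```

A bare product name such as `nginx` is not flagged, only banners that include a version. On the server side the banner is suppressed with `server_tokens off;` in nginx and `ServerTokens Prod` (together with `ServerSignature Off`) in Apache httpd; rerunning the scan afterwards confirms the fix.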
When a web developer wants to uncover vulnerabilities, subdomain enumeration can reveal a lot of hidden or forgotten subdomains. Most organizations will have multiple subdomains that serve different purposes according to the business process of the organization itself.
For instance, some organizations could have different admin and customer portals that might be accessed publicly via URL, such as admin.example.com or customer.example.com. Sometimes, an organization might even have a hidden repository portal, such as repo.example.com, that could be less secure and contain sensitive information.
The Subdomain Scanner has two types of scans, which are Quick Scan and Full Scan.
What services are available under Quick Scan?
Quick Scan resolves the target's DNS records and performs DNS enumeration.
What services are available under Full Scan?
Full Scan performs all the services of Quick Scan, with these additional capabilities:
- Check certificate transparency
- Check HTML links
- Analyse SSL certificates
- Gather data from Google and Bing search engines
- Perform Rapid7 Project Sonar
- Perform reverse DNS enumeration
- Conduct Smart DNS search
| Scan type | Services |
|---|---|
| Quick Scan | DNS resolution on the record and DNS enumeration |
| Full Scan | Everything in Quick Scan, plus: check for any known vulnerabilities on the server; check certificate transparency; check HTML links; analyse SSL certificates; gather data from Google and Bing search engines; perform Rapid7 Project Sonar; perform reverse DNS enumeration; conduct Smart DNS search |
How does it work?
A target domain name is the parameter to be scanned by the Subdomain Scanner. The tool uses multiple techniques to discover subdomains such as:
Gathering the DNS Records (NS, MX, TXT, AXFR)
DNS records map each subdomain to its IP address (or to another name). The tool therefore requests a DNS zone transfer (AXFR) from the target's name servers in order to gather all the records in the zone at once.
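When a name server does answer a zone transfer, the response is a list of records in master-file format, and every owner name, NS target, MX target and CNAME target in it is a hostname worth inventorying. The parser below is an added example, not the Subdomain Scanner's code; the zone text is a constructed sample, and the record layout assumed is the standard `owner TTL class type rdata` line format.

```python
# Constructed zone-transfer output for example.com in master-file format, as a
# name server returns it over AXFR. Not a real zone; glue A records for the
# name servers are deliberately omitted.
ZONE_TEXT = """\
example.com.             3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.             3600  IN  NS    ns1.example.com.
example.com.             3600  IN  NS    ns2.example.com.
example.com.             3600  IN  MX    10 mail.example.com.
example.com.             3600  IN  TXT   "v=spf1 include:_spf.example.com -all"
www.example.com.         300   IN  A     192.0.2.10
admin.example.com.       300   IN  A     192.0.2.20
repo.example.com.        300   IN  CNAME git-backend.example.com.
git-backend.example.com. 300   IN  A     192.0.2.21
mail.example.com.        300   IN  A     192.0.2.30
"""

# Record types whose RDATA names another host, and the index of that name
# within the RDATA fields (MX carries a preference number first).
TARGET_TYPES = {"SOA": 0, "NS": 0, "MX": 1, "CNAME": 0}


def parse_zone(text):
    """Yield (owner, rtype, rdata_fields) per record line; comments are ignored."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields[0].rstrip(".").lower()
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if not rest:
            continue
        yield owner, rest[0].upper(), rest[1:]


def hostnames_from_zone(text, domain):
    """Every hostname under `domain` that appears as an owner name or as the
    target of a SOA/NS/MX/CNAME record. The apex itself is excluded."""
    domain = domain.lower()
    suffix = "." + domain
    hosts = set()
    for owner, rtype, rdata in parse_zone(text):
        if owner == domain or owner.endswith(suffix):
            hosts.add(owner)
        idx = TARGET_TYPES.get(rtype)
        if idx is not None and len(rdata) > idx:
            target = rdata[idx].rstrip(".").lower()
            if target.endswith(suffix):
                hosts.add(target)
    hosts.discard(domain)
    return sorted(hosts)


if __name__ == "__main__":
    for host in hostnames_from_zone(ZONE_TEXT, "example.com"):
        print(host)
```

Note that `ns1` and `ns2` are recovered from the NS and SOA records even though the sample zone carries no A records for them, and `git-backend` is recovered from the CNAME target. A zone transfer should normally be refused to anyone but secondary name servers (`allow-transfer` in BIND); running the scanner against your own domain is a quick way to confirm that it is.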
Performing DNS enumeration based on a specially chosen wordlist
The wordlist contains the common subdomain names that are usually in use. The tool brute-forces subdomains by trying each name in the wordlist one by one and keeping those that return a response when requested.
Querying on public search engines
The Subdomain Scanner will run queries on public search engines, such as Google or Bing, and gain the subdomains based on the results. For instance, if we type “site:example.com” on Google Search, we may find any associated subdomains in the search results.
Applying word mutation techniques
The tool mutates the common subdomain names by changing some of the letters within a name or by changing the order of the words that make it up.
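The wordlist brute-force and the word-mutation step above share one loop: build a candidate list, then resolve each candidate. The code below is an added example rather than the scanner's own implementation. It uses a constructed nine-word list and a constructed stand-in for DNS so that it runs offline, and the mutations it generates (pairwise reordering of labels and digit suffixes) are one simplified reading of the mutation step the text describes.

```python
import itertools

# Constructed wordlist of common labels; real tools ship lists of thousands.
WORDLIST = ["www", "mail", "dev", "test", "admin", "api", "staging", "backup", "repo"]

# Constructed stand-in for DNS: the labels that "exist" under the target domain.
# Replace fake_resolve with a real resolver (e.g. socket.gethostbyname) to use it live.
FAKE_ZONE = {"www", "mail", "admin", "api", "dev-api", "api2", "test-admin", "repo"}


def fake_resolve(fqdn):
    """Return True if the constructed zone contains the first label of fqdn."""
    label = fqdn.split(".", 1)[0]
    return label in FAKE_ZONE


def mutate(labels, separators=("-", ""), digits=range(1, 3)):
    """Expand a label list with reordered pairs (dev-api, apidev, ...) and
    digit suffixes (api1, api2). Base labels come first; duplicates are dropped."""
    out = list(labels)
    seen = set(out)

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for a, b in itertools.permutations(labels, 2):
        for sep in separators:
            add(f"{a}{sep}{b}")
    for a in labels:
        for d in digits:
            add(f"{a}{d}")
    return out


def enumerate_subdomains(domain, labels, resolve=fake_resolve):
    """Brute-force step: try every candidate label, keep those that resolve."""
    found = []
    for label in labels:
        fqdn = f"{label}.{domain}"
        if resolve(fqdn):
            found.append(fqdn)
    return found


if __name__ == "__main__":
    plain = enumerate_subdomains("example.com", WORDLIST)
    mutated = enumerate_subdomains("example.com", mutate(WORDLIST))
    print(f"wordlist only: {len(plain)} hits, with mutations: {len(mutated)} hits")
    for fqdn in mutated:
        print(fqdn)
```

Against the constructed zone the plain wordlist finds five hosts and the mutated list finds eight; the extra three (`dev-api`, `test-admin`, `api2`) are exactly the kind of development and versioned hosts the use-case section describes. The candidate count grows quadratically with the wordlist (171 candidates from 9 words here), so real runs are rate-limited and deduplicated.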
Searching in SSL certificates
Websites that use wildcard SSL certificates allow the tool to find associated subdomains. By inspecting the SSL certificate, the tool gathers the subdomains that share the same wildcard SSL certificate.
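The names a certificate covers live in its Common Name and Subject Alternative Name fields, and Python's `ssl` module returns them in a plain dictionary. The example below is added here and is not the scanner's code; `SAMPLE_CERT` is a constructed certificate in the layout that `ssl.SSLSocket.getpeercert()` produces, so the demo runs offline, while `fetch_peer_cert` shows the live call for use against your own hosts.

```python
import socket
import ssl

# Constructed certificate in the dict layout returned by getpeercert();
# not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "admin.example.com"),
        ("DNS", "*.dev.example.com"),
        ("DNS", "cdn.example-static.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper: open a TLS connection and return the parsed peer certificate.
    Not exercised by the offline demo."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def names_from_cert(cert):
    """All DNS names the certificate is valid for: CN plus SAN 'DNS' entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def subdomains_from_cert(cert, domain):
    """Names under `domain`, split into concrete hostnames and wildcard patterns.
    Names under other domains (shared CDN certs etc.) are ignored."""
    suffix = "." + domain.lower()
    concrete, wildcards = set(), set()
    for name in names_from_cert(cert):
        if not name.endswith(suffix):
            continue
        (wildcards if name.startswith("*.") else concrete).add(name)
    return sorted(concrete), sorted(wildcards)


if __name__ == "__main__":
    hosts, patterns = subdomains_from_cert(SAMPLE_CERT, "example.com")
    print("hosts:", hosts)
    print("wildcards:", patterns)
```

A wildcard entry such as `*.dev.example.com` does not name individual hosts, but it does confirm that a `dev` namespace exists, which is useful input for the wordlist step described earlier.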
Parsing HTML links
This tool performs website crawling on the target domain to find if any HTML links (href) are pointing to another hostname instead of the same hostname. For example, www.example.com might have an HTML link to admin.example.com. However, this technique will only find the subdomain if it is inside the HTML href attribute.
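Extracting those cross-host links needs only an HTML parser and URL resolution, which also makes the limitation in the last sentence concrete: a hostname that appears only in an `<img src>` is not found. The code below is an added example, not the scanner's crawler; the page body is a constructed sample served from the hypothetical `www.example.com`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page body as www.example.com might serve it; not a real site.
SAMPLE_HTML = """
<html><body>
  <a href="/about">About</a>
  <a href="https://admin.example.com/login">Admin</a>
  <a href="//repo.example.com/">Repository</a>
  <a href="https://www.example.com/contact">Contact</a>
  <a href="https://cdn.example-static.net/app.js">Assets</a>
  <img src="https://images.example.com/logo.png">
  <a href="mailto:ops@example.com">Mail</a>
</body></html>
"""


class HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def hosts_from_hrefs(html, page_url, domain):
    """Hostnames under `domain`, other than the page's own host, that <a href>
    links point to. Relative links resolve to the page host and are skipped."""
    parser = HrefCollector()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for href in parser.hrefs:
        host = urlsplit(urljoin(page_url, href)).hostname
        if not host:
            continue  # mailto:, javascript: and similar schemes
        host = host.lower()
        if host != own_host and (host == domain or host.endswith(suffix)):
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    print(hosts_from_hrefs(SAMPLE_HTML, "https://www.example.com/", "example.com"))
```

The scheme-relative `//repo.example.com/` link is resolved against the page URL, so it is found like an absolute one; `images.example.com`, referenced only through `<img src>`, is not, which is the gap the text points out.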
Reverse DNS lookup on target IP ranges
The Subdomain Scanner will perform reverse DNS lookup on the target IP ranges to find the subdomains that might be residing on the target IP range and get the subdomains through the PTR record in the DNS.
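A reverse sweep walks each address in a range, asks DNS for its PTR record, and keeps the answers that fall under the target domain. The following is an added example and not the scanner's implementation; the PTR data is constructed so the demo runs offline, and `live_ptr_lookup` shows the real system-resolver call for checking your own ranges.

```python
import ipaddress
import socket

# Constructed PTR answers standing in for the reverse zone; not real data.
FAKE_PTR = {
    "192.0.2.10": "www.example.com",
    "192.0.2.20": "admin.example.com",
    "192.0.2.21": "git-backend.example.com",
    "192.0.2.22": "shared-host.hosting-provider.net",
}


def fake_ptr_lookup(ip):
    """Offline stand-in: PTR name for ip, or None when there is none."""
    return FAKE_PTR.get(str(ip))


def live_ptr_lookup(ip):
    """Real lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(str(ip))[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_query_name(ip):
    """The name DNS is actually asked for, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_sweep(cidr, domain, lookup=fake_ptr_lookup):
    """Query the PTR of every host address in `cidr` and return {ip: name}
    for the names that end in `domain`. Names under other domains are dropped."""
    network = ipaddress.ip_network(cidr, strict=False)
    suffix = "." + domain.lower()
    found = {}
    for ip in network.hosts():
        name = lookup(ip)
        if name and name.lower().endswith(suffix):
            found[str(ip)] = name.lower()
    return found


if __name__ == "__main__":
    for ip, name in reverse_sweep("192.0.2.0/27", "example.com").items():
        print(f"{ip:15} {ptr_query_name(ip):28} -> {name}")
```

The sweep above finds the three hosts under `example.com` and discards the hosting provider's generic PTR, which is the filtering the text describes. A PTR only exists where the owner of the address space has published one, so reverse lookup complements rather than replaces the forward enumeration techniques.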