How to Discover Hidden Subdomains on Any Website with Subfinder

When approaching a target, having a precise and detailed plan of attack is absolutely necessary. One of the main goals is to increase the attack surface since the more opportunities there are for exploitation, the greater the chances of success. Subdomain enumeration is one method used to increase the attack surface, and we'll be using a tool called Subfinder to discover hidden subdomains.


Subdomain Enumeration Overview


Subdomain enumeration is an indispensable, often overlooked part of the reconnaissance phase. It is basically the process of finding subdomains for any given domain or set of domains. This enumeration can often reveal many subdomains that are hidden or not publicly exposed — plus the chance of finding vulnerabilities on forgotten resources is generally much higher than on those that are more frequently tended to.


Things like admin panels, staging sites, and other internal resources are often found living on subdomains of the target. The thought is, if it is not on the main site, then it can't be found — this couldn't be further from the truth. As we'll soon find out, it's trivial for attackers to uncover hidden subdomains, increasing the attack surface and potentially finding additional vulnerabilities or other juicy information.


There are a variety of methods that attackers use to enumerate subdomains of a target. One method mines Certificate Transparency logs for information about available subdomains. This can be a stealthy approach, but the downside is that sometimes not many results are returned.
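Seen from the defending side, the same certificate logs show which of your own hostnames are publicly discoverable. The sketch below is an added example, not code from the original article or from Subfinder: it parses records shaped like the JSON output of the crt.sh search service (an assumption), and compares them against a hypothetical asset inventory to surface forgotten hosts. The sample records, `INVENTORY` and the function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output (not real data).
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "Staging.Example.com.", "not_after": "2030-06-01T00:00:00"},
    {"name_value": "old-admin.example.com", "not_after": "2019-03-01T00:00:00"},
    {"name_value": "vpn.example.com\nwww.example.com", "not_after": "2031-02-01T00:00:00"},
    {"name_value": "example.com.evil.test", "not_after": "2030-01-01T00:00:00"},
])

INVENTORY = {"example.com", "www.example.com", "vpn.example.com"}  # hypothetical asset list


def ct_names(raw_json, domain):
    """Return {hostname: latest not_after} for logged names under `domain`."""
    domain = domain.lower().rstrip(".")
    seen = {}
    for rec in json.loads(raw_json):
        expires = datetime.fromisoformat(rec["not_after"])
        # One certificate can list several names, newline-separated.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard only tells us the parent zone exists
            # Match on a label boundary so example.com.evil.test is rejected.
            if name != domain and not name.endswith("." + domain):
                continue
            if name not in seen or expires > seen[name]:
                seen[name] = expires
    return seen


def untracked(raw_json, domain, inventory, now):
    """Hosts visible in CT but missing from the inventory, split by cert validity."""
    live, expired = [], []
    for name, expires in sorted(ct_names(raw_json, domain).items()):
        if name in inventory:
            continue
        (live if expires > now else expired).append(name)
    return live, expired


if __name__ == "__main__":
    live, expired = untracked(SAMPLE_CT_JSON, "example.com", INVENTORY, datetime(2025, 1, 1))
    print("untracked, certificate still valid:", live)
    print("untracked, certificate expired:", expired)
```

Hosts in the first list deserve attention first: they are absent from the inventory yet still hold a valid certificate, which is the profile of a forgotten staging site or admin panel.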


An ..
