Conference notes: Esoteric subdomain enumeration techniques (LevelUp 2017)

Posted in Conference notes on April 25, 2018

Hi, these are the notes I took while watching the “Esoteric subdomain enumeration techniques” talk given by Bharath Kumar at LevelUp 2017.

Common subdomain enumeration techniques:

  • Google dorking
  • Using specialized search engines like VirusTotal
  • Dictionary based enumeration
  • Subdomain bruteforce
  • ASN discovery

Esoteric subdomain enumeration techniques

  • Certificate transparency (CT)
  • DNSSEC zone walking
  • DNS zone transfer
  • Passive recon using public datasets

Certificate transparency


Zone walking NSEC

  • Zone walking using NSEC records is similar to DNS zone transfer
  • It extracts all subdomains of a given domain from its NSEC records
  • Tools:
    • ldns-walk
      • aptitude install ldnsutils (to install ldns-walk)
      • ldns-walk <target_domain>
      • ldns-walk @ns-server <target_domain>
    • dig
      • dig +short NSEC <target_domain> | awk '{print $1;}'

Zone walking NSEC3

  • Zone walking using NSEC3 records
  • Difference between NSEC & NSEC3:
    • NSEC3 records provide a signed gap of hashes of domain names
    • NSEC records provide a signed gap of domain names
  • Steps for NSEC3 zone walking:
    • Collect NSEC3 hashes of a domain
    • Crack the hashes offline
  • Tools:
    • nsec3walker (collect & unhash):

wget https://dnscurve.org/nsec3walker-20101223.tar.gz
tar -xzf nsec3walker-20101223.tar.gz
cd nsec3walker-20101223

./collect icann.org > icann.org.collect                                  # To collect hashes
./unhash < icann.org.collect > icann.org.unhash                          # To crack hashes
grep "icann" icann.org.unhash | awk '{print $2;}' | sed 's/\.$//'        # To extract subdomains found
grep -c "icann" icann.org.unhash                                         # To get the number of subdomains found

    • Hashcat or JohnTheRipper (to crack the hashes)
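To make the "collect hashes, then crack them offline" steps concrete, here is an added example (not from the talk or from nsec3walker) that computes NSEC3 owner-name hashes as RFC 5155 specifies and runs a small dictionary-style unhash over them; the zone name, salt, iteration count, label list and "collected" hashes are constructed assumptions, and the one real value checked is the hash of "example." from RFC 5155 Appendix A. It shows why a zone with a low iteration count and guessable labels leaks its names even though NSEC3 only publishes hashes.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648), as NSEC3 owner names use
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form: lowercased, length-prefixed labels, terminated by the root label."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash (algorithm 1 = SHA-1): H(name || salt), then re-hash with the salt
    'iterations' more times. A salt of "-" in presentation format means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding; NSEC3 names are lowercase
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def unhash(collected, zone: str, candidates, salt_hex: str, iterations: int) -> dict:
    """Offline dictionary step: hash each candidate label under the zone's NSEC3 parameters
    and report the ones that match a collected hash. Returns {hash: fqdn}."""
    found = {}
    for label in candidates:
        fqdn = f"{label}.{zone}" if label else zone
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in collected:
            found[h] = fqdn
    return found


if __name__ == "__main__":
    # Constructed NSEC3PARAM values for a hypothetical zone (not a real deployment)
    ZONE, SALT, ITER = "example.com", "0badcafe", 10
    # Constructed stand-in for ./collect output: hashes of names we pretend not to know yet
    collected = {nsec3_hash(f"{n}.{ZONE}", SALT, ITER) for n in ("www", "mail", "vpn")}
    wordlist = ["www", "ftp", "mail", "dev", "vpn", "staging"]   # constructed wordlist
    for h, fqdn in sorted(unhash(collected, ZONE, wordlist, SALT, ITER).items()):
        print(h, fqdn)
```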

DNS zone transfer

  • Tool:
    • dig
      • dig AXFR @ns1.iitk.ac.in. iitk.ac.in
  • Common in internal networks
  • Sometimes mitigations like IP-based filtering are used to restrict zone transfers to specific source IPs, but this can be bypassed: on internal pentests, pretend to be the secondary nameserver by spoofing its IP address, initiate a zone transfer & sniff the zone data

Passive reconnaissance

Using public datasets

  • Scans.io & Project Sonar by Rapid7 gather Internet-wide scan data including port scans & DNS records
  • There are a lot of datasets (listed on https://scans.io & https://opendata.rapid7.com)
  • E.g. Rapid7 Forward DNS
    • wget https://opendata.rapid7.com/sonar.fdns_v2/2018-03-31-1522483201-fdns_any.json.gz
  • Extract subdomains of a given domain from a gz file:
    • zcat <dataset_name> | jq -r 'if (.name | test("\\.example\\.com$")) then .name else empty end'

Using Cloudflare

See you next time!