Conference notes: Esoteric subdomain enumeration techniques (LevelUp 2017)

Hi, these are the notes I took while watching the “Esoteric subdomain enumeration techniques” talk given by Bharath Kumar at LevelUp 2017.

Common subdomain enumeration techniques:

  • Google dorking
  • Using specialized search engines like VirusTotal
  • Dictionary based enumeration
  • Subdomain bruteforce
  • ASN discovery

Esoteric subdomain enumeration techniques

  • Certificate transparency (CT)
  • DNSSEC zone walking
  • DNS zone transfer
  • Passive recon using public datasets

Certificate transparency


Zone walking NSEC

  • Zone walking using NSEC records is similar to DNS zone transfer
  • It extracts all subdomains of a given domain from its NSEC records
  • Tools:
    • ldns-walk
      • aptitude install ldnsutils (to install ldns-walk)
      • ldns-walk <target_domain>
      • ldns-walk @ns-server <target_domain>
    • dig
      • dig +short NSEC <target_domain> | awk '{print $1;}'

Zone walking NSEC3

  • Zone walking using NSEC3 records
  • Difference between NSEC & NSEC3:
    • NSEC3 records provide a signed gap of hashes of domain names
    • NSEC records provide a signed gap of domain names
  • Steps for NSEC3 zone walking:
    • Collect NSEC3 hashes of a domain
    • Crack the hashes offline
  • Tools:
    • nsec3walker
      • Installation:
          tar -xzf nsec3walker-20101223.tar.gz
          cd nsec3walker-20101223
      • Usage:
          ./collect >                                              # To collect hashes
          ./unhash < >                                             # To crack hashes
          cat | grep "icann" | awk '{print $2;}' | sed 's/\.$//'   # To extract subdomains found
          cat | grep "icann" | wc -l                               # To get the number of subdomains found
    • nsec3map
    • Hashcat or JohnTheRipper (to crack the hashes)
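The walk from the NSEC section above and the hashed chain from the NSEC3 section, as an added offline simulation that is not part of the talk or of ldns-walk/nsec3walker: `FakeSignedZone` stands in for the authoritative server, `ZONE_NAMES` is a constructed zone, and `nsec3_chain` uses a simplified form of the RFC 5155 hash.

```python
import hashlib

# Constructed example zone (not from the talk): the names an authoritative
# server for a DNSSEC-signed zone holds, in no particular order.
ZONE_NAMES = ["example.com", "www.example.com", "mail.example.com",
              "dev.example.com", "vpn.example.com", "ns1.example.com"]

def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1):
    labels are compared right to left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

class FakeSignedZone:
    """Stand-in for the authoritative server, answering NSEC queries offline."""
    def __init__(self, names):
        self.names = sorted(set(names), key=canonical_key)  # apex sorts first

    def nsec(self, qname):
        """Return (owner, next) of the NSEC record covering qname, which is
        what 'dig +short NSEC <name>' shows: for an existing name its own
        record, for a missing name the record that proves the gap."""
        k, apex = canonical_key(qname), canonical_key(self.names[0])
        if k[:len(apex)] != apex:
            raise ValueError("%s is outside the zone" % qname)
        idx = max(i for i, n in enumerate(self.names) if canonical_key(n) <= k)
        return self.names[idx], self.names[(idx + 1) % len(self.names)]

def walk_nsec(zone, apex):
    """Follow the NSEC chain from the apex until it wraps back to it: the
    loop ldns-walk runs with real queries, yielding every name in the zone."""
    found = [apex]
    _, nxt = zone.nsec(apex)
    while nxt != apex and nxt not in found:   # second test guards a broken chain
        found.append(nxt)
        _, nxt = zone.nsec(nxt)
    return found

def nsec3_chain(names, salt=b"", iterations=0):
    """What the same zone exposes under NSEC3: a chain of hashed owner names.
    Simplified from RFC 5155 (real NSEC3 hashes the wire-format name and
    base32hex-encodes); enough to show why a walk only yields hashes."""
    def h(name):
        d = hashlib.sha1(name.rstrip(".").lower().encode() + salt).digest()
        for _ in range(iterations):
            d = hashlib.sha1(d + salt).digest()
        return d.hex()
    hashes = sorted(h(n) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))
```

Running `walk_nsec(FakeSignedZone(ZONE_NAMES), "example.com")` returns all six names in canonical order, while `nsec3_chain(ZONE_NAMES)` returns only the hash pairs that `./collect` would gather.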

DNS zone transfer

  • Tool:
    • dig
      • dig AXFR
  • Common in internal networks
  • Sometimes mitigations like IP-based filtering restrict zone transfers to specific source addresses. But this can be bypassed: on internal pentests, pretend to be the secondary nameserver by spoofing its IP address, initiate a zone transfer & sniff the zone data

Passive reconnaissance

Using public datasets

  • & Project Sonar by Rapid7 gather Internet-wide scan data, including port scans & DNS records
  • There are a lot of data sets (listed on &
  • E.g. Rapid7 Forward DNS
    • wget
  • Extract subdomains of a given domain from a gz file:
    • zcat <dataset_name> | jq -r 'if (.name | test("\\.example\\.com$")) then .name else empty end'

Using Cloudflare

See you next time!