Boost your subdomain enumeration

Nijat Mammadov
4 min readApr 13, 2023

--

Let’s get into the topic without delay. It’s known that most of the time pentesters use known tools like subfinder, crt.sh, amass, massdns, bruteforcer (f.e: ffuf, gobuster..), etc without knowing any additional configuration. In this article, I want to give you some salty tips. Did you ever think “So subdomain enum ends with just basic usage with tools?” or about “Applying API to them?”. If you don’t know what is API you must search it. But for now, we are going through how can we boost our subdomain enumeration phase with API configuration? (Believe me, you will feel the impact!)

1. Adding API and Using Amass

Believe me, you will feel the impact! First, we install the Amass config files from github (It looks like below image)

git clone https://github.com/owasp-amass/amass/blob/master/examples/config.ini

Then you have to configure it. Open the config.ini file then select the free search engine or other service names for API (Shodan, Censys, Hackerone..). Then remove the “#” symbol line which API you want to add like this:

Sometimes it needs a secret key as well, don’t worry the service gives it to you. It’s good to add API keys as much possible as. If you ask me, I use famous and more useful ones as I mentioned before in my test os.

After add keys, save it and start using like this:

If you don’t know about amass using, visit the github page (https://github.com/owasp-amass/amass). It has also “passive and active” enumeration and much more!

Passive: Gather information without direct interaction with the target. It is to say, obtaining publicly available information using things such as search engines, certificate information, social media postings, and even job postings. Active: Obtain information by directly interacting with the target.

2. Adding API and Using SubFinder

Subfinder is another best tool to enumerate subdomains. It’s also a product of projectdiscovery ❤. In basic usage, it searches passively with public information without additional API. But if you want to add API, follow me!

Go look for -> $HOME/.config/subfinder/provider-config.yaml

And that file’ll look like this. Add you API key into parenthesis. Then you can use it as always you do.

If you dont know about SubFinder using, check this (https://github.com/projectdiscovery/subfinder). This has a lot of features as well.

3. Bruteforce Efficiently

Well, this is a known process but it’ll be good to enumerate with ffuf tool and a good wordlist such as n0kovo_subdomains. Because ffuf is a more fast fuzzer than others. (https://github.com/n0kovo/n0kovo_subdomains).

But how can we use ffuf for subdomain enumeration?

In this stage, adding “-fc 404” can be a good thing because of reducing false results. Sometimes people remove “301” and others as well, but I don’t recommend using it, sometimes it returns other status codes but it works well.

4. Put it all together without duplicate

After you get different subdomains files, try to mix them uniquely. I use “anew” tool which is so simple and useful command. Just use it like this:

cat subdomain1.txt subdomain2.txt subdomain3.txt | anew allsubdomains.txt

and it will fetch all the subdomains without duplicate into allsubdomanis.txt file!

If you don’t want additional tool, use this:

cat subdomain1.txt subdomain2.txt subdomain3.txt | sort -u > allsubdomains.txt

Finally, thanks for reading till the end. If you have any additional tips, questions or need something about this I can help you gladly.

--

--