Powered by

# Subdomain / Virtual Host

# OSINT - SSL/TLS Certificates

When an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate is created for a domain by a CA (Certificate Authority), CA's take part in what's called "Certificate Transparency (CT) logs". These are publicly accessible logs of every SSL/TLS certificate created for a domain name. The purpose of Certificate Transparency logs is to stop malicious and accidentally made certificates from being used.

We can use this service to our advantage to discover subdomains belonging to a domain, sites like https://crt.sh and https://transparencyreport.google.com/https/certificates offer a searchable database of certificates that shows current and historical results.

# OSINT - Search Engines

# Google

Search for subdomains and exclude www.

-site:www.mydomain.com site:*.mydomain.com

# OSINT - Tools

# Sublist3r 

./sublist3r.py -d mydomain.com

# TheHarvester 

theHarverster -d google.com -b google,twitter,linkedin,bing,yahoo,sublist3r

# DNS Bruteforce

# Dnsrecon 

dnsrecon -t brt -d mydomain.com
# /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt

# Knockpy 

knockpy google.com -w /usr/share/seclists/Discovery/DNS/shubs-stackoverflow.txt

# Virtual Hosts 

# GOBUSTER
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://shibboleth.htb

# FFUF
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.mydomain.com" -u http://MACHINE_IP -fs {SIZE}

© Copyright 2024. Caue All rights reserved.