SUBDOMAINS#

beneath the surface of domain(example.com) lies a potential network of subdomains. these subdomains are extension of main domain. example mail.example.com

Why is this important for web reconnaissance?#

subdomains often host valuable information and aren’t directly connected to main domain

• Development and Staging Environments: before releasing subdomain on the main site company test it. this site sometimes lack full security protection, making it easier to exploit or gain information
• Hidden Login Portals: admin login pages and other secure sections of a website might be hidden on subdomain.
• Legacy Applications: legacy applications might exist in subdomain which is not in use or not maintained. here security flaw could exist
• Sensitive Information: accidentally company will keep some sensitive files in the subdomain which could provide useful information

Subdomain Enumeration#

Subdomain enumeration is process of finding the subdomain of a domain. it uses A(or AAA) record for IP mapping and CNAME records for aliases method includes passive and active (collecting data). this helps to identify hidden or vulnerability system

1. Active Subdomain Enumeration

it involves directly querying DNS to find its subdomain. One method is DNS zone transfer, which can leak list of subdomain if system is mis-configured though it is rare. A common approach is brute-force enumeration, where tools like dnsenum, ffuf, and gobuster automatically test subdomain using wordlists

1. Passive Subdomain Enumeration

information is gathered from external resources without querying DNS directly. Method includes searching Certificate Transparency (CT) logs, where it list subdomains, using search engine with specialized operator like site: to filter for subdomain and consulting online DNS database that contain subdomain data. it is stealthier that active subdomain enum.

• combining info from both enumeration give full result of subdomain