
How to Write Your Own Subdomain Enumeration Script for Better Reconnaissance «Null Byte :: WonderHowTo



There are tons of tools available that do all kinds of reconnaissance, but it can be difficult to decide which ones to use. A great way to be more efficient is to use scripts. This doesn't mean you have to write everything from scratch; it can simply mean tying existing tools together into a single, comprehensive script. Fortunately, it's easy to create your own subdomain enumeration script for better reconnaissance.

Step 1: Install Dependencies

Before we get started, there are a few things we need to install and set up for everything to work properly. First, make sure Go and Subfinder are installed on the system. Second, we'll use a tool called assetfinder for additional subdomain enumeration; we can grab the latest release from GitHub with:

~# wget https://github.com/tomnomnom/assetfinder/releases/download/v0.1.0/assetfinder-linux-amd64-0.1.0.tgz

--2021-04-28 15:00:12--  https://github.com/tomnomnom/assetfinder/releases/download/v0.1.0/assetfinder-linux-amd64-0.1.0.tgz
Resolving github.com (github.com)... 140.82.114.4
Connecting to github.com (github.com)|140.82.114.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/193392376/6e64a200-d33f-11e9-9d79-2165e6e68bb1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210428T200012Z&X-Amz-Expires=300&X-Amz-Signature=3704ee96ec028f1ac8de3a3af870351ff434bdbd1150e3893a2cd02d43113b71&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=193392376&response-content-disposition=attachment%3B%20filename%3Dassetfinder-linux-amd64-0.1.0.tgz&response-content-type=application%2Foctet-stream [following]
--2021-04-28 15:00:12--  https://github-production-release-asset-2e65be.s3.amazonaws.com/193392376/6e64a200-d33f-11e9-9d79-2165e6e68bb1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210428T200012Z&X-Amz-Expires=300&X-Amz-Signature=3704ee96ec028f1ac8de3a3af870351ff434bdbd1150e3893a2cd02d43113b71&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=193392376&response-content-disposition=attachment%3B%20filename%3Dassetfinder-linux-amd64-0.1.0.tgz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.217.46.132
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.217.46.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3739744 (3.6M) [application/octet-stream]
Saving to: ‘assetfinder-linux-amd64-0.1.0.tgz’

assetfinder-linux-amd64-0.1.0.tgz         100%[=====================================================================================>]   3.57M  1.78MB/s    in 2.0s

2021-04-28 15:00:14 (1.78 MB/s) - ‘assetfinder-linux-amd64-0.1.0.tgz’ saved [3739744/3739744]

Then use tar to extract the binary:

~# tar xzf assetfinder-linux-amd64-0.1.0.tgz

Then move assetfinder to a directory in our path:

~# mv assetfinder /usr/local/bin/

Third, we need a tool called httprobe, which lets us filter our results down to live hosts. Grab the release from GitHub with:

~# wget https://github.com/tomnomnom/httprobe/releases/download/v0.1.2/httprobe-linux-amd64-0.1.2.tgz

--2021-04-28 15:05:40--  https://github.com/tomnomnom/httprobe/releases/download/v0.1.2/httprobe-linux-amd64-0.1.2.tgz
Resolving github.com (github.com)... 140.82.114.4
Connecting to github.com (github.com)|140.82.114.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/80510806/d4c97700-afc2-11e9-9a18-8f50cc10ac23?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210428T200541Z&X-Amz-Expires=300&X-Amz-Signature=35781254f155f3fd67a026f17035c7fa9f0124feed26e08a305266c73eff08f0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=80510806&response-content-disposition=attachment%3B%20filename%3Dhttprobe-linux-amd64-0.1.2.tgz&response-content-type=application%2Foctet-stream [following]
--2021-04-28 15:05:41--  https://github-production-release-asset-2e65be.s3.amazonaws.com/80510806/d4c97700-afc2-11e9-9a18-8f50cc10ac23?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210428T200541Z&X-Amz-Expires=300&X-Amz-Signature=35781254f155f3fd67a026f17035c7fa9f0124feed26e08a305266c73eff08f0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=80510806&response-content-disposition=attachment%3B%20filename%3Dhttprobe-linux-amd64-0.1.2.tgz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.217.44.212
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.217.44.212|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3555994 (3.4M) [application/octet-stream]
Saving to: ‘httprobe-linux-amd64-0.1.2.tgz’

httprobe-linux-amd64-0.1.2.tgz            100%[=====================================================================================>]   3.39M  1.61MB/s    in 2.1s

2021-04-28 15:05:43 (1.61 MB/s) - ‘httprobe-linux-amd64-0.1.2.tgz’ saved [3555994/3555994]

Extract the binary:

~# tar xzf httprobe-linux-amd64-0.1.2.tgz

And move it to a directory in our path:

~# mv httprobe /usr/local/bin/

Fourth, we need to configure a few things for Go. First, create a directory called go:

~# mkdir /usr/local/go

Use the following command to set the GOPATH environment variable:

~# go env -w GOPATH=/usr/local/go

We can confirm that we have set it up correctly:

~# go env GOPATH

/usr/local/go

Then we need to add the bin directory under GOPATH to our PATH, if it isn't there already:

~# export PATH=$PATH:$(go env GOPATH)/bin

Then we can make our changes permanent by adding the configuration to our .bashrc file:

~# echo 'export GOPATH=/usr/local/go' >> ~/.bashrc
~# echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc

Source the file so the changes take effect in the current shell as well:

~# . ~/.bashrc

Finally, we need a tool called Subjack; we'll get into what this tool does later, but for now we can install it with the go get command:

~# go get github.com/haccer/subjack

That automatically installs it under our GOPATH, ready for use. That should be everything we need, so let's start on our script.

Step 2: Start the script

To get started, create a script and open it with your favorite text editor:

~# nano subrecon.sh

The first line we need, called a shebang or hashbang, tells the system which interpreter to use to execute the file; in this case it's a Bash script:

#!/bin/bash

Next, we'll make sure the user provides input to the script; if not, a usage message is printed and the script exits. Use a conditional if-then block:

if [ -z "$1" ]
then
        echo 'usage: ./subrecon.sh <domain_list>'
        exit 1
fi

$1 is the first argument passed to the script, and the -z test returns true if the string is empty (quoting it keeps the test well-formed when no argument is given). So basically this says: if no argument is provided, print the usage and exit. The argument we'll pass is a file containing a list of domains.

Step 3: Enumerate the subdomains

The first action our script will take is to enumerate subdomains:

echo 'FINDING SUBDOMAINS...'

while read line
do
        for var in $line
        do
                echo 'enumerating:' "$var"

                subfinder -silent -d "$var" > out1
                cat out1 >> subs1

                assetfinder -subs-only "$var" > out2
                cat out2 >> subs2

                rm out1 out2
        done
done < "$1"

This uses a while loop to read each line of our domain list file, a for loop over the domains on that line (printing the one currently being enumerated), and collects results from both Subfinder and Assetfinder into two files.

The next section combines the two result files, removes any duplicates, and saves the output in a file named all_subs:

sort -u subs1 subs2 > all_subs
rm subs1 subs2
echo 'saved subdomains to all_subs'
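The sort -u step above only removes exact duplicates. In practice, the output of enumeration tools mixes upper and lower case, carries trailing dots or "*." wildcard prefixes, and (with assetfinder in particular) can include names that are not under the domain you were asked to look at. The function below is an example added here, not code from the original article or from either tool: a drop-in replacement for the merge step that normalizes all of that and keeps only names in scope before deduplicating. The domain it scopes to and the sample input files are assumptions for the example.

```shell
#!/bin/bash
# Added example (not from the original article, Subfinder or Assetfinder):
# normalize raw subdomain output before deduplicating it.
#   - lowercase everything (DNS names are case-insensitive)
#   - trim surrounding whitespace, a leading "*." wildcard and a trailing dot
#   - drop anything that is not a plain hostname (URLs, blank lines, junk)
#   - keep only names that are the target domain or end in ".<domain>"
#
# Usage: normalize_subs <domain> <file>...     (cleaned names on stdout)
# e.g.   normalize_subs example.com subs1 subs2 > all_subs
normalize_subs() {
    local domain esc
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    # Escape the dots so the domain can be used literally inside a regex.
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')

    cat "$@" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^\*\.//' -e 's/\.$//' \
        | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
        | grep -E '(^|\.)'"${esc}"'$' \
        | LC_ALL=C sort -u
}
```

Because the function prints to stdout, it slots into the script as normalize_subs "$var" subs1 subs2 > all_subs (or once over all collected files); the out-of-scope names it drops are worth a second look separately rather than being mixed into the takeover check.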

Step 4: Determine live hosts

The next part of the script determines which hosts from the previous results are live. This is extremely useful for reducing the time it takes to go through everything, since hosts that are down are usually not interesting.

This takes the list of subdomains, uses httprobe to filter it down to live hosts, and saves the results in a file called live_subs:

echo 'FINDING LIVE HOSTS...'

cat all_subs | httprobe > live_subs
echo 'saved live hosts to live_subs'

Step 5: Test for subdomain takeover

Subdomain takeover is the process of registering a domain name in order to gain control over another domain. It happens when a host, usually a subdomain, points to a service that is no longer in use. The most common scenario is a subdomain that points to another domain whose DNS registration has expired, leaving that domain available for someone else to register. Anyone who successfully registers it now has full control over what the subdomain serves.

In some cases this type of attack isn't possible because of authentication methods, but you'd be surprised how many services are vulnerable to subdomain takeover. Amazon S3 buckets, GitHub Pages, Heroku, Shopify, and Microsoft Azure are all susceptible to it in one form or another.

Subjack is a handy tool that tests a list of subdomains for possible takeover. Here we use the -w flag to supply the input file and the -a flag to send requests to every URL rather than only those with an identified CNAME:

echo 'CHECKING FOR SUBDOMAIN TAKEOVER...'

subjack -w all_subs -a

echo 'DONE'

If anything in our list is vulnerable to subdomain takeover, the result is displayed on screen along with the corresponding service.
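From the owner's side, the same signal is useful in reverse: every CNAME in your zone that points at a third-party hosting service is a record you must remember to delete when that backend is deprovisioned. The function below is an example added here, not code from the article or from Subjack. It reads dig-style answer lines ("name TTL IN CNAME target", e.g. from dig +noall +answer -t CNAME) and lists the records whose target falls under one of the service suffixes mentioned above, so they can be reviewed against what is actually still provisioned. The suffix list is a small illustrative sample and the input records are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original article or Subjack): inventory the
# CNAME records that delegate a hostname to a third-party hosting service.
# Input: dig-style answer lines, one per record:  name TTL IN CNAME target
# Output: "name -> target  [service]" for each record that matches.
#
# Usage: classify_cnames [file...]   (reads stdin when no file is given)
classify_cnames() {
    awk '
        # Sample of provider suffixes (the services named in the text above);
        # extend the table for whatever your zone actually delegates to.
        BEGIN {
            svc["s3.amazonaws.com"]  = "Amazon S3"
            svc["github.io"]         = "GitHub Pages"
            svc["herokuapp.com"]     = "Heroku"
            svc["myshopify.com"]     = "Shopify"
            svc["azurewebsites.net"] = "Azure App Service"
            svc["cloudapp.net"]      = "Azure Cloud Service"
        }
        # Only CNAME answers matter; A records, blanks and comments are skipped.
        $4 == "CNAME" && NF >= 5 {
            name = tolower($1); target = tolower($5)
            sub(/\.$/, "", name); sub(/\.$/, "", target)   # drop trailing dots
            for (suffix in svc) {
                # Match the bare suffix or any label under it (".<suffix>").
                tail = substr(target, length(target) - length(suffix))
                if (target == suffix || tail == "." suffix) {
                    printf "%s -> %s  [%s]\n", name, target, svc[suffix]
                    next
                }
            }
        }
    ' "$@"
}
```

Pipe the CNAME answers for the names in all_subs through it and check each line against your inventory; a record whose target no longer belongs to you is exactly the condition Subjack is looking for, and it is far cheaper to remove the record than to explain the takeover.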

Step 6: Review the script

The final script should look something like this:

#!/bin/bash

if [ -z "$1" ]
then
        echo 'usage: ./subrecon.sh <domain_list>'
        exit 1
fi

echo 'FINDING SUBDOMAINS...'

while read line
do
        for var in $line
        do
                echo 'enumerating:' "$var"

                subfinder -silent -d "$var" > out1
                cat out1 >> subs1

                assetfinder -subs-only "$var" > out2
                cat out2 >> subs2

                rm out1 out2
        done
done < "$1"

sort -u subs1 subs2 > all_subs
rm subs1 subs2
echo 'saved subdomains to all_subs'

echo 'FINDING LIVE HOSTS...'

cat all_subs | httprobe > live_subs
echo 'saved live hosts to live_subs'

echo 'CHECKING FOR SUBDOMAIN TAKEOVER...'

subjack -w all_subs -a

echo 'DONE'

Now it's time to test it out. Save the script and make it executable:

~# chmod +x subrecon.sh

And run it, passing a file with the list of domains to enumerate:

~# ./subrecon.sh domains.txt

FINDING SUBDOMAINS...
enumerating: wonderhowto.com
saved subdomains to all_subs
FINDING LIVE HOSTS...
saved live hosts to live_subs
CHECKING FOR SUBDOMAIN TAKEOVER...
DONE

This is a good start, but the great thing about this script is that it's easy to expand. Anything useful for reconnaissance, especially subdomain reconnaissance, can be added to tailor the enumeration process to your own workflow.

Wrapping up

In this tutorial, we learned how to write our own subdomain enumeration script in Bash. First we installed some dependencies and got started on the script. We then used Subfinder and Assetfinder to discover subdomains and combine the results, and filtered for live hosts with httprobe. Finally, we used Subjack to check for possible subdomain takeover.


Cover photo by Christina Morillo / Pexels
