In this article we will be covering the topic, “Brute Forcing Subdomains” by telling you about it and showing few examples on how it can be done.

Before we jump into the topic, If you are looking for labs to test your skills with Account takeover. You can get a hands on experience from the labs we offer at BePractical.tech for free! Yes, that’s right, you don’t need to pay a single penny to educate yourself and improve your skills. Head over to the labs and show us how you did it by sharing your experience on linkedin @bepracticaltech

Account takeover labs link: https://bepractical.tech/account-takeover-labs/

Introduction:

Enumerating subdomains is essential for finding weaknesses in web applications. Finding subdomains and checking them for vulnerabilities frequently involves brute forcing them. In this article, we’ll go through how to use Recon-ng in Kali Linux and a Python script to brute force subdomains.

What is Brute Forcing?

Brute forcing is a technique used to identify potential vulnerabilities in a system. It involves attempting to guess usernames and passwords to gain unauthorized access. This technique is effective against weak passwords and can be automated to attempt thousands of password combinations in a matter of seconds.

Understanding Subdomain Brute Force:

Subdomain brute force is the technique of guessing and testing various combinations of subdomain names in order to find subdomains of a target domain. An example of a subdomain is subdomain.target.com, where “subdomain” refers to the subdomain of the “target.com” domain.

Is “Subdomain Brute forcing” same as “Subdomain Scraping”?

Do not mix up these two procedures because they have similar sounds. Subdomain brute-forcing involves guessing subdomains by repeatedly attempting or assuming different combinations of terms, whereas subdomain scraping just involves looking for subdomains by gathering data from publically available data sources.

How to Brute Force Subdomains?

There are various ways of brute forcing sub domains, we will cover two methods. Firstly we will be using a tool called ReconNg which is used everyday by bug bounty hunters to perform reconnaissance / OSINT. Secondly, we will be writing a simple python script that can be used for the same.

Method 1: “Recon-ng”

Recon-ng is an open-source reconnaissance framework that can be used for subdomain brute-forcing.

Below are the steps to perform subdomain brute-forcing with Recon-ng on kali linux:

  • Recon-ng comes preinstalled with Kali Linux, but if you do not have it, you can download it and then launch it by typing the below in the terminal :
    • sudo apt install recon-ng
    • recon-ng
  • Now, search for the “Brute Hosts” module in recon-ng and install the same by following the steps :
    • marketplace search brute

      marketplace install "brute_hosts"
  • Now, load the downloaded “brute_hosts” module:
    If you are unable to find the exact name of downloaded module, use “modules search” command to lookup all the downloaded modules.
    • modules search
      modules load brute_hosts
  • Next, we need to set the source address of website for which you want to brute force subdomains.
    Follow the below steps to set the address:
    • options set SOURCE "domainname.com"

      If you want to check the domain set, use the command options list to list down the domains set.
  • Additionally, if you want to use your own wordlist instead of the default one, you can do so by doing the following :
    • options set WORDLIST "Path of .txt file"
  • Once you are done with setting the source and wordlist, just put the command run and wait for the results.
    You can find the subdomains that exist highlighted in green.
  • You can type the command show hosts, this will display a list of the subdomains that were found during the brute force.
    [recon-ng][example.com] > show hosts

Method 2: Using Python script

Below is a basic python code that can be used to perform subdomain brute forcing.

import dns.resolver
import requests

target_domain = "example.com"
wordlist_path = "wordlist.txt"

def test_subdomain(subdomain):
    try:
        dns.resolver.query(f"{subdomain}.{target_domain}")
        print(f"[+] Found subdomain: {subdomain}.{target_domain}")
    except:
        pass

def main():
    with open(wordlist_path, "r") as wordlist:
        for line in wordlist:
            subdomain = line.strip()
            test_subdomain(subdomain)

if __name__ == "__main__":
    main()

The above code checks whether a subdomain exists by making a DNS query using the dns.resolver module. Specifically, it uses the query function to query the DNS server for the subdomain name appended to the target domain name. If the DNS server returns a valid response for the query, then the subdomain is assumed to exist.

To use this code, simply replace the target_domain variable with the domain you have permission to test, and replace the wordlist_path variable with the path to your wordlist file. Save the code as a Python file and run it on the command line using python <filename>.py.

Note that we can write the same code without using if statement to check if the DNS response contains any answers. But then it can only catch the cases where the subdomain does not exist. If there are any other errors (such as DNS server issues), the program will crash. So it’s important to handle exceptions appropriately if you want a more robust program. So, it is recommended to use try/except block to handle exceptions when a subdomain is not found.

It is important to note that subdomain brute-forcing can cause high traffic on the target domain’s DNS server or web server, and it may also violate the terms of service of the target domain. It is crucial to perform subdomain brute-forcing only on domains that you have permission to test and to use the technique ethically and responsibly.

Conclusion

Subdomain brute forcing is a powerful technique used to discover hidden web resources that may be vulnerable to attack. It’s important to use it responsibly and organizations should regularly monitor and secure their subdomains to prevent potential attackers from compromising their sensitive data.

These are just few methods to perform bruteforce subdomains, the same thing can be performed using different tools and techniques. Sublist3r, DNSRecon, TheHarvester, Amass are other few tools that can be used to Brute force subdomains.

What next?
If you want to learn about how to perform “Subdomain Takeover”, head over to the following article by Asif Pathan, to increase your knowledge :
https://bepractical.tech/subdomain-takeover/

Suggestions are appreciated, comment down below how we can improve the platform and spread knowledge more effectively.