Search Results for: Subfinder

SubFinder — Discover Hidden Sub-Domains

During web penetration testing we need to collect a lot of information about our target website or web application. There are many things to do here, and we have covered several of them in previous articles. Subdomain discovery is one of them: a target may have many subdomains, and some of them can hold valuable or juicy information for us.

[Screenshot: SubFinder finding subdomains on Kali Linux]

In some of our previous articles we already discussed subdomain discovery tools, but in this article we are going to use a faster subdomain finder named SubFinder. SubFinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. SubFinder is built for doing one thing only, passive subdomain enumeration, and it does that very well.

SubFinder is written in Go and is available in the Kali Linux repository. We can install it with the following command:

sudo apt install subfinder

The above command may prompt for our sudo password; after we provide it, the download of SubFinder starts. The tool is not large and installs in a few seconds on a decent internet connection, as we can see in the following screenshot:

[Screenshot: installing SubFinder on Kali Linux]

In the above screenshot we can see that SubFinder has been installed successfully. Let us check its help output with the following command:

subfinder -h

In the following screenshot we can see the help options of SubFinder.

[Screenshot: SubFinder help options]

Now we can start discovering subdomains of our target website with SubFinder. As an example we are going to check the subdomains of hackerone.com, so we use the following command:

subfinder -d hackerone.com

In the following screenshot we can see that SubFinder is collecting subdomains of hackerone.com.

[Screenshot: SubFinder collecting subdomains of hackerone.com on Kali Linux]

SubFinder has many options, as we saw in the help output. To save the output to a file we can use the -o flag:

subfinder -d hackerone.com -o hackerone.txt

The above command saves our list of discovered subdomains to the file we named, as we can see in the following screenshot:

[Screenshot: discovered subdomains saved to a file]

We can also use the -all flag to query every available source, but enumeration will be slower.

This is very helpful for cybersecurity researchers, because website developers often leave older, no longer used subdomains online without advertising them anywhere, and as we know, older things have a good chance of being vulnerable.

This is how we can discover hidden subdomains of a website using SubFinder on our Kali Linux system.

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

DNSX — Run Multiple DNS Queries

During penetration testing of a website or web application we must gather as much information as we can about our target. Gathering DNS information is also a must for a security expert.

[Screenshot: dnsX on Kali Linux]

In today's article we are going to cover dnsX, a tool created by projectdiscovery. It is a fast, multi-purpose DNS toolkit that lets us run multiple DNS queries of our choice against a list of user-supplied resolvers. It also supports DNS wildcard filtering, like shuffledns. We will learn how to install dnsX on our Kali Linux system and how to use it.

Key Features of dnsX

  • Simple and Handy utility to query DNS records.
  • A, AAAA, CNAME, PTR, NS, MX, TXT, SOA query support.
  • DNS Resolution / Brute-force support.
  • Custom resolver input support.
  • Multiple resolver format (TCP/UDP/DOH/DOT) support.
  • stdin and stdout support.
  • Automatic wildcard handling support.

Installing dnsX on Kali Linux

Since the 2022.1 update of Kali Linux, dnsX is included in the Kali Linux repository, so installation is hassle-free. We just need to run the following one-liner in our terminal:

sudo apt install dnsx -y

In the following screenshot we can see the output of the above command:

[Screenshot: dnsX installing on Kali Linux]

Done! dnsX is successfully installed on our Kali Linux system.

Using dnsX on Kali Linux

Let's start with the help section of the dnsX tool. To check the options we run the following command:

dnsx -h

In the following screenshot we can see the help options of the dnsX tool:

[Screenshot: dnsX help options on Kali Linux]

Now let's start using it with an example. If we have a list of subdomains in a file, we can run the following command to check which of them are active:

dnsx -l path/to/subdomains.txt

[Screenshot: dnsX resolving a list of subdomains on Kali Linux]

Let's suppose we found some subdomains using SubFinder. Now we can easily check which of the passively collected subdomains are active by piping the list straight into dnsX. The following command is an example:

subfinder -silent -d hackthissite.org | dnsx -silent

In the above command we used the -silent flag on both tools to keep our terminal clean. The command takes some time to collect all the data. We can see its output in the following screenshot:

[Screenshot: dnsX used with SubFinder]

dnsX can also print A records, for example:

subfinder -silent -d hackthissite.org | dnsx -silent -a -cname -resp

In the following screenshot we can see the A records with the subdomains:

[Screenshot: dnsX printing A records]

It can also print only the A records, without the hostnames. To do so we run the following command:

subfinder -silent -d hackthissite.org | dnsx -silent -a -resp-only

Now it prints the A records only, as we can see in the following screenshot:

[Screenshot: dnsX showing A records only]

dnsX can also extract CNAME records, for example:

subfinder -silent -d hackthissite.org | dnsx -silent -cname -resp

We can see the output in the following screenshot:

[Screenshot: CNAMEs found by dnsX]

We can also filter by DNS response code with dnsX, as in the following command:

subfinder -silent -d hackthissite.org | dnsx -silent -rcode noerror,servfail,refused

The following screenshot shows the output of the above command:

[Screenshot: dnsX filtering by DNS response code]

dnsX can also brute-force subdomains for a given domain or list of domains using the -d and -w flags together.

Extra Talks

  1. By default, dnsx queries the A record.
  2. By default, dnsx uses the Google, Cloudflare and Quad9 resolvers.
  3. A custom resolver list can be supplied with the -r flag.
  4. The domain name (-wd) input is mandatory for wildcard elimination.
  5. DNS record flags cannot be used together with wildcard filtering.
  6. DNS resolution (-l) and DNS brute-forcing (-w) cannot be used together.
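Wildcard elimination (point 4 above) works by resolving random labels that should not exist under the domain: any answer they return is the wildcard answer, and hosts that resolve only to that answer are dropped. The following is an added example of that logic, not dnsX's own code; it uses a constructed in-memory zone (FAKE_ZONE, fake_resolve) in place of a real resolver so it runs offline.

```python
import random
import string

# Constructed sample zone (not real data). The "*" entry plays the role of a
# wildcard record: every unknown label under example.test resolves to 203.0.113.7.
FAKE_ZONE = {
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.20"],
    "old.example.test": ["203.0.113.7"],   # a real record that shares the wildcard IP
    "*.example.test": ["203.0.113.7"],
}


def fake_resolve(name):
    """Stand-in for a real resolver: exact match first, then the wildcard."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parts = name.split(".", 1)
    if len(parts) < 2:
        return []
    return FAKE_ZONE.get("*." + parts[1], [])


def wildcard_ips(domain, resolve, probes=3):
    """Resolve a few random labels that should not exist; any answer is wildcard noise."""
    ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=20))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def resolve_and_filter(hosts, domain, resolve):
    """Return {host: answers} for hosts that resolve to something other than the wildcard."""
    wild = wildcard_ips(domain, resolve)
    kept = {}
    for host in hosts:
        answers = resolve(host)
        if not answers:
            continue                      # does not resolve at all
        if wild and set(answers) <= wild:
            continue                      # indistinguishable from the wildcard, drop it
        kept[host] = answers
    return kept
```

Note the caveat visible in the sample data: old.example.test is a genuine record, but because it shares the wildcard's address it is filtered out too, which is the price of IP-based wildcard elimination.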

This is how we can use dnsX tool on Kali Linux, and collect DNS information for security testing.


SUB404 — Easily Find Sub-Domain Takeover Vulnerability

In our recent articles we learned how to find subdomains and what a subdomain takeover vulnerability is. In this article we are going to learn how to find potential subdomain takeover vulnerabilities. Subdomain takeover is a serious issue in cybersecurity and may lead to a good bounty for bug bounty hunters.

[Screenshot: Sub404 on Kali Linux checking for subdomain takeover vulnerability]

In today's article we are going to discuss an automated tool that helps us discover subdomains that could potentially be taken over. The tool is named Sub404. Sub404 is written in Python 3 and is very fast because it is asynchronous.

During the recon phase of information gathering we may find a lot of subdomains (more than 10k, for example). Testing each one manually, or with the traditional requests or urllib approach, is not practical because it is very slow. With Sub404 we can automate this task much faster: Sub404 uses aiohttp and asyncio, which makes the tool asynchronous and fast.

How Sub404 Works?

Sub404 takes a list of subdomains from a text file (see our earlier article on this), requests each URL and keeps those that return a 404 Not Found status code. In addition it fetches the CNAME (canonical name) of each of those hosts and removes any URL whose CNAME contains the target domain name. If we do not already have a list of target subdomains, it can also combine results from SubFinder and Sublist3r (two subdomain discovery tools), since two are better than one; for this, Sublist3r and SubFinder must be installed on the system. Sub404 is very fast, as we said: the creator of the tool claims it can check 7K subdomains in less than 5 minutes.
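The triage logic just described (404 status plus a CNAME that points outside the target's own zone), as an added example that is not Sub404's code. The resolver and HTTP client are replaced by constructed lookup tables (FAKE_CNAME, FAKE_STATUS, with hostnames under the reserved .invalid TLD) so it runs offline; the asyncio structure mirrors the tool's concurrent checking.

```python
import asyncio

TARGET = "hackthissite.org"  # domain used in the article; the records below are constructed

# Constructed stand-ins for live DNS answers and HTTP responses (not real data).
FAKE_CNAME = {
    "blog.hackthissite.org": "hackthissite.org",                     # in-house, keep out
    "shop.hackthissite.org": "unclaimed-store.example-saas.invalid",  # external and 404
    "docs.hackthissite.org": "pages.example-saas.invalid",            # external but 200
    "dead.hackthissite.org": None,                                    # no CNAME at all
}
FAKE_STATUS = {
    "blog.hackthissite.org": 404,
    "shop.hackthissite.org": 404,
    "docs.hackthissite.org": 200,
    "dead.hackthissite.org": None,   # connection failed, no status
}


async def fetch_status(host, protocol="https"):
    """Stand-in for an aiohttp GET on protocol://host; returns the status or None."""
    await asyncio.sleep(0)           # yield to the loop, as a real request would
    return FAKE_STATUS.get(host)


async def fetch_cname(host):
    """Stand-in for a CNAME lookup; returns the target name or None."""
    await asyncio.sleep(0)
    return FAKE_CNAME.get(host)


async def check_host(host, target):
    """Flag a host only if it answers 404 AND its CNAME leaves the target's zone."""
    status, cname = await asyncio.gather(fetch_status(host), fetch_cname(host))
    if status != 404:
        return None
    if cname is None or target in cname:
        return None                  # no dangling external pointer to a third party
    return (host, cname)


async def find_candidates(hosts, target):
    results = await asyncio.gather(*(check_host(h, target) for h in hosts))
    return [r for r in results if r is not None]


def run(hosts, target=TARGET):
    """Synchronous entry point; returns [(host, cname), ...] worth reviewing."""
    return asyncio.run(find_candidates(hosts, target))
```

A hit here is only a candidate: a 404 from a third-party service says the record is dangling, and whether the name can actually be claimed depends on that provider, so the defender's fix is simply to delete or repoint the stale CNAME.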

Key Features of Sub404

  • Fast (as it is asynchronous).
  • Uses two more tools to increase efficiency.
  • Saves result in a text file for future reference.

Install & Use Sub404 on Kali Linux

To install Sub404 on our Kali Linux system we need to clone it from its GitHub repository with the following command:

git clone https://github.com/r3curs1v3-pr0xy/sub404

After running the above command, Sub404 is downloaded into our current working directory, as we can see in the following screenshot:

[Screenshot: cloning Sub404 from GitHub]

Now we need to install two other tools on our Kali Linux system, because, as we said, Sub404 does not like to work alone: it uses two subdomain discovery tools, SubFinder and Sublist3r, to increase its coverage. We covered SubFinder in a recent article. We can install both tools with the following command:

sudo apt install subfinder sublist3r -y

In the following screenshot we can see that both tools are successfully installed on our system.

[Screenshot: installing SubFinder and Sublist3r on Kali Linux]

Now we need to move into the sub404 directory we just cloned:

cd sub404

Next we install the Python requirements for Sub404 with the following command:

pip install -r requirements.txt

The following screenshot shows the output of the above command:

[Screenshot: installing requirements for Sub404]

Now we are ready to run it. In the sub404 directory there is a Python script named sub404.py, which is the entry point of the tool. Let us check the help options of Sub404 with the following command:

python3 sub404.py -h

In the following screenshot we can see the help options of Sub404:

[Screenshot: Sub404 help options on Kali Linux]

With the -d flag we can give Sub404 a domain: it enumerates the subdomains itself and then checks them for subdomain takeover automatically. With the -f flag we can instead give it a list of subdomains (a text file) to analyze. With the -p flag we can specify the protocol (HTTP or HTTPS); the default is HTTPS.

Let's run it against a live website that everyone has permission to test, hackthissite.org. To test a domain we use the following command:

python3 sub404.py -d hackthissite.org

Sub404 then starts scanning: it finds the subdomains, checks each for a 404 status, checks the CNAME of the 404 subdomains to see whether they point to a third-party service, and shows us the results, as we can see in the following screenshot:

[Screenshot: Sub404 live test on Kali Linux]

As we can see in the screenshot, our target isn't vulnerable. That's fine; this was only our example target.

If we already have a list of subdomains (as we produced in our SubFinder article), we can check those too with the following command:

python3 sub404.py -f /home/kali/subdomainlist.txt

In the following screenshot we can see the output of the above command:

[Screenshot: checking a list of subdomains with Sub404]

No luck here either; this list is also not vulnerable.

This is how we can check for subdomain takeover vulnerability on any website. But before that:

Warning: This tutorial is for educational and research purposes only. Hacking a subdomain without proper permission is a serious crime. If anyone does any illegal activity then we are not responsible for that.

That is all for today. We learnt how to find subdomain takeover vulnerabilities very easily using the Sub404 tool on our Kali Linux system. We also learnt not to harm anyone with our super powers: "With great power comes great responsibility".

