Subdomain Finder… (subfinder) (2024)

psychom*ong

Feb 19, 2024

Psychom*ong people, we are back with another great and efficient way to find the subdomains of a website, and why that is important.

#credits: to whomsoever it may concern.

Subdomains play an important role in subdomain takeover vulnerabilities due to the nature of how DNS (Domain Name System) works and how web services are often configured.

1. Ownership and Control: Subdomains are often delegated to different teams or services within an organization. This means that the ownership and control of subdomains might be distributed across different individuals or teams, leading to potential oversight or neglect in managing them properly.

2. DNS Records: Subdomains are typically associated with DNS records that map them to specific IP addresses or other resources. When a subdomain is no longer actively used or managed, its DNS records might still exist, pointing to resources that have been deprecated or decommissioned. If an attacker gains control over such a subdomain, they can potentially redirect traffic intended for that subdomain to malicious servers under their control.

3. Service Dependencies: Many modern web applications rely on a variety of third-party services and platforms, often accessed via subdomains. If a third-party service provider shuts down or relinquishes control over a subdomain without properly removing DNS records or terminating service endpoints, it creates an opportunity for an attacker to potentially take over that subdomain and exploit it for malicious purposes.

4. Attack Surface: Subdomains significantly expand the attack surface of a domain. Each subdomain represents a potential entry point for attackers to gain a foothold within an organization’s infrastructure. Subdomain takeover vulnerabilities allow attackers to exploit these entry points to launch various attacks, such as phishing, malware distribution, or data exfiltration.

5. Trust Relationships: Visitors often implicitly trust subdomains of a domain they trust. For instance, a user may trust `secure.example.com` more than a completely unfamiliar domain. Attackers can abuse this trust by taking over subdomains to launch attacks that appear legitimate to unsuspecting users.

Now that you have read why subdomains matter, how do we find them?

Let's take any site, say “university.ac.in”.

That's the website,

and it has a subdomain named admission.university.ac.in.

So let's find the subdomains for the university.

The first and foremost tool for this job is subfinder.

You just need to run sudo apt install subfinder, and done.

Step 1: sudo apt install subfinder

Step 2: Is it done?

Step 3: The best way is to take help from the tool itself.

Step 4: Read the help output.

Subfinder is a subdomain discovery tool that discovers subdomains for websites by using passive online sources.

Usage:
subfinder [flags]

Flags:
INPUT:
-d, -domain string[] domains to find subdomains for
-dL, -list string file containing list of domains for subdomain discovery

SOURCE:
-s, -sources string[] specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
-recursive use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
-all use all sources for enumeration (slow)
-es, -exclude-sources string[] sources to exclude from enumeration (-es alienvault,zoomeyeapi)

FILTER:
-m, -match string[] subdomain or list of subdomain to match (file or comma separated)
-f, -filter string[] subdomain or list of subdomain to filter (file or comma separated)

RATE-LIMIT:
-rl, -rate-limit int maximum number of http requests to send per second (global)
-rls, -rate-limits value maximum number of http requests to send per second four providers in key=value format (-rls hackertarget=10/m) (default [“github=30/m”, “fullhunt=60/m”, “robtex=18446744073709551615/ms”, “securitytrails=1/s”, “shodan=1/s”, “virustotal=4/m”, “hackertarget=2/s”, “waybackarchive=15/m”, “whoisxmlapi=50/s”, “securitytrails=2/s”])
-t int number of concurrent goroutines for resolving (-active only) (default 10)

UPDATE:
-up, -update update subfinder to latest version
-duc, -disable-update-check disable automatic subfinder update check

OUTPUT:
-o, -output string file to write output to
-oJ, -json write output in JSONL(ines) format
-oD, -output-dir string directory to write output (-dL only)
-cs, -collect-sources include all sources in the output (-json only)
-oI, -ip include host IP in output (-active only)

CONFIGURATION:
-config string flag config file (default “/root/.config/subfinder/config.yaml”)
-pc, -provider-config string provider config file (default “/root/.config/subfinder/provider-config.yaml”)
-r string[] comma separated list of resolvers to use
-rL, -rlist string file containing list of resolvers to use
-nW, -active display active subdomains only
-proxy string http proxy to use with subfinder
-ei, -exclude-ip exclude IPs from the list of domains

DEBUG:
-silent show only subdomains in output
-version show version of subfinder
-v show verbose output
-nc, -no-color disable color in output
-ls, -list-sources list all available sources
-stats report source statistics

OPTIMIZATION:
-timeout int seconds to wait before timing out (default 30)
-max-time int minutes to wait for enumeration results (default 10)

###############################################################

Step 5: Select the target university. “PAKISTAN UNIVERSITY” #For demonstration purposes only.

Disclaimer: For educational purposes only.

Step 6: Type “subfinder -d nust.edu.pk”

Step 7: Now we need only the active domains.

For that we have the flag -nW.

Step 8: Now you have comparatively fewer results than we found the first time.

Do we need to copy them by hand? Nah! We have the option of writing the output to a file (-o in the help above).

Step 9: Then we have Subzy (to check for subdomain takeover vulnerability).

So there is no possibility of subdomain takeover here, so we can hack the site. So we are not going to take over the site.
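An organization can run the same workflow against its own domain. The example below is added here and is not from the original post or from the subfinder project: it takes a host list like the one subfinder writes with -o and applies the ownership and DNS-record points from the list above, flagging hosts nobody owns and CNAMEs whose third-party target no longer resolves. The function names, the zone/inventory dictionaries and all sample data are assumptions constructed for illustration.

```python
import socket

def resolves(hostname):
    """Live check: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def norm(name):
    return name.strip().lower().rstrip(".")

def audit(hosts, cnames, inventory, apex, resolver=resolves):
    """hosts: lines of a subfinder -o file; cnames: host -> CNAME target from your
    zone export; inventory: host -> owning team; apex: your own domain."""
    zone = {norm(h): norm(t) for h, t in cnames.items()}
    findings = []
    for host in sorted({norm(h) for h in hosts if h.strip()}):
        if host != apex and not host.endswith("." + apex):
            continue  # not ours: out of scope
        target = zone.get(host, "")
        third_party = bool(target) and target != apex and not target.endswith("." + apex)
        # Only the "target no longer resolves" case is covered here.
        if third_party and not resolver(target):
            findings.append((host, "DANGLING", target))
        elif host not in inventory:
            findings.append((host, "UNOWNED", target or "-"))
    return findings

# Constructed sample data, not real scan output.
SAMPLE_HOSTS = ["admission.university.ac.in", "shop.university.ac.in",
                "Old-Portal.university.ac.in.", "lab.university.ac.in",
                "cdn.othersite.example"]
SAMPLE_CNAMES = {"shop.university.ac.in": "uni.storefront-host.example.",
                 "old-portal.university.ac.in": "uni.retired-saas.example."}
SAMPLE_INVENTORY = {"admission.university.ac.in": "registrar",
                    "shop.university.ac.in": "bookstore",
                    "old-portal.university.ac.in": "it-web"}
LIVE_TARGETS = {"uni.storefront-host.example"}  # what the stub resolver answers

def sample_findings():
    return audit(SAMPLE_HOSTS, SAMPLE_CNAMES, SAMPLE_INVENTORY,
                 "university.ac.in", resolver=lambda name: name in LIVE_TARGETS)

if __name__ == "__main__":
    for host, status, target in sample_findings():
        print(f"{status:9} {host} -> {target}")
```

A DANGLING record should be deleted from the zone or its service re-provisioned; an UNOWNED host needs an owner in the asset register before anyone can decide whether it is still in use.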

So we will try to hack the sites next Monday!!!

Till then, happy hacking.

Special thanks!!! To myself and my parents, that I have gone this far on blogs, with around 376+ followers and countless supporters. We will keep this knowledge going and going every week. So stay tuned, and keep mailing me the details of what you want to learn.

Thank you. Regards,

Psychom*ong…
