If you read my last post about V1D0m and liked it, I'm sure you will LOVE this post. As you will remember, the older post was about subdomain enumeration using VirusTotal; this post is about enumerating subdomains and DNS information from the following services: CloudFlare, Censys and crt.sh, using Python!
Performing subdomain enumeration:
A set of three scripts was recently released by the awesome guys at Appsecco on their GitHub page here. Go ahead and clone the repository. You will now have the following scripts in your cloned folder:
As you can see, the repository holds more goodies in addition to the scripts that help you perform subdomain enumeration: a bonus subdomain enumeration cheat sheet, and the slides from the BugCrowd talk titled "Esoteric Subdomain Enumeration Techniques".
First things first. Get hold of your Censys API credentials (an API ID and an API secret), as you need to add them to the Censys script. Don't have them yet? Get them from here. Add them at line numbers 26 and 27 of the script. Treat the secret like a password: if you edit it into the script, don't commit that copy to a public repository.
CENSYS_API_ID = ""      # Provide your Censys API ID
CENSYS_API_SECRET = ""  # Provide your Censys API Secret
Create a CloudFlare free account by visiting this link.
This is all you need to perform DNS and subdomain enumeration using these scripts.
Now onto the actual fun stuff! Choose the service you would like to start with. Let's say Censys. This is what I would do:
python subdomain_enum_censys.py facebook.com
[+] Extracting certificates for facebook.com using Censys
Starting new HTTPS connection (1): www.censys.io
[+] Extracting sub-domains for facebook.com from certificates
[+] Total unique subdomains found: 46
[+] List of subdomains extracted:
For brevity I have not included all the subdomains, but you get the point. Now, let's try crt.sh:
python subdomain_enum_crtsh.py --domains facebook.com --resolve_dns
This time, however, I got about 194 unique results. Which script is more precise will be discussed at a later time. For now, let's move on to subdomain enumeration using CloudFlare:
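To make clear what the crt.sh step is actually doing, here is an added example of the same idea written from scratch; it is not one of the Appsecco scripts and does not reproduce their code. It queries the crt.sh JSON endpoint (the URL format and the `name_value` field are assumptions about crt.sh's output, correct at the time of writing), splits the newline-separated CN/SAN names in each certificate record, strips wildcards, drops anything outside the target domain (so `facebook.com.evil.net` does not count as a facebook.com subdomain), deduplicates case-insensitively, and optionally resolves what remains, which is what `--resolve_dns` is for: certificate logs remember hostnames long after the DNS records are gone. The `SAMPLE_CRTSH` records are constructed for the example so the parsing logic runs offline; the network call is only made when the file is run directly.

```python
"""Extract subdomains from crt.sh certificate records (added example, not the Appsecco script)."""
import json
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set
from urllib.parse import quote
from urllib.request import Request, urlopen

# Assumed crt.sh query format: %.example.com matches every name under the domain.
CRTSH_URL = "https://crt.sh/?q={query}&output=json"

# Plain hostname: dot-separated labels, no wildcard, no scheme, no port.
_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

# Constructed sample of what crt.sh returns (only the field we use is shown).
SAMPLE_CRTSH: List[dict] = [
    {"name_value": "www.example.com\nexample.com"},      # CN plus SAN, newline-separated
    {"name_value": "*.dev.example.com"},                  # wildcard still reveals dev.example.com
    {"name_value": "mail.example.com"},
    {"name_value": "WWW.EXAMPLE.COM"},                    # duplicate, different case
    {"name_value": "example.com.evil.net"},               # out of scope: must be rejected
    {"name_value": "api.example.com\nstaging.example.com"},
]


def fetch_crtsh(domain: str, timeout: int = 60) -> List[dict]:
    """Fetch certificate records for %.domain from crt.sh (network call)."""
    url = CRTSH_URL.format(query=quote(f"%.{domain}"))
    req = Request(url, headers={"User-Agent": "subdomain-enum-example"})
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def extract_subdomains(records: Iterable[dict], domain: str) -> Set[str]:
    """Return the unique hostnames in `records` that belong to `domain`."""
    domain = domain.lower()
    suffix = "." + domain
    found: Set[str] = set()
    for rec in records:
        # name_value carries the CN and every SAN, one per line.
        for name in str(rec.get("name_value", "")).split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # keep the parent of a wildcard entry
            if not _HOST_RE.match(name):
                continue  # e-mail addresses, IPs, garbage
            # Suffix check with the leading dot prevents example.com.evil.net from matching.
            if name == domain or name.endswith(suffix):
                found.add(name)
    return found


def resolve_all(
    hosts: Iterable[str],
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, Optional[str]]:
    """Map each host to an IPv4 address, or None if it no longer resolves.

    `resolver` is injectable so the logic can be exercised without DNS.
    """
    result: Dict[str, Optional[str]] = {}
    for host in sorted(hosts):
        try:
            result[host] = resolver(host)
        except (socket.gaierror, OSError):
            result[host] = None  # stale certificate name, no live record
    return result


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    names = extract_subdomains(fetch_crtsh(target), target)
    print(f"[+] Total unique subdomains found: {len(names)}")
    for host, ip in resolve_all(names).items():
        print(f"{host}\t{ip or '(does not resolve)'}")
```

Run it as `python crtsh_enum.py facebook.com` and compare the count with the Appsecco script; the number of names that come back as "does not resolve" is a good first hint at how much of the crt.sh result set is historical rather than live.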
python cloudflare_enum.py <your CloudFlare account email> facebook.com
Enter your CloudFlare password when prompted (it is not passed on the command line, so it stays out of your shell history) and you are set! If for some reason the CloudFlare script does not work for you, read through the script and you will see what it does and where it fails. Handy scripts, I must say.