Subdomain Enumeration

Subdomain enumeration is the process of identifying and mapping the subdomains associated with a given domain name. It allows security teams to get a complete layout of their organizations’ websites.

Since subdomains are generally Internet-facing assets, they are often targeted in cyber attacks and can serve as potential attack entry points. For this reason, subdomain enumeration is a crucial part of external attack surface management (EASM), particularly of the asset discovery process.

Table of Contents

• Why Is Subdomain Enumeration Important?
• What Are the Types of Subdomain Enumeration?
• What Tools Can You Use for Subdomain Enumeration?
• What Security Risks Can Subdomain Enumeration Help Minimize?
• What Common Vulnerabilities Affect Subdomains?
• Who Performs Subdomain Enumeration?

Subdomain Enumeration: A Deep Dive

Why Is Subdomain Enumeration Important?

Subdomain enumeration is a critical security process because it can contribute to the following:

• Attack surface reduction: Each subdomain represents a potential attack vector, contributing to attack surface expansion. As such, security teams need to ensure that all subdomains are necessary and well secured. The first step to achieve that goal is to get a list of all the subdomains under a given domain name.

• Hidden application or shadow IT discovery: Subdomains are often used for internal applications, development environments, and testing purposes. Some of them may not be approved by security teams and potentially lack in security controls.

• Vulnerability detection: Once subdomains are enumerated, security teams can proceed with vulnerability scanning and uncover issues that could lead to subdomain takeover, sensitive data exposure, or unauthorized system access.

• Forgotten asset discovery: Organizations sometimes forget about old subdomains that are no longer in use. They can become security risks if not adequately secured. Enumerating subdomains can help uncover forgotten and unprotected subdomains.

What Are the Types of Subdomain Enumeration?

There are two main types of subdomain enumeration—passive and active. Some organizations combine both techniques to get the most out of security processes.

What Is Active Subdomain Enumeration?

Active subdomain enumeration involves directly interacting with a target domain or its associated systems to identify subdomains.

This type of subdomain enumeration is resource-intensive and may have legal and ethical implications since it requires sending a large number of requests to a target domain. Because of its intrusive nature, active subdomain enumeration may trigger security alerts.

DNS brute forcing and DNS zone transfers are examples of active subdomain enumeration techniques, which we will explain in greater detail below.

DNS Brute Forcing

DNS brute forcing involves systematically guessing the names of possible subdomains and checking if they resolve to valid IP addresses. The list of subdomains for testing is typically based on common patterns and involves generic terms, such as “blog,” “mail,” and “www.”

Each subdomain should then be queried to check if it resolves to an IP address. A successful resolution means the subdomain likely exists. The person behind the subdomain enumeration can then analyze the IP address, determine its purpose, and find potential vulnerabilities.

DNS Zone Transfers

Another way to obtain a list of subdomains is to request a copy of the entire DNS zone through a DNS zone transfer. This process not only reveals all subdomains but also includes their associated DNS records.

Since modern networks are often protected by firewall rules that filter DNS requests, DNS zone transfers can only be performed by authorized parties, such as domain registrars and system administrators.

What Is Passive Subdomain Enumeration?

Passive subdomain enumeration involves gathering information from publicly available sources to identify subdomains. It is a less intrusive approach than active enumeration, as it does not involve directly interacting with a target domain.

Some passive enumeration techniques involve obtaining subdomain information from DNS records and certificate transparency logs, among other data sources.

SSL Certificate Transparency Logs

When a new subdomain is created and a Secure Sockets Layer (SSL) certificate is issued, the certificate is typically published in a Certificate Transparency (CT) log, a public record of all certificates issued by a Certificate Authority (CA).

Analyzing CT logs can, therefore, help identify new subdomains that have certificates.

Search Engine Queries

A list of subdomains can also be obtained using search engines like Google, Bing, or DuckDuckGo to search for terms related to the target domain, such as “example.com blog” or “example.com forum.”

Another way these search engines can help is by using site operators like “site:” to search for specific domains or subdomains.

Passive DNS Repositories

Passive DNS databases collect and store historical DNS records, allowing users to analyze past DNS activities and identify subdomains that may have existed at one point. To perform subdomain enumeration using a passive DNS repository, users query it for historical DNS records related to a specific domain.

What Tools Can You Use for Subdomain Enumeration?

There are different subdomain enumeration tools relying on either passive, active, or both passive and active subdomain enumeration. The more techniques the tool uses, the more subdomains it will be able to find.

For example, Attaxion, an external attack surface management platform, offers users the choice between passive and active + passive subdomain enumeration. In both modes, it usually finds more subdomains than free passive subdomain discovery tools, but with active subdomain enumeration, the difference can be particularly drastic.

Sign up for a free 30-day trial or book a demo to see Attaxion’s subdomain enumeration in action.

What Security Risks Can Subdomain Enumeration Help Minimize?

While subdomains can help organize content or separate different aspects of a business, they can also present certain security risks. As such, it’s essential to have an updated list of subdomains you need to keep track of, and subdomain enumeration is one way to do that.

For one, accurate and thorough subdomain enumeration helps prevent attack surface expansion. Subdomains create additional entry points for attackers. Each subdomain is essentially a separate website, which means more opportunities for threat actors to exploit vulnerabilities. Hence, they broaden an attack surface, especially when subdomains are unprotected and unmonitored.

Subdomain enumeration is also one of the first steps in preventing subdomain takeovers. These attacks occur when a subdomain’s DNS records are compromised or the subdomain is not properly configured or protected, allowing an attacker to gain control of it. The threat actor can redirect traffic to malicious websites, distribute malware, or steal sensitive information.

What Common Vulnerabilities Affect Subdomains?

Subdomain enumeration alone cannot minimize the risks mentioned above. Security teams also need to scan assets for security issues.

One type of issue to look out for is DNS misconfiguration since 21% of active subdomain records are unresolved. This instance can occur, for example, when the canonical name (CNAME) record for a subdomain points to a domain that is no longer active or owned by the organization. If left unaddressed, this misconfiguration exposes companies to the risk of subdomain takeover.

Another common security issue with subdomains is the presence of cross-site scripting (XSS) vulnerabilities, which allow attackers to inject malicious code into web pages. Additionally, using insecure protocols like HTTP instead of HTTPS for subdomains is a frequent problem, as it can expose sensitive data to eavesdropping and man-in-the-middle (MitM) attacks.

Who Performs Subdomain Enumeration?

Subdomain enumeration is primarily performed by security professionals, such as security analysts, penetration testers, and ethical hackers. They use the method to identify potential vulnerabilities and assess the security posture of a target organization.

Threat intelligence analysts also use subdomain enumeration to gather information about malicious actors and their infrastructure.

Meanwhile, competitive intelligence analysts may use subdomain enumeration to gain insights into their competitors’ online presence and identify new products or services.

Unfortunately, malicious actors can also use subdomain enumeration to identify vulnerabilities in the target system and launch attacks.

—

Subdomains constitute a significant part of an organization’s infrastructure. Subdomain enumeration can help complete an organization’s network view, enabling security teams to develop targeted security strategies to protect their assets.

Key Takeaways

• Subdomain enumeration is the process of identifying and mapping the subdomains associated with a domain name.
• It helps reduce attack surfaces, discover hidden applications, detect vulnerabilities, and find forgotten assets.
• Active enumeration directly interacts with a target domain, can be resource-intensive, and has legal and ethical implications.
• Passive enumeration is less intrusive and gathers information from publicly available sources.

Ready to see how Attaxion can help you protect your subdomains and other public-facing assets?  Start your free trial now.

Interested to Learn More?

• 4 Common Network Vulnerabilities  
• What Is Exposure Management?