Today I would like to make a short post about how I enumerate subdomains when approaching a new target and why I created AutoRecon.

Subdomain enumeration, monitoring & automation

When I first created AutoRecon I wanted to automate the whole reconnaissance process, but I quickly realized that this was very difficult and, in the end, not even useful. Why?

  • Reconnaissance depends on the target
  • Running a whole bunch of tools and simply being satisfied with their results missed too much information.

Initially the tool checked CORS, subdomain takeover, open ports, JS files, … The output was terrible and I spent a considerable amount of time digging for the interesting information, so I preferred to cut down the tools I had been chaining until then to just subdomain enumeration and a scan with Aquatone. That said, it is not impossible that in the next version I will reintegrate the subdomain takeover check (as an option) via Tko-Subs.

Here are the tools I use today in AutoRecon:

  • Amass: according to all my tests it is the best tool for subdomain enumeration; not the fastest, but the one with the most complete results, especially when used with the external (configurable) APIs.
  • DnsGen: generates permutations of the domains found; it is super fast, which is pretty cool.
  • ShuffleDNS: checks which domains actually resolve and removes wildcard results; its latest version makes it rather fast (the project is also based on MassDNS).
  • Aquatone: even if the project no longer seems to be maintained, it is a must-have. It scans a list of domains and produces an HTML report with a screenshot of each site, we get the response headers, and the tool is able to check whether a site is present on a whole bunch of different ports.
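To make the two middle steps of that chain concrete, here is an added Python example (my own illustration, not AutoRecon's, DnsGen's or ShuffleDNS's code) of what they do: generating label permutations from already-known hosts and a word list, then dropping candidates that only resolve because of a wildcard record. The host names, IPs, word list and the in-memory resolver are constructed stand-ins so the script runs offline, and the permutation rules are a simplified subset of DnsGen's.

```python
"""Permutation generation and wildcard filtering, written out for illustration.

This is an added example, not code from AutoRecon, DnsGen or ShuffleDNS.
Everything below (hosts, IPs, words, resolver) is constructed test data.
"""
import secrets

APEX = "example.com"
# Constructed: hosts an enumeration tool such as Amass might have returned.
KNOWN_HOSTS = {"www.example.com", "dev.example.com", "wild.example.com"}
# Constructed: a tiny word list; DnsGen ships a much larger one.
WORDS = ["api", "staging"]

# Constructed stand-in for DNS. Explicit records first; anything under
# WILDCARD_ZONES resolves to the zone's wildcard IP (like *.wild.example.com).
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "dev.example.com": "203.0.113.11",
    "dev-api.example.com": "203.0.113.12",
    "wild.example.com": "203.0.113.20",
    # A real host inside the wildcard zone with its own, different IP.
    "staging.wild.example.com": "203.0.113.50",
}
WILDCARD_ZONES = {"wild.example.com": "203.0.113.99"}


def resolve(name):
    """Return the IP for name, or None when it does not resolve."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    for zone, ip in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            return ip
    return None


def permutations(hosts, apex, words):
    """Simplified DnsGen-style permutations of the labels left of the apex.

    For every word: prefix/suffix each existing label with "word-"/"-word"
    and insert the word as a label of its own at every position.
    """
    out = set()
    suffix = "." + apex
    for host in hosts:
        labels = host[: -len(suffix)].split(".")
        for w in words:
            for i, label in enumerate(labels):
                for new in (f"{w}-{label}", f"{label}-{w}"):
                    out.add(".".join(labels[:i] + [new] + labels[i + 1:]) + suffix)
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
    out.difference_update(hosts)  # only report names we did not already know
    return out


def filter_wildcards(candidates):
    """ShuffleDNS-style wildcard removal.

    A candidate is kept only if it resolves AND its IP differs from what a
    random label under the same parent resolves to. A host that lives in a
    wildcard zone but has its own IP is therefore kept.
    """
    kept, probe_cache = {}, {}
    for name in sorted(candidates):
        ip = resolve(name)
        if ip is None:
            continue
        parent = name.split(".", 1)[1]
        if parent not in probe_cache:
            # One random probe per parent zone tells us its wildcard IP (if any).
            probe_cache[parent] = resolve(secrets.token_hex(8) + "." + parent)
        if probe_cache[parent] == ip:
            continue  # resolves only because of a wildcard record
        kept[name] = ip
    return kept


def run_chain():
    """Known hosts -> permutations -> resolved, wildcard-free hosts."""
    return filter_wildcards(permutations(KNOWN_HOSTS, APEX, WORDS))


if __name__ == "__main__":
    for host, ip in run_chain().items():
        print(f"{host}\t{ip}")
```

With these constructed records the 24 permutations collapse to two real finds: dev-api.example.com, and staging.wild.example.com, which survives the wildcard filter because its own IP differs from the one *.wild.example.com hands back, while api.wild.example.com is correctly discarded.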

In addition to AutoRecon, I now use Monitorizer, which lets me monitor the output for new subdomains; the tool also runs a port scan directly when a new domain is detected and notifies you via Slack.

The output produced by AutoRecon can then be fed into many other tools, for example:

  • Hakrawler and Kxss to crawl the site and try to find some “easy” XSS
  • Waybackurls to try to discover old endpoints
  • LinkFinder to scan JS files and also find new endpoints
  • Masscan to discover open ports
  • Arjun to discover hidden parameters
  • Corsy to analyze CORS configurations

Conclusion

In short… many tools can be used, but in my opinion they should match what you are looking for rather than being launched in the hope of a miracle result. For example, if you want to find a CORS misconfiguration and there are 500 domains to check, running Corsy actually seems a good start, followed by a second, manual analysis of the results you think are relevant. It is exactly for this reason that today I prefer to automate only my subdomain search rather than my entire recon process.

I'm not an experienced hunter, but reconnaissance is an important element, and especially, I think, subdomain enumeration, because discovering a domain first, or one that no other hunter has found, may well be a real gold mine!