Subdomain enumeration is the process of discovering all subdomains associated with a specific domain. It is often used in various contexts, including mapping out an organization’s attack surface and finding hidden or forgotten applications.

For example, mystore[.]com may have subdomains dedicated to different functions, such as help[.]mystore[.]com for customer support, login[.]mystore[.]com for user login, and blog[.]mystore[.]com for blogs and other articles.

While these subdomains are active and known, subdomain enumeration may also reveal the presence of test[.]mystore[.]com. This unused subdomain may have been set up during the early days of the business for testing purposes. As such, listing and securing all subdomains, both known and forgotten, is essential.

Read More about Subdomain Enumeration

Learn more about subdomain enumeration and relevant concepts.

What Are Subdomains?

Subdomains are part of a domain name created by adding a prefix before the main domain. It is mainly used to organize website content based on specific purposes, such as blogs, customer support, forums, or login portals.

Subdomains can have their own DNS configurations and records. They can be directed to unique IP addresses and function like independent websites. Therefore, each subdomain must also be secured independently, especially since vulnerabilities in one subdomain can affect others.

For instance, if multiple subdomains share the same web server, attackers can potentially exploit a vulnerability in one subdomain and use it to gain access to other subdomains on the same server.

Why Should You Perform Subdomain Enumeration?

Subdomain enumeration is a critical step in various cybersecurity processes. Below are some reasons why subdomain enumeration is important.

  • Subdomain enumeration enables complete attack surface visibility: An attack surface is the sum of all digital assets and their vulnerabilities. Subdomains are among the most used and critical assets organizations usually have, so they inevitably contribute to the expansion of their attack surfaces. Listing them all helps complete the attack surface picture, allowing security teams to secure and monitor them constantly.
  • Subdomains can become forgotten assets that are vulnerable to attacks: For example, a freelance web developer may set up test[.]mystore[.]com to test the appearance and functionality of a website. When the site was launched and the developer’s contract ended, the subdomain was not decommissioned and continued to be accessible. Since the new website administrator doesn’t know that the subdomain exists, it may have outdated security. That may make it vulnerable to subdomain takeovers, cyber attacks where threat actors take control of a subdomain.
Subdomain Enumeration can reveal forgotten assets
  • Subdomains can point to shadow IT: Shadow IT are applications that may be unauthorized and unmanaged by an organization’s IT department. These hidden applications may not adhere to organizational security policies or standards, creating potential vulnerabilities, compliance issues, and data security risks.

Subdomain enumeration is a valuable tool for attack surface management, shadow IT discovery, and strengthening an organization’s overall cybersecurity posture.

How Does Subdomain Enumeration Prevent Domain Takeovers?

Subdomain enumeration is crucial in preventing domain takeovers by helping organizations identify and secure all their subdomains as part of ASM. Here are some ways it contributes to preventing domain takeovers.

  • Identifies vulnerable subdomains: The process lets organizations discover all subdomains associated with their domain names. It includes actively used subdomains and those that may have been forgotten, unused, or unprotected. Identifying vulnerable subdomains is the first step in preventing domain takeovers.
  • Detecting misconfigurations: The process can uncover misconfigurations in DNS records or web servers that can lead to domain takeover vulnerabilities. For example, if a subdomain points to an expired or unmonitored service, it can be susceptible to takeovers.
  • Detecting subdomain takeover risks early: Organizations can proactively monitor for changes or additions to their subdomain ecosystem by regularly performing subdomain enumeration. The process lets them quickly detect any unauthorized subdomain creation or takeover before attackers can exploit them.
  • Providing timely remediation: Armed with the knowledge of all subdomains associated with their domain names, organizations can act promptly to secure vulnerable subdomains and fix misconfigurations or weaknesses identified during the enumeration process. The process can involve updating DNS records, removing unused subdomains, or implementing additional security measures.
  • Enabling continuous monitoring and maintenance: The process is not a one-time task but an ongoing process. By continuously monitoring their subdomain landscape, organizations can stay vigilant against emerging threats and ensure their entire domain hierarchy remains secure and under their control.

Is Subdomain Enumeration Active or Passive?

Subdomain enumeration can be active or passive, depending on the tools and techniques used to obtain a list of valid subdomains.

Active Subdomain Enumeration

Active subdomain enumeration entails direct interaction with the target domain name using advanced techniques, such as Domain Name System (DNS) brute-forcing. In DNS brute-forcing, scripts are used to send several requests to an extensive list of subdomains to see which ones exist.

Passive Subdomain Enumeration

Passive subdomain enumeration is less intrusive since it does not require direct interaction with the domain. Instead, it relies on publicly available information, such as DNS records, WHOIS databases, and search engine results. 

What Are the Steps in Subdomain Enumeration?

As part of AMS, subdomain enumeration typically involves several steps to systematically discover and identify subdomains associated with a target domain name. Here is a general outline of the steps it involves.

Step #1: Passive Enumeration

  1. DNS reconnaissance: Use passive DNS databases to gather information about subdomains associated with a target domain. These databases aggregate DNS records from various sources and can provide valuable insights into subdomain infrastructure.
  2. Search engine queries: Conduct advanced search engine queries to find indexed subdomains and related information about a target domain. Search for site-specific references to subdomains within search results.
  3. Web archives: Explore web archives like the Wayback Machine to uncover historical records of subdomains that may no longer be active but were previously associated with a target domain.

Step #2: Active Enumeration

  1. DNS zone transfers: Attempt DNS zone transfers if a target domain’s DNS servers are misconfigured to allow zone transfers. This process can provide a comprehensive list of subdomains and their associated DNS records.
  2. DNS brute-forcing or guessing: Use tools like Sublist3r, Knock, or dnsenum to perform DNS brute-forcing or guessing attacks by systematically enumerating possible subdomain names and checking for their existence.
  3. Reverse DNS lookups: Conduct reverse DNS lookups on IP addresses associated with a target domain to identify additional subdomains that may not be directly visible in DNS records.
  4. Certificate transparency (CT) logs: Query CT logs to find Secure Sockets Layer (SSL) certificates issued for the subdomains of a target domain. This process can reveal hidden or newly created subdomains that may not be publicly known.

Step #3: Consolidation and analysis

  1. Collate results: Gather all the subdomains obtained from passive and active enumeration into a single list for further analysis.
  2. Remove duplicates: Eliminate duplicate entries and organize the list to ensure it is clean and manageable.
  3. Prioritize targets: Prioritize subdomains based on relevance, significance, or potential risk to focus efforts on securing critical assets first.

Step #4: Verification and Validation

  1. DNS resolutions: Perform DNS resolutions to confirm the IP addresses of the discovered subdomains and check if they are reachable.
  2. Manual inspections: Manually inspect each subdomain to assess its purpose, ownership, and potential security implications. Look for signs of misconfiguration or vulnerability.

Step #5: Reporting and Remediation

  1. Document findings: Compile a detailed report documenting all the discovered subdomains, their associated information, and any identified security issue or concern.
  2. Remediation actions: Take appropriate remediation actions to secure vulnerable subdomains, update DNS configurations, or implement additional security measures.
Steps in Subdomain Enumeration

The goal of subdomain enumeration is to get a list of active subdomains as part of various cybersecurity processes but primarily to obtain a more complete picture of an organization’s attack surface.

Key Takeaways