TryHackMe | Subdomain Enumeration | Walkthrough

Learn the various ways of discovering subdomains to expand the attack surface of a target. *As always, I recommend to read through every task to get a complete understanding of each room. Happy learning!* ♾️TIMESTAMP ♾️ 0:55 Task 1 - Brief 1:32 Task 2 - OSINT - SSL/TLS Certificates 2:53 Task 3 - OSINT - SSL/TLS Certificates 4:25 Task 4 - DNS Bruteforce 4:56 Task 5 - OSINT - Sublist3r 5:29 Task 6 - Virtual Hosts Subdomain enumeration, also known as subdomain discovery or subdomain scanning, is the process of identifying and mapping subdomains associated with a particular domain. Subdomains are prefixes added to a domain name, such as "subdomain.example.com," which can be used to organize and manage different sections or services within a larger domain. Subdomain enumeration is important for security researchers, system administrators, and penetration testers to gain a comprehensive understanding of a target's attack surface. By discovering subdomains, one can identify potential entry points, misconfigurations, or vulnerable systems that may exist within the domain's infrastructure. There are various techniques and tools available for subdomain enumeration. These include: DNS brute-forcing: Iteratively querying the DNS (Domain Name System) server for different subdomains to check if they resolve to valid IP addresses. Search engine scraping: Using search engines to look for indexed subdomains associated with the target domain. Zone transfers: Attempting to retrieve the complete DNS zone file from a DNS server to identify all the subdomains. Certificate transparency logs: Monitoring public certificate transparency logs to find subdomains that have been issued SSL/TLS certificates. Third-party reconnaissance tools: Utilizing specialized tools or online services designed for subdomain enumeration, which leverage a combination of techniques and data sources. The information obtained from subdomain enumeration can be valuable for vulnerability assessment, identifying potential points of entry, or performing targeted security testing. However, it's important to note that subdomain enumeration should always be conducted within the legal and ethical boundaries and with proper authorization.