Introduction
One of the most important steps in web application testing or bug bounty hunting is enumeration. Enumeration is the first stage of an engagement against a target network: the process of actively or passively collecting information about the target. The more information we collect, the easier the later exploitation steps become. Although web enumeration is this important, it is one of the steps most often neglected by pen-testers. In this article we cover the basic methodology for web enumeration.
Web Enumeration Flow Chart
The diagram below shows the steps followed by many top-level bug bounty hunters and web application testers.
Identifying IPs and Top-Level Domains
Identifying the IP addresses and the servers behind the target's main domain is the initial step of enumeration. A built-in tool for this, host, is available in Kali. The syntax is shown below:
- host -a example.com
Identifying Sub-Domains
A subdomain is, as the name suggests, an additional section of the main domain name. In most cases the main domain of a website is tested by many pen-testers while the subdomains are left untouched, so many critical vulnerabilities on these subdomains go unexploited. Developers also frequently leave private subdomains publicly reachable, and these can contain useful information about the target or the organization. For these reasons it is always worth finding as many subdomains of the target as possible.
There are basically two ways of enumerating subdomains:
- Subdomain Scraping
- Brute forcing (for example with SubBrute)
Scraping
Scraping is a passive reconnaissance technique whereby one uses external services and sources to gather subdomains belonging to a specific host. Some search services index subdomains that have been crawled in the past, allowing you to collect and sort the results quickly without much effort. A few useful tools for this are listed below:
1. Sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It collects subdomains from many search engines such as Google and Yahoo, and also enumerates using Netcraft, VirusTotal, ReverseDNS, DNSdumpster and ThreatCrowd.
Download: https://github.com/aboul3la/Sublist3r
The syntax for sublist3r is shown below:
- python sublist3r.py -d example.com
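Whichever scraping tool you use, the raw results from several sources come back noisy (mixed case, wildcards, URLs, trailing dots, duplicates) and often include hosts that merely contain the target's name, so they must be normalized and scope-checked before the next step. The Python below is an added example, not code from the original article or from Sublist3r; RAW_RESULTS is a constructed sample and the function names are my own.

```python
import re
from typing import Iterable, List

# Constructed sample: lines as they might come back from several passive
# sources (search-engine index, certificate logs, DNS dumps). Deliberately
# noisy: wildcards, mixed case, URLs, ports, trailing dots, duplicates and
# out-of-scope hosts that merely contain the apex name.
RAW_RESULTS = [
    "www.example.com",
    "WWW.Example.COM",
    "*.dev.example.com",
    "https://api.example.com:8443/v1/users",
    "mail.example.com.",
    "example.com",
    "notexample.com",             # different apex, must be dropped
    "example.com.attacker.test",  # apex embedded in another name, must be dropped
    "staging-db.example.com",
    "",
]

# Hostname-style (letters, digits, hyphen) label, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry: str) -> str:
    """Reduce one scraped line to a bare lowercase hostname (or '')."""
    host = entry.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop URL scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.rstrip(".")                             # drop trailing dot
    if host.startswith("*."):                           # wildcard -> parent zone
        host = host[2:]
    return host

def in_scope(host: str, apex: str) -> bool:
    """True only for the apex itself or a label-boundary subdomain of it."""
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        return False
    return host == apex or host.endswith("." + apex)  # not a bare substring test

def merge_subdomains(raw: Iterable[str], apex: str) -> List[str]:
    """Normalize, scope-check, de-duplicate and sort scraped results."""
    apex = apex.lower().rstrip(".")
    found = {h for h in map(normalize, raw) if in_scope(h, apex)}
    return sorted(found, key=lambda h: (h.count("."), h))  # shallow names first

if __name__ == "__main__":
    for h in merge_subdomains(RAW_RESULTS, "example.com"):
        print(h)
```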