How to create a subdomain enumeration toolkit


A domain name is an important part of the reconnaissance process during a security assessment or even for many bug bounty challenges. In this article, we’ll look at how a domain can be classified. Within this context, two scenarios of how to take advantage of domain misconfigurations will be analyzed. Finally, we’ll discuss building a subdomain enumeration.

A domain represents a label for IP addresses on the internet — a short link associated with an IP address. In detail, a domain can be analyzed based on two different perspectives: vertical domain correlation and horizontal domain correlation (shown in Figure 1).

  • Vertical domain correlation: Vertical domain correlation is a process that reveals domains in the same domain base. This process is also known as subdomain enumeration.
  • Horizontal domain correlation: Horizontal domain correlation is a process of finding other domain names, which have a different second-level domain name but are related to the same entity.


Figure 1: Examples of vertical and horizontal domain correlation.

Taking advantage of subdomain enumeration

Discovering subdomains can unveil potential weaknesses and vulnerabilities. For instance, one of the popular vulnerabilities within this context is domain takeover. By exploring this misconfiguration flaw, a malicious agent could claim a vulnerable subdomain. As a result, the criminal could launch social engineering campaigns against a target audience or even take advantage of legacy systems that are still communicating with those domains to obtain sensitive data, e.g., session cookies.

Scenario 1

Imagine that the subdomain “” was pointing to a specific IP address, e.g., a shared host, and is related to an old service from the company. Meanwhile, you have access to the shared hosting service and have the possibility to upload content to the vhost folder of “”. Here, you can (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: