Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.
One of the core products at SecurityTrails is our API. To keep its usage simple and user-friendly, we follow the industry best practices and standards that our user base will already be familiar with.
We take this further with extensive documentation that is easy to understand and interactive: on the documentation page you can run API calls in the browser and see the results directly.
The interactive API calls also show beginners how to construct the correct URL and call the right endpoint to fetch the data they need. Once you understand how the different API calls work, you can browse code snippets for your favorite language (Python, Java, PHP, Go, Ruby, Node, and JavaScript are supported) and use them locally or build on them to create your own OSINT investigative tool.
What is Subdomain-Enum?
This outline of our API brings us to Chaitanya Krishna, an independent developer who built his own script for enumerating subdomains with the SecurityTrails API. The tool is called Subdomain-Enum.
This interactive script finds all subdomains associated with a given domain and saves the results to a CSV file. It is written in Python and easy to follow for anyone familiar with writing code, which we'll demonstrate by extending and modifying it for other purposes, still using the SecurityTrails API.
Who should use it?
Subdomain enumeration is a quick way to find subdomains during reconnaissance or any other data-gathering task.
Whether you're on the offensive or defensive side of a target, enumerating subdomains gives you a broader picture of the hosts in common use, and it can also turn up long-forgotten hosts that are still connected and silently listening.
One notorious case of this kind of abuse was the PricewaterhouseCoopers (PwC) subdomain amyza-devapi.pwc.com, shown in the following image:
As the Google search above shows, the subdomain was filled with fake content and was hosting malware. This was possible because of a dangling CNAME record that pointed at a name no longer under PwC's control, which the attacker then registered for themselves. This is known as a subdomain takeover.
By doing so, they obtained a subdomain in good standing under a reputable apex domain and redirected users into a malware trap hosted at **amyca-dev-node.azurewebsites.net**. Records like this, left pointing at resources that no longer exist, are called stale (or dangling) DNS records.
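The check behind the takeover above is simple to automate once you have a list of subdomains: follow each CNAME and flag any chain that ends at a name returning NXDOMAIN. The following is an added example, not code from this post or from Subdomain-Enum. The sample zone is constructed (the names and the `example-cloud.test` target are hypothetical), the offline walkthrough runs against it, and `live_resolver` is an optional real-DNS variant that needs the third-party dnspython package. NXDOMAIN is the strong signal; providers that answer for any hostname and serve a "not found" page instead need a service-specific fingerprint check that this block does not implement.

```python
"""Flag subdomains whose CNAME chain ends at a name that no longer exists."""
from typing import Callable, Dict, List, Optional, Tuple

# A resolver takes (name, record type) and returns the record data as strings,
# [] when the name exists but has no record of that type, or None for NXDOMAIN.
Resolver = Callable[[str, str], Optional[List[str]]]

# Constructed sample zone for the offline walkthrough; none of these are real records.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("www.example.com", "CNAME"): ["example.com."],
    ("example.com", "A"): ["192.0.2.10"],
    ("blog.example.com", "CNAME"): ["blog-host.example.net."],
    ("blog-host.example.net", "A"): ["192.0.2.20"],
    ("mail.example.com", "A"): ["192.0.2.30"],
    # Hypothetical leftover record: the hosting resource it pointed at was deleted,
    # so the target name now returns NXDOMAIN and whoever can claim it controls it.
    ("devapi.example.com", "CNAME"): ["dev-node.example-cloud.test."],
}
SAMPLE_NAMES = sorted({name for (name, _) in SAMPLE_ZONE})


def sample_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Offline resolver over SAMPLE_ZONE with the same contract as live_resolver."""
    name = name.rstrip(".").lower()
    if name not in SAMPLE_NAMES:
        return None  # NXDOMAIN
    return SAMPLE_ZONE.get((name, rrtype), [])


def live_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Real DNS lookups; needs dnspython (pip install dnspython), imported lazily."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rrtype)
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []
    return [rdata.to_text() for rdata in answer]


def find_dangling(names, resolver: Resolver, max_hops: int = 8) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME chain ends in NXDOMAIN.

    A CNAME whose target exists (even without a CNAME of its own) is left alone;
    a chain longer than max_hops is treated as a loop and skipped.
    """
    dangling: List[Tuple[str, str]] = []
    for name in names:
        cname = resolver(name, "CNAME")
        if not cname:
            continue  # no CNAME (or the name itself is gone): not a candidate for this test
        target = cname[0].rstrip(".").lower()
        for _ in range(max_hops):
            nxt = resolver(target, "CNAME")
            if nxt is None:
                dangling.append((name, target))  # target no longer exists
                break
            if not nxt:
                break  # target exists and ends the chain
            target = nxt[0].rstrip(".").lower()
    return dangling


if __name__ == "__main__":
    for sub, tgt in find_dangling(SAMPLE_NAMES, sample_resolver):
        print(f"possible takeover: {sub} -> {tgt} (NXDOMAIN)")
```

To run it against real names, pass the subdomain list from Subdomain-Enum's CSV and `live_resolver` in place of `sample_resolver`; the rest of the logic is unchanged.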
Installing Subdomain-Enum
Let's proceed with installing the Python script. Remember that it's always wise to use some kind of sandbox when installing new software: a virtual machine (VM), a container, or a remote test server. We are using Ubuntu 18.04 for this review, so the commands here should apply to Debian-based distros (and, with a few minor tweaks, to other distros as well).
First, we should update our sandbox and install the software we need:
Now we can make a Python virtual environment to install the necessary Python packages:
We noticed that the Subdomain-Enum repo does not have a 'requirements.txt' file listing the required packages. After looking at the script, the only third-party Python library it needs is 'requests' (which we installed above).
There are many ways to install and use Python virtual environments. Any method that gives you a working virtualenv should let you use the instructions below as is. If you install the necessary Python packages via 'apt' instead, you may need to adapt the scripts below (we have not verified this).
If you haven't already, get your free API key today. With the key ready, add it to the script on line 12 of the subdomain-enum.py file. From then on, treat that file as a secret: keep it out of any public repository and out of shared screenshots.
Once your API key is stored and saved...
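As an added example of what the script does at its core (this is not Subdomain-Enum's own code or anything from the post), here is a small client for the SecurityTrails subdomains endpoint that saves the result as a CSV. The endpoint path (`/v1/domain/{domain}/subdomains`), the `APIKEY` request header, and the response's `subdomains` array of labels relative to the apex are taken from the SecurityTrails v1 API documentation as I know it; check them against the current docs. Unlike the line-12 edit above, the key is read from an environment variable (`SECURITYTRAILS_API_KEY`, a name chosen for this example) so it never lands in the source file. `SAMPLE_RESPONSE` is a constructed stand-in for a real reply so the parsing can be exercised offline.

```python
"""Query the SecurityTrails subdomains endpoint and save the result as CSV."""
import csv
import os
import sys
from typing import Dict, Iterable, List

API_BASE = "https://api.securitytrails.com/v1"


def subdomains_url(domain: str) -> str:
    return f"{API_BASE}/domain/{domain}/subdomains"


def to_fqdns(payload: Dict, domain: str) -> List[str]:
    """Turn the API's list of labels (relative to the apex) into sorted, de-duplicated FQDNs."""
    labels = payload.get("subdomains") or []
    return sorted({f"{label.strip('.').lower()}.{domain}" for label in labels if label.strip(".")})


def fetch_subdomains(domain: str, api_key: str, timeout: float = 30.0) -> List[str]:
    """One GET against the subdomains endpoint; the key travels in the APIKEY header."""
    import requests  # third-party, imported lazily so the parsing helpers work without it
    resp = requests.get(
        subdomains_url(domain),
        headers={"APIKEY": api_key, "Accept": "application/json"},
        timeout=timeout,
    )
    if resp.status_code == 429:
        raise RuntimeError("rate limited by the API; wait and retry")
    resp.raise_for_status()
    return to_fqdns(resp.json(), domain)


def write_csv(fqdns: Iterable[str], path: str) -> int:
    """Write one FQDN per row under a 'subdomain' header; returns the row count."""
    count = 0
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["subdomain"])
        for fqdn in fqdns:
            writer.writerow([fqdn])
            count += 1
    return count


# Constructed stand-in for an API response, shaped like the documented JSON.
SAMPLE_RESPONSE = {
    "endpoint": "/v1/domain/example.com/subdomains",
    "subdomain_count": 4,
    "subdomains": ["www", "mail", "Dev.api", "www"],
}


if __name__ == "__main__":
    # Usage: SECURITYTRAILS_API_KEY=... python subenum_example.py example.com out.csv
    if len(sys.argv) != 3:
        sys.exit("usage: subenum_example.py <domain> <output.csv>")
    key = os.environ.get("SECURITYTRAILS_API_KEY")
    if not key:
        sys.exit("set SECURITYTRAILS_API_KEY in the environment rather than in the script")
    results = fetch_subdomains(sys.argv[1], key)
    print(f"wrote {write_csv(results, sys.argv[2])} subdomains to {sys.argv[2]}")
```

The parsing is kept separate from the HTTP call on purpose: `to_fqdns` normalises case, drops duplicates and rebuilds full hostnames, which is exactly the list you would feed into a dangling-CNAME check or any other follow-up tooling.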