Subdomains are often used to host additional websites for a specific subset of users.

Popular subdomains include m.facebook.com, mobile.twitter.com and developer.github.com.

These subdomains are useful to attackers because the subdomain and the main domain may in fact be hosted on entirely different virtual private servers, in different parts of the world, and may not enforce the same degree of security.

The dns-brute script built into Nmap is designed to enumerate subdomains and their corresponding server IP addresses.

nmap -p80,443 --script dns-brute targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.16s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     http.targetWebsite.com - 198.105.244.228
|     http.targetWebsite.com - 198.105.254.228
|     mysql.targetWebsite.com - 198.105.244.228
|     mysql.targetWebsite.com - 198.105.254.228
|     news.targetWebsite.com - 104.17.202.106
|     news.targetWebsite.com - 104.17.203.106
|     news.targetWebsite.com - 104.17.204.106
|     news.targetWebsite.com - 104.17.205.106
|     news.targetWebsite.com - 104.17.206.106
|     app.targetWebsite.com - 104.97.95.87
|     apps.targetWebsite.com - 12.18.141.21
|     web.targetWebsite.com - 198.105.244.228
|     web.targetWebsite.com - 198.105.254.228
|     auth.targetWebsite.com - 204.238.150.111
|     web2test.targetWebsite.com - 198.105.244.228
|     web2test.targetWebsite.com - 198.105.254.228
|     beta.targetWebsite.com - 98.99.252.42
|     id.targetWebsite.com - 98.99.254.9
|     blog.targetWebsite.com - 216.87.148.114
|     www.targetWebsite.com - 104.97.95.87
|     www2.targetWebsite.com - 207.76.137.99
|     cms.targetWebsite.com - 98.99.252.57
|     ldap.targetWebsite.com - 98.99.254.57
|     owa.targetWebsite.com - 98.99.252.118
|     sip.targetWebsite.com - 199.233.179.46
|     mail.targetWebsite.com - 98.99.254.8
|     mobile.targetWebsite.com - 216.87.148.114
|     help.targetWebsite.com - 98.99.252.46
|     home.targetWebsite.com - 198.105.244.228
|_    home.targetWebsite.com - 198.105.254.228

Nmap done: 1 IP address (1 host up) scanned in 32.62 seconds

This particular website has many subdomains configured, and not all of them share the same IP address. At this point, a penetration tester can extend their reconnaissance to the newly discovered servers under this website's control.
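To turn a dns-brute listing into a list of distinct servers, the names have to be grouped by the addresses they resolve to. The following script is an added example and not part of the original page: it parses Nmap's normal text output for the dns-brute script and groups hostnames that share exactly the same address set, so that names landing on one server (or answered by a single wildcard record) are reviewed once rather than counted as separate hosts. SAMPLE_OUTPUT is a constructed excerpt in the shape of the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dns-brute output shown on this page.
SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     web.targetWebsite.com - 198.105.244.228
|     web.targetWebsite.com - 198.105.254.228
|     home.targetWebsite.com - 198.105.244.228
|     home.targetWebsite.com - 198.105.254.228
|     news.targetWebsite.com - 104.17.202.106
|     news.targetWebsite.com - 104.17.203.106
|_    mail.targetWebsite.com - 98.99.254.8

Nmap done: 1 IP address (1 host up) scanned in 32.62 seconds
"""

# One result line: "|" or "|_" prefix, hostname, " - ", IPv4 address.
# Header lines such as "| dns-brute:" do not match because of the ":".
LINE_RE = re.compile(
    r"^\|_?\s+(?P<host>[A-Za-z0-9.-]+)\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_dns_brute(text):
    """Return {hostname: sorted list of IPs} from dns-brute normal output.
    Hostnames are lower-cased so MAIL.x.com and mail.x.com collapse into one."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts[m.group("host").lower()].add(m.group("ip"))
    return {h: sorted(ips) for h, ips in hosts.items()}

def group_by_address_set(hosts):
    """Group hostnames whose complete address set is identical.
    Each key is a tuple of IPs; the value is the sorted list of names on it."""
    groups = defaultdict(list)
    for host, ips in hosts.items():
        groups[tuple(ips)].append(host)
    return {ips: sorted(names) for ips, names in groups.items()}

if __name__ == "__main__":
    groups = group_by_address_set(parse_dns_brute(SAMPLE_OUTPUT))
    # Largest groups first: many names on one address set deserve a second look.
    for ips, names in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(", ".join(ips), "<-", ", ".join(names))
```

Feed it a saved scan (for example the normal output written with -oN) instead of SAMPLE_OUTPUT to process a real run.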

Below is a dns-brute command that uses several --script-args.

nmap -p80,443 --script dns-brute --script-args dns-brute.threads=25,dns-brute.hostlist=/root/Desktop/custom-subdomain-wordlist.txt targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.17s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www7.targetWebsite.com - 198.105.244.228
|     www7.targetWebsite.com - 198.105.254.228
|     www.targetWebsite.com - 104.97.95.87
|     webdisk.test.targetWebsite.com - 198.105.244.228
|     webdisk.test.targetWebsite.com - 198.105.254.228
|     www4.targetWebsite.com - 198.105.244.228
|     www4.targetWebsite.com - 198.105.254.228
|     www1.targetWebsite.com - 198.105.244.228
|     www1.targetWebsite.com - 198.105.254.228
|     app.targetWebsite.com - 104.97.95.87
|     mail.targetWebsite.com - 98.99.254.8
|     www.m.targetWebsite.com - 198.105.244.228
|     www.m.targetWebsite.com - 198.105.254.228
|     meet.targetWebsite.com - 199.233.179.60
|     members.targetWebsite.com - 52.85.88.11
|     members.targetWebsite.com - 52.85.88.178
|     members.targetWebsite.com - 52.85.88.184
|     members.targetWebsite.com - 52.85.88.186
|     webmail2.targetWebsite.com - 198.105.244.228
|     webmail2.targetWebsite.com - 198.105.254.228
|     ww2.targetWebsite.com - 198.105.244.228
|     ww2.targetWebsite.com - 198.105.254.228
|     sip.targetWebsite.com - 199.233.179.46
|     www.beta.targetWebsite.com - 198.105.244.228
|     www.beta.targetWebsite.com - 198.105.254.228
|     news.targetWebsite.com - 104.17.202.106
|     news.targetWebsite.com - 104.17.203.106
|     news.targetWebsite.com - 104.17.204.106
|     news.targetWebsite.com - 104.17.205.106
|     news.targetWebsite.com - 104.17.206.106
|     www.news.targetWebsite.com - 198.105.244.228
|     www.news.targetWebsite.com - 198.105.254.228
|     www.shop.targetWebsite.com - 198.105.244.228
|     www.shop.targetWebsite.com - 198.105.254.228
|     portal.targetWebsite.com - 192.237.142.31
|     preview.targetWebsite.com - 104.97.95.87
|     search.targetWebsite.com - 98.99.252.118
|     www.support.targetWebsite.com - 198.105.244.228
|     www.support.targetWebsite.com - 198.105.254.228
|     api.targetWebsite.com - 98.99.252.56
|     share.targetWebsite.com - 69.28.231.168
|     mobile.targetWebsite.com - 216.87.148.114
|     lyncdiscover.targetWebsite.com - 199.233.179.60
|     mysql.targetWebsite.com - 198.105.244.228
|     mysql.targetWebsite.com - 198.105.254.228
|     owa.targetWebsite.com - 98.99.252.118
|     webdisk.forum.targetWebsite.com - 198.105.244.228
|     webdisk.forum.targetWebsite.com - 198.105.254.228
|     www.blog.targetWebsite.com - 198.105.244.228
|     www.blog.targetWebsite.com - 198.105.254.228
|     beta.targetWebsite.com - 98.99.252.42
|     partner.targetWebsite.com - 98.99.252.118
|     a.targetWebsite.com - 63.149.195.18
|     a.targetWebsite.com - 67.134.222.254
|     a.targetWebsite.com - 8.33.184.254
|     blogs.targetWebsite.com - 98.99.252.176
|     webdisk.m.targetWebsite.com - 198.105.244.228
|     webdisk.m.targetWebsite.com - 198.105.254.228
|     webdisk.demo.targetWebsite.com - 198.105.244.228
|     webdisk.demo.targetWebsite.com - 198.105.254.228
|     ldap.targetWebsite.com - 98.99.254.57
|     www.webmail.targetWebsite.com - 198.105.244.228
|     www.webmail.targetWebsite.com - 198.105.254.228
|     webmail.targetWebsite.com - 98.99.254.8
|     web3.targetWebsite.com - 198.105.244.228
|     web3.targetWebsite.com - 198.105.254.228
|     community.targetWebsite.com - 216.87.148.114
|     webmail.cp.targetWebsite.com - 198.105.244.228
|     webmail.cp.targetWebsite.com - 198.105.254.228
|     www.demo.targetWebsite.com - 198.105.244.228
|     www.demo.targetWebsite.com - 198.105.254.228
|     remote.targetWebsite.com - 216.87.148.114
|     my.targetWebsite.com - 198.105.244.228
|     my.targetWebsite.com - 198.105.254.228
|     webdisk.dev.targetWebsite.com - 198.105.244.228
|     webdisk.dev.targetWebsite.com - 198.105.254.228
|     www.forum.targetWebsite.com - 198.105.244.228
|     www.forum.targetWebsite.com - 198.105.254.228
|     webdisk.targetWebsite.com - 198.105.244.228
|     webdisk.targetWebsite.com - 198.105.254.228
|     www.test.targetWebsite.com - 198.105.244.228
|     www.test.targetWebsite.com - 198.105.254.228
|     www.mobile.targetWebsite.com - 198.105.244.228
|     www.mobile.targetWebsite.com - 198.105.254.228
|     web1.targetWebsite.com - 198.105.244.228
|     web1.targetWebsite.com - 198.105.254.228
|     relay.targetWebsite.com - 98.99.254.28
|     web2.targetWebsite.com - 198.105.244.228
|     web2.targetWebsite.com - 198.105.254.228
|     web.targetWebsite.com - 198.105.244.228
|     web.targetWebsite.com - 198.105.254.228
|     dialin.targetWebsite.com - 199.233.179.60
|     jobs.targetWebsite.com - 216.87.148.114
|     webdisk.blog.targetWebsite.com - 198.105.244.228
|     webdisk.blog.targetWebsite.com - 198.105.254.228
|     home.targetWebsite.com - 198.105.244.228
|     home.targetWebsite.com - 198.105.254.228
|     www3.targetWebsite.com - 198.105.244.228
|     www3.targetWebsite.com - 198.105.254.228
|     www.store.targetWebsite.com - 104.16.53.60
|     www.store.targetWebsite.com - 104.16.54.60
|     www6.targetWebsite.com - 198.105.244.228
|     www6.targetWebsite.com - 198.105.254.228
|     www.my.targetWebsite.com - 198.105.244.228
|     www.my.targetWebsite.com - 198.105.254.228
|     www5.targetWebsite.com - 198.105.244.228
|     www5.targetWebsite.com - 198.105.254.228
|     autodiscover.targetWebsite.com - 98.99.254.176
|     www.admin.targetWebsite.com - 198.105.244.228
|     www.admin.targetWebsite.com - 198.105.254.228
|     store.targetWebsite.com - 104.16.206.251
|     store.targetWebsite.com - 104.16.207.251
|     web01.targetWebsite.com - 198.105.244.228
|     web01.targetWebsite.com - 198.105.254.228
|     cms.targetWebsite.com - 98.99.252.57
|     www.old.targetWebsite.com - 198.105.244.228
|     www.old.targetWebsite.com - 198.105.254.228
|     blog.targetWebsite.com - 216.87.148.114
|     www2.targetWebsite.com - 207.76.137.99
|     webservices.targetWebsite.com - 198.105.244.228
|     webservices.targetWebsite.com - 198.105.254.228
|     www.video.targetWebsite.com - 198.105.244.228
|     www.video.targetWebsite.com - 198.105.254.228
|     web4.targetWebsite.com - 198.105.244.228
|     web4.targetWebsite.com - 198.105.254.228
|     e.targetWebsite.com - 63.149.195.18
|     e.targetWebsite.com - 67.134.222.254
|     e.targetWebsite.com - 8.33.184.254
|     auth.targetWebsite.com - 204.238.150.111
|     wwww.targetWebsite.com - 198.105.244.228
|     wwww.targetWebsite.com - 198.105.254.228
|     help.targetWebsite.com - 98.99.252.46
|     jira.targetWebsite.com - 98.99.254.68
|     outlook.targetWebsite.com - 98.99.254.66
|     www.mail.targetWebsite.com - 198.105.244.228
|     www.mail.targetWebsite.com - 198.105.254.228
|     MAIL.targetWebsite.com - 98.99.254.8
|     www.new.targetWebsite.com - 198.105.244.228
|     www.new.targetWebsite.com - 198.105.254.228
|     mdm.targetWebsite.com - 192.30.68.141
|     origin-www.targetWebsite.com - 104.97.95.87
|     sslvpn.targetWebsite.com - 204.238.150.49
|     assets.targetWebsite.com - 107.14.46.27
|     assets.targetWebsite.com - 107.14.46.35
|     www.en.targetWebsite.com - 198.105.244.228
|     www.en.targetWebsite.com - 198.105.254.228
|     docs.targetWebsite.com - 98.99.254.67
|     www.dev.targetWebsite.com - 198.105.244.228
|     www.dev.targetWebsite.com - 198.105.254.228
|     www.forums.targetWebsite.com - 198.105.244.228
|     www.forums.targetWebsite.com - 198.105.254.228
|     www.ads.targetWebsite.com - 198.105.244.228
|     www.ads.targetWebsite.com - 198.105.254.228
|     apps.targetWebsite.com - 12.18.141.21
|     www.wiki.targetWebsite.com - 198.105.244.228
|     www.wiki.targetWebsite.com - 198.105.254.228
|     webconf.targetWebsite.com - 198.105.244.228
|     webconf.targetWebsite.com - 198.105.254.228
|     ww.targetWebsite.com - 198.105.244.228
|     ww.targetWebsite.com - 198.105.254.228
|     webcam.targetWebsite.com - 198.105.244.228
|     webcam.targetWebsite.com - 198.105.254.228
|     www.chat.targetWebsite.com - 198.105.244.228
|_    www.chat.targetWebsite.com - 198.105.254.228

Nmap done: 1 IP address (1 host up) scanned in 62.15 seconds

By default, dns-brute scans using five concurrent threads. We can raise or lower this value with the dns-brute.threads argument. Depending on the type of web server, a large number of threads can crash the server or amount to a denial of service, slowing the website down or breaking it for other users. Adjust this value with caution.

Dns-brute will try roughly 125 popular subdomains. We can supply custom subdomain lists with the dns-brute.hostlist argument. As the output above shows, using a more comprehensive wordlist let us detect more subdomains and IP addresses controlled by this website.