Subdomains are often used to host additional websites for a specific subset of users.
Well-known examples include m.facebook.com, mobile.twitter.com and developer.github.com.
These subdomains are of interest to an attacker because the subdomain and the main domain may in fact be hosted on completely different virtual private servers, in different parts of the world, and may not be held to the same standard of security.
The dns-brute script that ships with Nmap is designed to enumerate subdomains and the server IP addresses they resolve to. dns-brute is a host script that issues DNS queries through Nmap's configured resolvers (the system ones unless --dns-servers is given); the -p80,443 in the command below only limits the accompanying port scan of the main host and plays no part in the enumeration itself.
nmap -p80,443 --script dns-brute targetWebsite.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.16s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| http.targetWebsite.com - 198.105.244.228
| http.targetWebsite.com - 198.105.254.228
| mysql.targetWebsite.com - 198.105.244.228
| mysql.targetWebsite.com - 198.105.254.228
| news.targetWebsite.com - 104.17.202.106
| news.targetWebsite.com - 104.17.203.106
| news.targetWebsite.com - 104.17.204.106
| news.targetWebsite.com - 104.17.205.106
| news.targetWebsite.com - 104.17.206.106
| app.targetWebsite.com - 104.97.95.87
| apps.targetWebsite.com - 12.18.141.21
| web.targetWebsite.com - 198.105.244.228
| web.targetWebsite.com - 198.105.254.228
| auth.targetWebsite.com - 204.238.150.111
| web2test.targetWebsite.com - 198.105.244.228
| web2test.targetWebsite.com - 198.105.254.228
| beta.targetWebsite.com - 98.99.252.42
| id.targetWebsite.com - 98.99.254.9
| blog.targetWebsite.com - 216.87.148.114
| www.targetWebsite.com - 104.97.95.87
| www2.targetWebsite.com - 207.76.137.99
| cms.targetWebsite.com - 98.99.252.57
| ldap.targetWebsite.com - 98.99.254.57
| owa.targetWebsite.com - 98.99.252.118
| sip.targetWebsite.com - 199.233.179.46
| mail.targetWebsite.com - 98.99.254.8
| mobile.targetWebsite.com - 216.87.148.114
| help.targetWebsite.com - 98.99.252.46
| home.targetWebsite.com - 198.105.244.228
|_ home.targetWebsite.com - 198.105.254.228
Nmap done: 1 IP address (1 host up) scanned in 32.62 seconds
This particular site has many subdomains configured, and they do not all share the same IP address. At this point a penetration tester can extend reconnaissance to the newly discovered servers under this site's control. One check belongs before that step: when several unrelated names (http, mysql, web, web2test and home above) all resolve to the same pair of addresses, the likely cause is a wildcard DNS record or a resolver that rewrites NXDOMAIN answers, not a set of distinct real hosts. Resolve a label that cannot exist (a random string under the domain) and discard any result that returns only those same addresses.
Below is a dns-brute command that carries several --script-args.
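The grouping and wildcard sanity check described above, as an added example that is not part of the original page or of Nmap: it parses dns-brute result lines, groups hostnames by address, flags addresses that collect an implausible number of unrelated names, and leaves a clean target list for the next scan stage. SAMPLE_OUTPUT is constructed from result lines shown on this page; the threshold of four names per address is an assumed heuristic.

```python
"""Post-process Nmap dns-brute output.

Added example, not code from the original page or from Nmap. It groups the
reported hostnames by IP address, flags addresses that collect an
implausible number of unrelated names (the usual signature of a wildcard
record or of a resolver that rewrites NXDOMAIN), and leaves a clean list of
addresses for the next scan stage. SAMPLE_OUTPUT is constructed from the
dns-brute result lines shown on this page.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a subset of the result lines from the scans above.
SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.targetWebsite.com - 104.97.95.87
|     app.targetWebsite.com - 104.97.95.87
|     mail.targetWebsite.com - 98.99.254.8
|     MAIL.targetWebsite.com - 98.99.254.8
|     wwww.targetWebsite.com - 198.105.244.228
|     wwww.targetWebsite.com - 198.105.254.228
|     ww.targetWebsite.com - 198.105.244.228
|     ww.targetWebsite.com - 198.105.254.228
|     webcam.targetWebsite.com - 198.105.244.228
|     webcam.targetWebsite.com - 198.105.254.228
|     www.admin.targetWebsite.com - 198.105.244.228
|_    www.admin.targetWebsite.com - 198.105.254.228
"""

# A result line is "|  <hostname> - <IPv4>"; the final one begins with "|_".
# The separator also accepts an en dash, which copy-pasted output often carries.
RESULT_RE = re.compile(
    r"^\|_?\s+(?P<host>[A-Za-z0-9.-]+)\s+[-\u2013]\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_dns_brute(output: str) -> dict[str, set[str]]:
    """Map each IP address to the set of hostnames that resolved to it.

    Hostnames are lower-cased so that MAIL.* and mail.* count once, as DNS
    itself treats them.
    """
    by_ip: dict[str, set[str]] = defaultdict(set)
    for line in output.splitlines():
        match = RESULT_RE.match(line)
        if match:
            by_ip[match["ip"]].add(match["host"].lower())
    return dict(by_ip)


def suspicious_ips(by_ip: dict[str, set[str]], threshold: int = 4) -> list[str]:
    """Addresses that collected at least `threshold` distinct names.

    Genuine hosts rarely answer for wwww, ww, webcam and www.admin at once;
    confirm with a query for a random label before trusting these.
    """
    return sorted(ip for ip, hosts in by_ip.items() if len(hosts) >= threshold)


def scan_targets(by_ip: dict[str, set[str]], exclude: list[str]) -> list[str]:
    """Unique addresses worth a follow-up port scan, minus the flagged ones."""
    return sorted(set(by_ip) - set(exclude))


if __name__ == "__main__":
    grouped = parse_dns_brute(SAMPLE_OUTPUT)
    flagged = suspicious_ips(grouped)
    for ip in sorted(grouped):
        tag = "  <- check for wildcard/NXDOMAIN rewriting" if ip in flagged else ""
        print(f"{ip:16} {len(grouped[ip])} name(s){tag}")
    print("follow-up targets:", " ".join(scan_targets(grouped, flagged)))
```

Feed it the saved scan output (nmap -oN) instead of SAMPLE_OUTPUT; the addresses it flags are the ones to test with a random label before they are added to scope.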
nmap -p80,443 --script dns-brute --script-args dns-brute.threads=25,dns-brute.hostlist=/root/Desktop/custom-subdomain-wordlist.txt targetWebsite.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.17s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| www7.targetWebsite.com - 198.105.244.228
| www7.targetWebsite.com - 198.105.254.228
| www.targetWebsite.com - 104.97.95.87
| webdisk.test.targetWebsite.com - 198.105.244.228
| webdisk.test.targetWebsite.com - 198.105.254.228
| www4.targetWebsite.com - 198.105.244.228
| www4.targetWebsite.com - 198.105.254.228
| www1.targetWebsite.com - 198.105.244.228
| www1.targetWebsite.com - 198.105.254.228
| app.targetWebsite.com - 104.97.95.87
| mail.targetWebsite.com - 98.99.254.8
| www.m.targetWebsite.com - 198.105.244.228
| www.m.targetWebsite.com - 198.105.254.228
| meet.targetWebsite.com - 199.233.179.60
| members.targetWebsite.com - 52.85.88.11
| members.targetWebsite.com - 52.85.88.178
| members.targetWebsite.com - 52.85.88.184
| members.targetWebsite.com - 52.85.88.186
| webmail2.targetWebsite.com - 198.105.244.228
| webmail2.targetWebsite.com - 198.105.254.228
| ww2.targetWebsite.com - 198.105.244.228
| ww2.targetWebsite.com - 198.105.254.228
| sip.targetWebsite.com - 199.233.179.46
| www.beta.targetWebsite.com - 198.105.244.228
| www.beta.targetWebsite.com - 198.105.254.228
| news.targetWebsite.com - 104.17.202.106
| news.targetWebsite.com - 104.17.203.106
| news.targetWebsite.com - 104.17.204.106
| news.targetWebsite.com - 104.17.205.106
| news.targetWebsite.com - 104.17.206.106
| www.news.targetWebsite.com - 198.105.244.228
| www.news.targetWebsite.com - 198.105.254.228
| www.shop.targetWebsite.com - 198.105.244.228
| www.shop.targetWebsite.com - 198.105.254.228
| portal.targetWebsite.com - 192.237.142.31
| preview.targetWebsite.com - 104.97.95.87
| search.targetWebsite.com - 98.99.252.118
| www.support.targetWebsite.com - 198.105.244.228
| www.support.targetWebsite.com - 198.105.254.228
| api.targetWebsite.com - 98.99.252.56
| share.targetWebsite.com - 69.28.231.168
| mobile.targetWebsite.com - 216.87.148.114
| lyncdiscover.targetWebsite.com - 199.233.179.60
| mysql.targetWebsite.com - 198.105.244.228
| mysql.targetWebsite.com - 198.105.254.228
| owa.targetWebsite.com - 98.99.252.118
| webdisk.forum.targetWebsite.com - 198.105.244.228
| webdisk.forum.targetWebsite.com - 198.105.254.228
| www.blog.targetWebsite.com - 198.105.244.228
| www.blog.targetWebsite.com - 198.105.254.228
| beta.targetWebsite.com - 98.99.252.42
| partner.targetWebsite.com - 98.99.252.118
| a.targetWebsite.com - 63.149.195.18
| a.targetWebsite.com - 67.134.222.254
| a.targetWebsite.com - 8.33.184.254
| blogs.targetWebsite.com - 98.99.252.176
| webdisk.m.targetWebsite.com - 198.105.244.228
| webdisk.m.targetWebsite.com - 198.105.254.228
| webdisk.demo.targetWebsite.com - 198.105.244.228
| webdisk.demo.targetWebsite.com - 198.105.254.228
| ldap.targetWebsite.com - 98.99.254.57
| www.webmail.targetWebsite.com - 198.105.244.228
| www.webmail.targetWebsite.com - 198.105.254.228
| webmail.targetWebsite.com - 98.99.254.8
| web3.targetWebsite.com - 198.105.244.228
| web3.targetWebsite.com - 198.105.254.228
| community.targetWebsite.com - 216.87.148.114
| webmail.cp.targetWebsite.com - 198.105.244.228
| webmail.cp.targetWebsite.com - 198.105.254.228
| www.demo.targetWebsite.com - 198.105.244.228
| www.demo.targetWebsite.com - 198.105.254.228
| remote.targetWebsite.com - 216.87.148.114
| my.targetWebsite.com - 198.105.244.228
| my.targetWebsite.com - 198.105.254.228
| webdisk.dev.targetWebsite.com - 198.105.244.228
| webdisk.dev.targetWebsite.com - 198.105.254.228
| www.forum.targetWebsite.com - 198.105.244.228
| www.forum.targetWebsite.com - 198.105.254.228
| webdisk.targetWebsite.com - 198.105.244.228
| webdisk.targetWebsite.com - 198.105.254.228
| www.test.targetWebsite.com - 198.105.244.228
| www.test.targetWebsite.com - 198.105.254.228
| www.mobile.targetWebsite.com - 198.105.244.228
| www.mobile.targetWebsite.com - 198.105.254.228
| web1.targetWebsite.com - 198.105.244.228
| web1.targetWebsite.com - 198.105.254.228
| relay.targetWebsite.com - 98.99.254.28
| web2.targetWebsite.com - 198.105.244.228
| web2.targetWebsite.com - 198.105.254.228
| web.targetWebsite.com - 198.105.244.228
| web.targetWebsite.com - 198.105.254.228
| dialin.targetWebsite.com - 199.233.179.60
| jobs.targetWebsite.com - 216.87.148.114
| webdisk.blog.targetWebsite.com - 198.105.244.228
| webdisk.blog.targetWebsite.com - 198.105.254.228
| home.targetWebsite.com - 198.105.244.228
| home.targetWebsite.com - 198.105.254.228
| www3.targetWebsite.com - 198.105.244.228
| www3.targetWebsite.com - 198.105.254.228
| www.store.targetWebsite.com - 104.16.53.60
| www.store.targetWebsite.com - 104.16.54.60
| www6.targetWebsite.com - 198.105.244.228
| www6.targetWebsite.com - 198.105.254.228
| www.my.targetWebsite.com - 198.105.244.228
| www.my.targetWebsite.com - 198.105.254.228
| www5.targetWebsite.com - 198.105.244.228
| www5.targetWebsite.com - 198.105.254.228
| autodiscover.targetWebsite.com - 98.99.254.176
| www.admin.targetWebsite.com - 198.105.244.228
| www.admin.targetWebsite.com - 198.105.254.228
| store.targetWebsite.com - 104.16.206.251
| store.targetWebsite.com - 104.16.207.251
| web01.targetWebsite.com - 198.105.244.228
| web01.targetWebsite.com - 198.105.254.228
| cms.targetWebsite.com - 98.99.252.57
| www.old.targetWebsite.com - 198.105.244.228
| www.old.targetWebsite.com - 198.105.254.228
| blog.targetWebsite.com - 216.87.148.114
| www2.targetWebsite.com - 207.76.137.99
| webservices.targetWebsite.com - 198.105.244.228
| webservices.targetWebsite.com - 198.105.254.228
| www.video.targetWebsite.com - 198.105.244.228
| www.video.targetWebsite.com - 198.105.254.228
| web4.targetWebsite.com - 198.105.244.228
| web4.targetWebsite.com - 198.105.254.228
| e.targetWebsite.com - 63.149.195.18
| e.targetWebsite.com - 67.134.222.254
| e.targetWebsite.com - 8.33.184.254
| auth.targetWebsite.com - 204.238.150.111
| wwww.targetWebsite.com - 198.105.244.228
| wwww.targetWebsite.com - 198.105.254.228
| help.targetWebsite.com - 98.99.252.46
| jira.targetWebsite.com - 98.99.254.68
| outlook.targetWebsite.com - 98.99.254.66
| www.mail.targetWebsite.com - 198.105.244.228
| www.mail.targetWebsite.com - 198.105.254.228
| MAIL.targetWebsite.com - 98.99.254.8
| www.new.targetWebsite.com - 198.105.244.228
| www.new.targetWebsite.com - 198.105.254.228
| mdm.targetWebsite.com - 192.30.68.141
| origin-www.targetWebsite.com - 104.97.95.87
| sslvpn.targetWebsite.com - 204.238.150.49
| assets.targetWebsite.com - 107.14.46.27
| assets.targetWebsite.com - 107.14.46.35
| www.en.targetWebsite.com - 198.105.244.228
| www.en.targetWebsite.com - 198.105.254.228
| docs.targetWebsite.com - 98.99.254.67
| www.dev.targetWebsite.com - 198.105.244.228
| www.dev.targetWebsite.com - 198.105.254.228
| www.forums.targetWebsite.com - 198.105.244.228
| www.forums.targetWebsite.com - 198.105.254.228
| www.ads.targetWebsite.com - 198.105.244.228
| www.ads.targetWebsite.com - 198.105.254.228
| apps.targetWebsite.com - 12.18.141.21
| www.wiki.targetWebsite.com - 198.105.244.228
| www.wiki.targetWebsite.com - 198.105.254.228
| webconf.targetWebsite.com - 198.105.244.228
| webconf.targetWebsite.com - 198.105.254.228
| ww.targetWebsite.com - 198.105.244.228
| ww.targetWebsite.com - 198.105.254.228
| webcam.targetWebsite.com - 198.105.244.228
| webcam.targetWebsite.com - 198.105.254.228
| www.chat.targetWebsite.com - 198.105.244.228
|_ www.chat.targetWebsite.com - 198.105.254.228
Nmap done: 1 IP address (1 host up) scanned in 62.15 seconds
By default dns-brute resolves with five concurrent threads; the value can be raised or lowered with dns-brute.threads. Bear in mind that the queries go to DNS resolvers and, behind them, the target's authoritative name servers, not to the web server: a high thread count can overload those name servers or look like a denial of service, slowing name resolution for other users or tripping rate limits against the scanner. Adjust this value with care.
dns-brute tries roughly 125 common hostnames from its built-in list. A custom list is supplied with the dns-brute.hostlist argument. As the output above shows, a fuller wordlist turned up many more subdomains and IP addresses controlled by this site. A large share of the new hits resolve to the same two addresses (198.105.244.228 and 198.105.254.228), which should be treated as wildcard or rewritten answers until a query for a random label proves otherwise.
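The enumeration loop behind the two options just discussed, as an added example that is not part of the original page or of Nmap's dns-brute: a thread pool whose size mirrors dns-brute.threads, a caller-supplied hostlist, and the wildcard check that the raw script output does not give you. The default resolver is the system one via socket.getaddrinfo; FAKE_ZONE, FAKE_WILDCARD, fake_resolve and the example.test domain are constructed so the block runs offline.

```python
"""Threaded subdomain brute force in the manner of dns-brute.

Added example, not code from the original page or from Nmap. It exposes the
two knobs discussed above (a thread count that mirrors dns-brute.threads and
a caller-supplied hostlist) and adds the check that the raw script output
does not give you: names that resolve only to the addresses a random,
non-existent label also resolves to are dropped as wildcard or
NXDOMAIN-rewriting noise. `resolve` defaults to the system resolver;
FAKE_ZONE and fake_resolve are a constructed zone so the example runs offline.
"""
from __future__ import annotations

import secrets
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable

Resolver = Callable[[str], frozenset]


def system_resolve(name: str) -> frozenset:
    """A records for `name` via the host's configured resolvers; empty on failure."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> frozenset:
    """Resolve a few random labels that cannot exist under `domain`.

    Whatever comes back is a wildcard record or a resolver rewriting
    NXDOMAIN; a brute-force hit that returns only these addresses is noise.
    """
    found: set[str] = set()
    for _ in range(probes):
        found |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return frozenset(found)


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver = system_resolve,
                threads: int = 5) -> dict[str, frozenset]:
    """Return {hostname: addresses} for every word that yields a real answer.

    `threads` is the number of concurrent lookups (dns-brute's default is 5).
    Blank lines and '#' comments in the wordlist are skipped and case is
    folded, so MAIL and mail are tried once.
    """
    wildcard = wildcard_addresses(domain, resolve)
    words = [w.strip().lower() for w in wordlist]
    names = list(dict.fromkeys(f"{w}.{domain}" for w in words if w and not w.startswith("#")))
    results: dict[str, frozenset] = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for name, addrs in zip(names, pool.map(resolve, names)):
            real = frozenset(addrs) - wildcard
            if real:
                results[name] = real
    return results


# Constructed zone for offline use: a wildcard answers every name under
# example.test with two addresses; three names also have real records.
FAKE_WILDCARD = frozenset({"198.51.100.228", "198.51.100.229"})
FAKE_ZONE = {
    "www.example.test": frozenset({"203.0.113.10"}),
    "mail.example.test": frozenset({"203.0.113.25"}),
    "api.example.test": frozenset({"203.0.113.10", "198.51.100.7"}),
}


def fake_resolve(name: str) -> frozenset:
    """Stand-in for system_resolve that serves FAKE_ZONE plus the wildcard."""
    if not name.endswith(".example.test"):
        return frozenset()
    return FAKE_ZONE.get(name, frozenset()) | FAKE_WILDCARD


if __name__ == "__main__":
    # Constructed wordlist; in practice read it from a file such as the one
    # passed to dns-brute.hostlist above.
    wordlist = ["www", "mail", "MAIL", "api", "wwww", "webcam", "# comment", ""]
    print("wildcard addresses:", sorted(wildcard_addresses("example.test", fake_resolve)))
    for host, addrs in brute_force("example.test", wordlist, resolve=fake_resolve, threads=4).items():
        print(host, " ".join(sorted(addrs)))
```

The limitation of the check is visible in the constructed zone: a real host whose only address is also the wildcard address would be dropped, which is common behind a CDN where every name fronts the same edge. Cross-check such names with a CNAME lookup or an HTTP request that sets the Host header rather than by A records alone.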