Sudomy - Subdomain Enumeration & Analysis

Subdomain Enumeration and Analysis

Introduction

Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way.

How Sudomy Works

Sudomy is using cURL library in order to get the HTTP Response Body from third-party sites to then execute the regular expression to get subdomains. This process fully leverages multi processors, more subdomains will be collected with less time consumption.

The passive technique uses third party resources such as DNSdumpster, WebArchive, Shodan, Total Virus, Certsh, BinaryEdge, SecurityTrails, Certspotter, Censys, Threatminer, Bufferover, Hackertarget, Entrust, ThereatCrowd, and Riddler. To improve the enumeration results sudomy application needs to add an API Key for Shodan, Censys, Total Virus, BinaryEdge, and SecurityTrails in the sudomy.API section. Whereas Active technique uses a combination of the Gobuster application with the wordlist provided by SecLists. SecLists has a collection of approximately three million wordlists.

Features

For recent time, Sudomy has these 13 features:

  • Easy, light, fast and powerful. Bash script is available by default in almost all Linux distributions. By using bash script multiprocessing feature, all processors will be utilized optimally.

  • Subdomain enumeration process can be achieved by using active method or passive method

    • Active Method

      • Sudomy utilize Gobuster tools because of its highspeed performance in carrying out DNS Subdomain Bruteforce attack (wildcard support). The wordlist that is used comes from combined SecList (Discover/DNS) lists which contains around 3 million entries

    • Passive Method

      • By selecting the good third-party sites, the enumeration process can be optimized. More results will be obtained with less time required. Sudomy can collect data from these well-curated 20 third-party sites:

        https://dnsdumpster.com
        https://web.archive.org
        https://shodan.io
        https://virustotal.com
        https://crt.sh
        https://www.binaryedge.io
        https://securitytrails.com
        https://sslmate.com/certspotter
        https://censys.io
        https://threatminer.org
        http://dns.bufferover.run
        https://hackertarget.com
        https://www.entrust.com/ct-search/
        https://www.threatcrowd.org
        https://riddler.io
        https://findsubdomains.com
        https://rapiddns.io/
        https://https://otx.alienvault.com/
        https://index.commoncrawl.org/
        https://urlscan.io
  • Test the list of collected subdomains and probe for working http or https servers. This feature uses a third-party tool, httprobe.

  • Subdomain availability test based on Ping Sweep and/or by getting HTTP status code.

  • The ability to detect virtualhost (several subdomains which resolve to single IP Address). Sudomy will resolve the collected subdomains to IP addresses, then classify them if several subdomains resolve to single IP address. This feature will be very useful for the next penetration testing/bug bounty process. For instance, in port scanning, single IP address won’t be scanned repeatedly

  • Performed port scanning from collected subdomains/virtualhosts IP Addresses

  • Testing Subdomain TakeOver attack

  • Taking Screenshotsof subdomains

  • Identify technologies on websites

  • Data Collecting/Scraping open port from 3rd party (Default::Shodan), For right now just using Shodan [Future::Censys,Zoomeye]. More efficient and effective to collecting port from list ip on target [[ Subdomain > IP Resolver > Crawling > ASN & Open Port ]]

  • Collecting Juicy URL & Extract URL Parameter ( Resource Default::WebArchive, CommonCrawl, UrlScanIO)

  • Report output in HTML or CSV format

Publication

Comparison

The following are the results of passive enumeration DNS testing of Sublist3r, Subfinder, and Sudomy. The domain that is used in this comparison is bugcrowd.com.

Sudomy

Subfinder

Sublister

Testing is done by comparing the sudomy application with other applications such as subfinder and sublist3r with the target domain bugcrowd.com.

https://iopscience.iop.org/article/10.1088/1757-899X/771/1/012019/meta

The sub finder application uses 25 resources, sublist3r uses 11 resources, and sudomy uses 16 resources. The time needed to search for a subdomain from bugcrowd.com, the sub finder application takes 1 minute 38,621s, sublist3r takes 0 minutes 27,216s, and sudomy takes 0 minutes 6,946s. The subdomain results from bugcrowd.com found by the sub finder application are 25 subdomains, sublist3r are 23 subdomains, and sudomy is 49 subdomains. The results of enumeration looking for the bugcrowd.com subdomain using the sub finder, sublist3r, and sudomy applications can be seen in table 3. To further speed up the enumeration process and save CPU, RAM, and bandwidth, you can use third party resources as needed.