Subdomain hunter

The Ultimate Guide To FINDING SUBDOMAINS

Hunting subdomains is an important part of a web application penetration test. Before starting, it helps to understand what domains are and then what subdomains are. The simplest way to understand a domain name is to see it as an address people type into a web browser's URL bar to visit a website. Domain names are registered with domain name registrars. Examples of domain names are google, youtube, and tobididit.

With that in place, we can look at what subdomains are and why we need to hunt them, which is what this topic focuses on. A subdomain is best understood as a smaller part of a much larger domain. It is a unique set of words used to create a unique web address.

Why do websites have subdomains when a domain is already functional? Website owners tend to use them to send people to a different web address, and most of the time to target a specific country. Suppose a big brand like Coca-Cola, headquartered in the USA, has a market in Swaziland, where the official language is Swazi. It would be unfair to those customers if all of Coca-Cola's content were written in English, if they had to order by calling a USA number, and if prices were displayed in US dollars. With a subdomain, the URL displaying content tailored for the people of Swaziland might be www.sz.cocacola.com.

Another thing to know about is the wildcard subdomain, also called a catch-all subdomain. As the name suggests, a catch-all subdomain means that whether a subdomain exists or not, the request redirects us to a specific domain name.

Visual explanation of a subdomain

You may be curious why we do this during information gathering. Subdomain hunting is necessary because we might run into a subdomain that contains information that shouldn't be seen by us, for example dev.donotsee.com or testsite.donotsee.com. Hunting subdomains during a web app pentest is important because looking only at a domain name without checking its subdomains limits the information gathered.

A tool that does the job is Sublist3r, and also crt.sh.

Work with OWASP Amass as well, and tomnomnom's httprobe.
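
To show what crt.sh results look like once collected, here is an added example (not from the original post or from the crt.sh project): Python that takes JSON in the shape crt.sh returns for an in-scope domain and builds a deduplicated subdomain inventory, separating wildcard names and flagging dev/test-style hosts for review. The sample data, example.com, and the REVIEW_LABELS list are constructed assumptions.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (output=json);
# example.com and every name below are placeholders, not real findings.
SAMPLE_CRTSH_JSON = """
[
  {"common_name": "example.com", "name_value": "example.com\\nwww.example.com"},
  {"common_name": "*.example.com", "name_value": "*.example.com\\nexample.com"},
  {"common_name": "dev.example.com", "name_value": "dev.example.com"},
  {"common_name": "testsite.example.com", "name_value": "TestSite.example.com\\nsz.example.com"},
  {"common_name": "other.org", "name_value": "cdn.other.org"}
]
"""

# Labels that suggest a non-production host worth reviewing (assumed list).
REVIEW_LABELS = {"dev", "test", "testsite", "staging", "uat"}


def inventory(crtsh_json, domain):
    """Return (subdomains, wildcards, review) for `domain` from crt.sh JSON."""
    domain = domain.lower().rstrip(".")
    subdomains, wildcards = set(), set()
    for entry in json.loads(crtsh_json):
        # name_value holds one or more certificate names separated by newlines.
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                # A wildcard certificate name is only a hint that a catch-all
                # may exist; it is not a hostname, so track it separately.
                if name[2:] == domain or name.endswith("." + domain):
                    wildcards.add(name)
                continue
            if name.endswith("." + domain):  # skips the apex and other domains
                subdomains.add(name)
    # Flag hosts whose left-most label looks like a dev/test environment.
    review = {s for s in subdomains if s.split(".")[0] in REVIEW_LABELS}
    return sorted(subdomains), sorted(wildcards), sorted(review)


if __name__ == "__main__":
    subs, wild, review = inventory(SAMPLE_CRTSH_JSON, "example.com")
    print("subdomains:", subs)
    print("wildcards: ", wild)
    print("review:    ", review)
```

Names in certificate logs can be stale, so each entry still needs a liveness check (the role httprobe plays) before it counts as an exposed host.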

Below are videos reviewing these tools. Please be kind enough to like the video, subscribe to the channel, and leave a comment if you find it helpful.
