Sublist3r

Task 1 Intro

You can also use this site if you don't want to run Sublist3r: https://dnsdumpster.com/

You can find Sublist3r here! We'll install this in the next task.

No answer needed

Task 2 Installation

no answer needed

no answer needed

no answer needed

no answer needed

Task 3 Switchboard

Task 4 Scans away!

No answer needed

ssologin.stg

office-words

Last updated 5 years ago

hashtagTask 1 Intro

hashtagTask 2 Installation

hashtagFirst, let's change to our opt directory: cd /opt

hashtagNext, let's clone the Sublist3r repository into opt: git clone https://github.com/aboul3la/Sublist3r.gitarrow-up-right

hashtagNow let's move into the Sublist3r directory we've just created: cd /opt/Sublist3r

hashtagFinally, let's install the requirements for running Sublist3r: pip3 install -r requirements.txt

hashtagTask 3 Switchboard

hashtagWhat switch can we use to set our target domain to perform recon on?

hashtagHow about setting which engines we'll use for searching? (i.e. google, bing, etc)

hashtagSaving our output is important both so we don't have to run recon again but also so we can return to our returns and review them at a later time. What switch do we use to define an output file?

hashtagSublist3r can sometimes take some time to run but we can speed through up the use of threads. Which switch allows us to set the number of threads?

hashtagLast but not least, we can also bruteforce the domains for our target. This isn't always the most useful, however, it can sometimes find a key domain that we might have missed. What switch allows us to enable brute forcing?

hashtagTask 4 Scans away!

hashtagLet's run sublist3r now against nbc.com, a fairly large American news company. Run this now with the command: python3 sublist3r.py -d nbc.com -o sub-output-nbc.txt

hashtagOnce that completes open up your results and take a look through them. Email domains are almost always interesting and typically have an email portal (usually Outlook) located at them. Which subdomain is likely the email portal?

hashtagAdministrative control panels should never be exposed to the internet! Which subdomain is exposed that shouldn't be?

hashtagCompany blogs can sometimes reveal information about internal activities, which subdomain has the company blog at it?

hashtagDevelopment sites are often vulnerable to information disclosure or full-blown attacks. Two developer sites are exposed, which one is associated directly with web development?

hashtagCustomer and employee help desk portals can often reveal internal nomenclature and other potentially sensitive information, which dns record might be a helpdesk portal?

hashtagSingle sign-on is a feature commonly used in corporate domains, which dns record is directly associated with this feature? Include both parts of this subdomain separated by a period.

hashtagOne last one for fun. NBC produced a popular sitcom about typical office work environment, which dns record might be associated with this show?

Task 1 Intro

Task 2 Installation

First, let's change to our opt directory: cd /opt

Next, let's clone the Sublist3r repository into opt: git clone https://github.com/aboul3la/Sublist3r.git

Now let's move into the Sublist3r directory we've just created: cd /opt/Sublist3r

Finally, let's install the requirements for running Sublist3r: pip3 install -r requirements.txt

Task 3 Switchboard

What switch can we use to set our target domain to perform recon on?

How about setting which engines we'll use for searching? (i.e. google, bing, etc)

Saving our output is important both so we don't have to run recon again but also so we can return to our returns and review them at a later time. What switch do we use to define an output file?

Sublist3r can sometimes take some time to run but we can speed through up the use of threads. Which switch allows us to set the number of threads?

Last but not least, we can also bruteforce the domains for our target. This isn't always the most useful, however, it can sometimes find a key domain that we might have missed. What switch allows us to enable brute forcing?

Task 4 Scans away!

Let's run sublist3r now against nbc.com, a fairly large American news company. Run this now with the command: python3 sublist3r.py -d nbc.com -o sub-output-nbc.txt

Once that completes open up your results and take a look through them. Email domains are almost always interesting and typically have an email portal (usually Outlook) located at them. Which subdomain is likely the email portal?

Administrative control panels should never be exposed to the internet! Which subdomain is exposed that shouldn't be?

Company blogs can sometimes reveal information about internal activities, which subdomain has the company blog at it?

Development sites are often vulnerable to information disclosure or full-blown attacks. Two developer sites are exposed, which one is associated directly with web development?

Customer and employee help desk portals can often reveal internal nomenclature and other potentially sensitive information, which dns record might be a helpdesk portal?

Single sign-on is a feature commonly used in corporate domains, which dns record is directly associated with this feature? Include both parts of this subdomain separated by a period.

One last one for fun. NBC produced a popular sitcom about typical office work environment, which dns record might be associated with this show?