
Domain Enumeration Techniques

Sometimes when doing penetration testing you are given very little information, perhaps only the domain name of the target. Obviously, having a single target address limits your chances of getting into the network. One technique you can use to expand your target list is domain enumeration: gathering as much information as possible about the target domain.

This method is a form of passive information gathering because it is non-intrusive: we are not actively probing the target network, but using information that is already publicly available on the Internet. There are several ways to do this, but I'm going to share the ones I normally use. I usually start with online tools to enumerate the target domain. Let's say your target domain name is

Google: hacker's best friend
Use the search string "allinurl: -www" to return all domain names associated with the target.

Netcraft DNS search function

Checks domains for existing subdomains and hostnames.

Next, I will use enumeration tools that are available in BackTrack.

Tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources.
./ -d -b bing

Multithreaded Perl script to enumerate DNS information on a domain and to discover non-contiguous IP blocks.
./ --enum -f dns.txt

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.
./fierce -dns -wordlist host.txt

Below is a comparison table of the results produced by each tool.

Next, we need to validate the results and remove any duplicate records. We started with only one target, i.e. but after performing domain enumeration we are presented with plenty of targets to attack.
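As an added example (not one of the tools above, and not the post author's code), the following Python script does that consolidation step: it pulls hostnames under the target domain out of whatever each tool printed, normalises them (lower-case, no trailing dot), records which tools reported each name and which IP they claimed, builds the "which tool found what" comparison table, and then checks that every candidate still resolves so stale search-engine hits can be separated from live hosts. The tool outputs and the DNS answers are constructed inline so the script runs offline; "example.com" stands in for the target domain, the sample snippets are not the tools' real output formats, and `system_resolver` is the drop-in for real use.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample output, one snippet per tool. These are NOT the tools'
# real formats: the parser ignores layout and only extracts hostnames under
# the target domain (plus any IPv4 on the same line), so it copes with
# whatever each tool actually prints. "example.com" is a placeholder target.
SAMPLE_OUTPUT = {
    "theharvester": """
        [constructed] hosts found:
        93.184.216.34:www.example.com
        93.184.216.34:WWW.EXAMPLE.COM
        10.0.0.5:mail.example.com
    """,
    "dnsenum": """
        [constructed] example.com.   IN A 93.184.216.34
        ns1.example.com.             IN A 192.0.2.53
        vpn.example.com.             IN A 192.0.2.10
        mail.example.com.            IN A 10.0.0.5
    """,
    "fierce": """
        [constructed]
        192.0.2.10      vpn.example.com
        192.0.2.77      dev.example.com
        198.51.100.9    stale.example.com
    """,
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hostname_pattern(domain: str) -> "re.Pattern[str]":
    """Match the apex or any subdomain of `domain`, case-insensitively."""
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    return re.compile(rf"(?<![\w.-])((?:{label}\.)*{re.escape(domain)})(?![\w-])", re.I)


@dataclass
class HostRecord:
    name: str
    tools: Set[str] = field(default_factory=set)        # which tools reported it
    claimed_ips: Set[str] = field(default_factory=set)  # IPs printed next to it
    resolved_ips: Optional[Set[str]] = None             # None until validate()


def merge_tool_output(domain: str, outputs: Dict[str, str]) -> Dict[str, HostRecord]:
    """Normalise and de-duplicate hostnames across all tool outputs."""
    pattern = hostname_pattern(domain)
    records: Dict[str, HostRecord] = {}
    for tool, text in outputs.items():
        for line in text.splitlines():
            for m in pattern.finditer(line):
                name = m.group(1).lower().rstrip(".")
                rec = records.setdefault(name, HostRecord(name))
                rec.tools.add(tool)
                rec.claimed_ips.update(IPV4_RE.findall(line))
    return records


Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Real resolver via the OS stub resolver; empty set when the name does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def validate(records: Dict[str, HostRecord], resolve: Resolver = system_resolver) -> Dict[str, HostRecord]:
    """Resolve every candidate so stale entries can be told apart from live hosts."""
    for rec in records.values():
        rec.resolved_ips = resolve(rec.name)
    return records


def live_hosts(records: Dict[str, HostRecord]) -> List[str]:
    return sorted(n for n, r in records.items() if r.resolved_ips)


def stale_hosts(records: Dict[str, HostRecord]) -> List[str]:
    """Reported by some tool but no longer resolving (e.g. cached search-engine data)."""
    return sorted(n for n, r in records.items() if r.resolved_ips is not None and not r.resolved_ips)


def comparison_table(records: Dict[str, HostRecord], tools: Iterable[str]) -> str:
    """Plain-text 'which tool found which host' table."""
    tools = list(tools)
    width = max((len(n) for n in records), default=8)
    header = f"{'hostname':<{width}}  " + "  ".join(f"{t:^12}" for t in tools)
    rows = [header, "-" * len(header)]
    for name in sorted(records):
        marks = "  ".join(f"{'x' if t in records[name].tools else '-':^12}" for t in tools)
        rows.append(f"{name:<{width}}  {marks}")
    return "\n".join(rows)


# Constructed stand-in for DNS so the example runs offline. Note that
# stale.example.com is deliberately absent: a tool reported it, but it no
# longer resolves. Swap in system_resolver for real use.
FAKE_DNS = {
    "example.com": {"93.184.216.34"}, "www.example.com": {"93.184.216.34"},
    "mail.example.com": {"10.0.0.5"}, "ns1.example.com": {"192.0.2.53"},
    "vpn.example.com": {"192.0.2.10"}, "dev.example.com": {"192.0.2.77"},
}


def fake_resolver(name: str) -> Set[str]:
    return set(FAKE_DNS.get(name, set()))


def run_demo(outputs=SAMPLE_OUTPUT, domain="example.com", resolve=fake_resolver):
    return validate(merge_tool_output(domain, outputs), resolve)


if __name__ == "__main__":
    recs = run_demo()
    print(comparison_table(recs, SAMPLE_OUTPUT))
    print("\nlive:", live_hosts(recs))
    print("stale:", stale_hosts(recs))
```

Because the parser keys on the target domain rather than on each tool's layout, the same script consolidates the output of any additional source you add later; a name that several tools agree on and that still resolves is a far better candidate than one that appears only in a search-engine cache.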

Cheers :)

