Subdomain Enumeration
Enumerate subdomains via CT logs (crt.sh), passive DNS, subfinder/amass. Expands the attack surface for forgotten apps.
§ Where this technique fits
W-RECON-SUBDOMAIN is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 2 on average.
§ Dossiers chaining this technique
- step 1 / 7 — Subdomain takeover → cookie theft → account takeover
  Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
- step 2 / 6 — Origin IP bypass → direct attack on backend
  Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- step 3 / 6 — AXFR → discover shadow-IT staging → exploitable web app
  DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
§ What commonly comes next
- 01 Directory & File Bruteforce (seen 1×) · W-RECON-DIRBRUTE · Reconnaissance
- 02 Subdomain Takeover (seen 1×) · W-SUBDOMAIN-TAKEOVER · Initial Access
- 03 Tech Stack Fingerprinting (seen 1×) · W-RECON-FINGERPRINT · Reconnaissance