Step 4: Finding subdomains in bug bounty
Welcome to the 4th post of the 6M Challenge of Bug Bounty edition where you will find subdomains, your first digging into bug bounty.
First of all join us on the discord channel, where we have created different sub-channel for 6M participants to solve their doubts and have an interaction with the community. Go to #self-roles and tap on that animated heart to join the 6M sub-channel. Link: https://discord.gg/CZuS9Fh
Now I hope that you have finished the tasks given in the previous post, i.e.:
- Go through the HackerOne website and explore each and every option that we discussed in this post
- Read the previous reports that are made public, so that you will get an idea.
Firstly, we will be starting with Web Application Security testing because they’re easier to learn and require minimal tools to start testing on.
Understanding the domain system
Once I select the program that I want to test, I check its domain. For example, take Facebook. What comes to mind when I say “the website of Facebook”… facebook.com? Well, good start. But there’s more to it. Websites have subdomains, like developers.facebook.com, code.facebook.com, etc.
We could start testing for bugs directly on facebook.com, but knowing about subdomains like these expands the surface we can test. That means we can test developers.facebook.com alongside the main website, facebook.com.
How to find subdomains manually?
There are manual methods like “Google Dorks” to find the subdomains of a website. There are tools that make the work easier as well, but it’s important to know the manual method too. Google Dorks are a useful technique in general, so you should know how to use them.
Go to https://medium.com/@wshacked/finding-subdomain-using-google-dorks-6ced4cc19839 and read the article to learn how to find the subdomains of a website using Google Dorks.
How to find subdomains by using a tool?
Let’s use a tool to find subdomains of a website.
- Open Kali Linux in VirtualBox, or boot it directly if Kali is your default OS.
- Right-click anywhere on the desktop and click “Open Terminal here”. A terminal will open.
- Type this command in the terminal and hit Enter:
sudo apt install python3-pip
It will ask for a password; enter “kali” if you have not changed the default password.
- Next, run these commands one by one:
git clone https://github.com/aboul3la/Sublist3r.git
pip install requests
pip install argparse
pip install dnspython
cd Sublist3r
git clone https://github.com/rthalley/dnspython
cd dnspython
sudo python3 setup.py install
These commands install the libraries and applications that our tool needs in order to run.
Understanding the commands
- Our tool is hosted on GitHub, so we cloned it from GitHub onto our computer using the “git clone” command.
- “sudo” is a way to run commands in Kali as ADMINISTRATOR (root), so that you have all the permissions you need for the task.
- “apt install” tells the system to install a package from the Kali Linux repository. In our case, we installed python3-pip.
- pip is Python’s package installer: every Python library we need can be fetched from a big index of Python packages, which is why we installed pip. Using pip, we installed three libraries.
- When we right-clicked and chose “Open Terminal here”, we opened a terminal in the Desktop folder.
- “cd Sublist3r” takes us from the Desktop into the folder of Sublist3r (our tool).
- Finally, we install another requirement of our tool, dnspython. This requirement is often already present in Kali, but sometimes it throws an error, so to avoid that we install dnspython from source in the place it’s needed.
Now that these tools are installed, right-click anywhere on the desktop and click “Open Terminal Here” again. Run this command:
cd Sublist3r
Finally, run this command:
python3 sublist3r.py -d facebook.com
Wait for a while; a screen will appear and, in a few more seconds, we’ll have a list of subdomains of facebook.com. You can replace facebook.com with any other domain and find its subdomains the same way.
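Once the tool has printed its list, the practical next step is to clean it up and check scope before testing anything: bug bounty programs define which domains are in scope, and raw enumeration output often contains duplicates, mixed case, stray URLs, and look-alike names that are not actually subdomains of the target. The script below is an added example (not code from this post or from the Sublist3r project); the sample output it reads is constructed to look like a Sublist3r run with some noise mixed in, and the function names are my own.

```python
"""Normalise and scope-check a list of candidate subdomains.

Added example, not Sublist3r's own code. Sublist3r prints one hostname per
line; this script reads such output, drops anything that is not a real
subdomain of the target, and returns a clean, de-duplicated list.
"""
import re
from typing import Iterable, List, Optional

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(host: str) -> Optional[str]:
    """Lower-case, strip whitespace, a stray scheme, port, path or trailing dot.

    Returns None when the result is not a syntactically valid hostname.
    """
    host = host.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop "https://"
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return None
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return None
    return host


def in_scope(host: str, domain: str) -> bool:
    """True if host is the target domain itself or a subdomain of it.

    The check is done on a label boundary so that 'notfacebook.com' and
    'facebook.com.attacker.example' are both rejected for 'facebook.com'.
    """
    return host == domain or host.endswith("." + domain)


def filter_in_scope(lines: Iterable[str], domain: str) -> List[str]:
    """Return sorted, unique hostnames from lines that are subdomains of domain."""
    target = normalise(domain)
    if target is None:
        raise ValueError("target domain is not a valid hostname")
    found = set()
    for line in lines:
        host = normalise(line)
        if host is not None and in_scope(host, target):
            found.add(host)
    return sorted(found)


# Constructed sample: what a Sublist3r run might print, plus some noise.
SAMPLE_OUTPUT = """\
developers.facebook.com
code.facebook.com
https://developers.facebook.com/
CODE.facebook.com.
notfacebook.com
facebook.com.attacker.example
-bad-.facebook.com
api.facebook.com:443
"""

if __name__ == "__main__":
    for host in filter_in_scope(SAMPLE_OUTPUT.splitlines(), "facebook.com"):
        print(host)
```

Pipe a real run into it with `python3 sublist3r.py -d example.com -o subs.txt` and then read subs.txt line by line; the important design choice is the label-boundary check in `in_scope`, which is what stops a look-alike or attacker-controlled name from slipping into your target list.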
Install all these libraries and tools and learn how to use Sublist3r. Now you know how to find subdomains. We can start our next step of bug hunting, aka penetration testing, aka hacking, in the next post. Till then, work on the tasks explained in this post.
Tasks to be completed:
- Practise finding subdomains manually
- Find subdomains using the tool in Kali Linux
- Learn about Sublist3r