Sublist3r WalkThrough — TryHackMe

Sanaullah Aman Korai
4 min read · Dec 31, 2020


[Task #1] — Intro

Reconnaissance, the first step of a pentest, is arguably the most important one. Mapping the target's full attack surface matters: if you are running a phishing campaign, for example, missing a single exposed login portal can mean missing the easiest way in. Sublist3r is a handy Python script that performs quick recon against a target, enumerating subdomains of the in-scope domains from search engines and other public sources (Google, Bing, Yahoo, VirusTotal, DNSdumpster and others) and, optionally, by brute force.

Disclaimer! There’s a pretty good chance your ISP isn’t going to like recon activities and neither will most search engines. As such, I’ve provided a text document with the full terminal output from a Sublist3r run as a download for task four. You can still run this program and you’re likely not going to get into trouble, however, you’ll likely have a temporary CAPTCHA imposed on your Google searches for the next hour if you run this script.

You can also use this site if you don’t want to run Sublist3r: https://dnsdumpster.com/

You can find Sublist3r here! We’ll install this in the next task.

No answer needed.

[Task #2] — Installation

The GitHub repository for Sublist3r can be found here: https://github.com/aboul3la/Sublist3r

We'll be installing Sublist3r in /opt, the standard directory for optional (add-on) software on Linux. Note that /opt is normally owned by root, so the clone and install steps below need either sudo or a directory you have taken ownership of.

You’ll need to have either Python 3.4.x (or higher) or Python 2.7.x installed. We’ll be using Python 3 commands for this room.

Step 1: Change your working directory to /opt.

Step 2: Clone the Sublist3r repository into /opt: git clone https://github.com/aboul3la/Sublist3r.git

Step 3: Move into the Sublist3r directory you've just created: cd /opt/Sublist3r

Step 4: Install the Python dependencies Sublist3r needs: pip3 install -r requirements.txt

[Task #3] — Switchboard

Sublist3r has a number of switches that control everything from the target domain to which search engines are queried. You can list all of them by running Sublist3r with only the help switch, -h (python3 sublist3r.py -h from the /opt/Sublist3r directory).

1. What switch can we use to set our target domain to perform recon on?

Answer: -d

2. How about setting which engines we'll use for searching (i.e. google, bing, etc.)? The switch takes a comma-separated list of engine names.

Answer: -e

3. Saving our output is important, both so we don't have to run the recon again and so we can return to the results and review them later. What switch do we use to define an output file?

Answer: -o

4. Sublist3r can take a while to run, but we can speed things up with threads. Which switch sets the number of threads? (Note that this only affects the brute-force stage; the search-engine queries are not threaded by this switch.)

Answer: -t

5. Last but not least, we can also brute-force subdomains of our target using a wordlist. This isn't always the most useful option, since it generates a large number of DNS queries and can turn up false positives against wildcard DNS, but it can sometimes find a key host the search engines missed. What switch enables brute forcing?

Answer: -b

[Task #4] — Scans away!

Time to scan. Let's run Sublist3r against a target company's domain and learn about some common subdomains. You can also run this via the recon tool at https://dnsdumpster.com/, or just download my results from running Sublist3r.

1. Let's run Sublist3r now against nbc.com, a large American news company. Run it with the command: python3 sublist3r.py -d nbc.com -o sub-output-nbc.txt. The -o file lists one discovered subdomain per line.

No answer needed.

2. Once that completes, open up your results and take a look through them. Mail hosts are almost always interesting and typically have a webmail portal (often Outlook Web Access) hosted on them. Which subdomain is likely the email portal?

Answer: mail

3. Administrative control panels should never be exposed to the internet! Which subdomain is exposed that shouldn't be? (A DNS name alone doesn't prove a live panel is behind it; resolve the host and check what it serves before drawing conclusions.)

Answer: admin

4. Company blogs can sometimes reveal information about internal activities. Which subdomain hosts the company blog?

Answer: blog

5. Development sites are often vulnerable to information disclosure or full-blown attacks. Two development sites are exposed; which one is associated directly with web development?

Answer: dev-www

6. Customer and employee help desk portals can often reveal internal nomenclature and other potentially sensitive information. Which DNS record might be a helpdesk portal?

Answer: help

7. Single sign-on is a feature commonly used in corporate domains. Which DNS record is directly associated with this feature? Include both parts of this subdomain, separated by a period.

Answer: ssologin.stg

8. One last one for fun. NBC produced a popular sitcom about a typical office work environment. Which DNS record might be associated with this show?

Answer: office-words
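The switches from Task 3 and the result review from Task 4 can be tied together in a small script. The following is an added example, not code from the TryHackMe room or from the Sublist3r project: build_command assembles a sublist3r.py command line from the -d/-e/-o/-t/-b switches, parse_output reads the one-name-per-line file that -o writes, and triage buckets the names by what their labels suggest (mail, admin, dev/staging, helpdesk, SSO, and so on). The keyword lists, the script path /opt/Sublist3r/sublist3r.py and the SAMPLE_OUTPUT text are this example's own assumptions; the sample is constructed to mirror the names the room's answers refer to and is not the real scan output.

```python
"""Added example (not from the room or the Sublist3r project): drive
sublist3r.py with the Task 3 switches, then triage the file -o wrote."""
import re
import subprocess
from collections import defaultdict

# Categories follow Task 4's questions; the keyword lists are this example's
# own heuristic, not anything Sublist3r does itself.
INTERESTING = {
    "mail portal":   ("mail", "webmail", "owa", "autodiscover", "smtp", "mx"),
    "admin panel":   ("admin", "manage", "console", "cpanel"),
    "dev / staging": ("dev", "stg", "staging", "test", "uat", "qa", "beta"),
    "helpdesk":      ("help", "support", "helpdesk", "servicedesk"),
    "sso / login":   ("sso", "login", "auth", "idp", "adfs", "okta"),
    "blog / cms":    ("blog", "cms", "wordpress"),
    "vpn / remote":  ("vpn", "remote", "citrix", "gateway"),
}


def build_command(domain, output=None, engines=None, threads=None,
                  bruteforce=False, script="/opt/Sublist3r/sublist3r.py"):
    """argv for sublist3r.py using only the switches covered in Task 3.
    -e takes a comma-separated engine list; -t only matters together with -b.
    The script path is an assumption matching the Task 2 install location."""
    argv = ["python3", script, "-d", domain]
    if engines:
        argv += ["-e", ",".join(engines)]
    if output:
        argv += ["-o", output]
    if threads:
        argv += ["-t", str(threads)]
    if bruteforce:
        argv.append("-b")
    return argv


def run_sublist3r(domain, output, **kwargs):
    """Run the scan (needs network access and the /opt install) and return
    the text of the file -o saved. Not exercised offline."""
    subprocess.run(build_command(domain, output, **kwargs), check=True)
    with open(output, encoding="utf-8") as fh:
        return fh.read()


def parse_output(text, domain):
    """-o writes one subdomain per line. Normalise case, keep only names that
    really sit under the target domain (engines occasionally return
    look-alike domains), and drop duplicates."""
    suffix = "." + domain.lower()
    seen = set()
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if name.endswith(suffix):
            seen.add(name)
    return sorted(seen)


def triage(subdomains, domain):
    """Bucket subdomains by the purpose their labels suggest. A label matches
    a keyword exactly or by prefix ('ssologin' -> sso, 'mail2' -> mail)."""
    suffix = "." + domain.lower()
    buckets = defaultdict(list)
    for fqdn in subdomains:
        tokens = re.split(r"[^a-z0-9]+", fqdn[: -len(suffix)])
        for category, keywords in INTERESTING.items():
            if any(t == k or t.startswith(k) for t in tokens for k in keywords):
                buckets[category].append(fqdn)
    return {c: sorted(v) for c, v in buckets.items()}


# Constructed stand-in for the saved file; it mirrors the names the room's
# answers refer to and is not the real scan output.
SAMPLE_OUTPUT = """\
www.nbc.com
mail.nbc.com
admin.nbc.com
blog.nbc.com
dev-www.nbc.com
help.nbc.com
ssologin.stg.nbc.com
office-words.nbc.com
vpn.nbc.com
mail.nbc.com
www.nbcnews.com

"""

if __name__ == "__main__":
    print(" ".join(build_command("nbc.com", "sub-output-nbc.txt",
                                 threads=40, bruteforce=True)))
    subs = parse_output(SAMPLE_OUTPUT, "nbc.com")
    for category, names in triage(subs, "nbc.com").items():
        print(f"{category:14} {', '.join(names)}")
```

In a real engagement, swap SAMPLE_OUTPUT for the text returned by run_sublist3r (or read sub-output-nbc.txt) and treat the buckets as a prioritised to-do list: every name still has to be resolved and probed, since DNS entries outlive the hosts they once pointed at.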

Hope it will be helpful. :)
