Vertical and Horizontal Domain Correlation
There is also something known as a sub-sub domain, which we discussed in the previous blog.
To understand subdomain enumeration, you first need to see the difference between vertical domain correlation and horizontal domain correlation. Let's quickly look at vertical domain correlation first: it covers all subdomains of a domain. Take google.com, for example: one of its subdomains is maps.google.com. This is an example of vertical domain correlation, which means any subdomain of a particular base domain or top-level domain.
Horizontal domain correlation, in contrast, contains the acquisitions of the organisation behind the base domain. For example, google.cz, youtube.com and blogger.com are all products of Google, which means they are in some way connected to the base domain through the parent organisation. In other words, anything acquired by Google as an entity is considered horizontal domain correlation. Now, is it really important or worthwhile to identify security flaws in the acquisitions of a parent organisation?
Vertical Domain Correlation
All the subdomains of a domain such as google.com (e.g. maps.google.com) -> all subdomains of a particular base domain.
Horizontal Domain Correlation
Acquisitions of Google, e.g. google.cz, youtube.com, blogger.com -> anything that is acquired by Google as an entity.
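
The two definitions above can be applied mechanically when sorting an organisation's own hostname inventory or checking whether a name falls inside a program's scope. The following is an added example, not code from the original post: the base domains are the ones named in the post, while the function names and the sample hostnames are constructed for illustration.

```python
# Added example: label hostnames as vertical or horizontal correlation.
PRIMARY = "google.com"                                  # base domain, from the post
ACQUIRED = {"google.cz", "youtube.com", "blogger.com"}  # horizontal set, from the post

# Constructed sample input, e.g. names copied from certificate entries.
SAMPLE_NAMES = [
    "maps.google.com",
    "*.Mail.Google.com.",       # wildcard, mixed case, trailing dot
    "a.b.google.com",           # a sub-sub domain
    "studio.youtube.com",
    "blogger.com",
    "google.cz",
    "notgoogle.com",            # look-alike: shares a suffix, not a label boundary
    "google.com.example.net",   # look-alike: base domain used as a prefix
]

def normalise(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def under(host, base):
    """True when host is base itself or a label-aligned subdomain of it."""
    return host == base or host.endswith("." + base)

def classify(name, primary=PRIMARY, acquired=ACQUIRED):
    """Return (kind, matched base, number of labels below that base)."""
    host = normalise(name)
    if under(host, primary):
        return ("vertical", primary, host.count(".") - primary.count("."))
    for base in sorted(acquired):
        if under(host, base):
            return ("horizontal", base, host.count(".") - base.count("."))
    return ("unrelated", None, 0)

def inventory(names):
    """Group normalised hostnames by correlation type."""
    result = {"vertical": [], "horizontal": [], "unrelated": []}
    for n in names:
        result[classify(n)[0]].append(normalise(n))
    return result

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:26} {classify(n)}")
```

The label-boundary check in `under` is what keeps look-alike names such as notgoogle.com out of the vertical set; a plain suffix match would wrongly include them.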
Yes. There are many examples of bug bounty programs where acquisitions are also considered in scope. For instance, Facebook runs a bug bounty program which also includes one of its acquisitions; similarly, Google includes all of its acquisitions in its bug bounty program, Apple also includes all of its acquisitions under its bug bounty program, and so on. So far we have understood vertical domain correlation and horizontal domain correlation. So how do we actually identify these types of domains or subdomains?
There are some open source tools that can be used to identify them, and we are going to use most of them in the upcoming blog. I like to use subfinder because it is written in Go, and because of its speed and concurrency it is considered to be one of the fastest tools for identifying subdomains of any given target.
There are multiple tools that can be used to identify subdomains, like Amass, Sublist3r, Aquatone or Knockpy, but in the end we are going to get the same results from all of them. So we basically want to save time, and we are going to use subfinder in the upcoming blog, where we will identify multiple subdomains in a shorter span of time.
Subdomains for Recon
Subfinder - https://github.com/subfinder/subfinder
Amass - https://github.com/caffix/amass
Sublist3r - https://github.com/aboul3la/Sublist3r
Aquatone - https://github.com/michenriksen/aquatone
Knockpy - https://github.com/guelfoweb/knock
In addition to subfinder, I also like to find subdomains manually, because that is when we may come across a new subdomain for a target. For that we are going to use crt.sh, which is a certificate transparency log: if any new certificate has been issued for a top-level domain or one of its subdomains, you are going to know about it.
Second is censys.io, which is an IoT-connected search engine from which we can also identify subdomains for any target. Similar to Censys is Shodan.io, which is again an internet-connected search engine where we can identify multiple targets and their subdomains. Google certificate transparency is again a certificate log from which we can identify the subdomains of any given target, and Facebook certificate transparency is similar to Google certificate transparency: we can identify subdomains based on the certificate logs. You can also identify subdomains using the CSP header, and you can identify subdomains based on DNS records by using the viewdns.info website, dnsdumpster.com, as well as virustotal.com.
I also like to find the subs manually from -
crt.sh
censys.io
shodan.io
Google certificate transparency
Facebook certificate transparency
CSP header
viewdns.info
dnsdumpster.com
virustotal.com
- Hacking Truth by Kumar Atul Jaiswal