Perform a Basic DNS Subdomain Scan in Gobuster


Introduction

In the realm of cybersecurity and penetration testing, discovering subdomains is a crucial step in reconnaissance. Subdomains often host different applications, services, or development environments that might expose additional attack surfaces or vulnerabilities not present on the main domain. Gobuster is a popular tool used for brute-forcing URIs (directories and files), DNS subdomains, Amazon S3 buckets, and virtual host names.

This lab will guide you through the process of performing a basic DNS subdomain scan using Gobuster. You will learn how to select a target, choose an effective wordlist, construct the Gobuster command with the necessary flags, execute the scan, and interpret the results to identify active subdomains. By the end of this lab, you will have a foundational understanding of how to leverage Gobuster for subdomain enumeration, a vital skill for any security professional or enthusiast.

Select a Target Domain

In this step, you will select a target domain for your subdomain scan. For educational purposes, we will use scanme.nmap.org as our target. The Nmap project provides this host for testing and permits scanning it, with the request that you keep the load modest. Note what a DNS subdomain scan actually touches: the queries go to your configured resolver and, on cache misses, to the authoritative name servers for nmap.org, not to the scanme host itself. Keep the thread count at the default and do not rerun large lists needlessly. Outside a lab, enumerate only domains you are authorized to test.

First, ensure Gobuster is installed. If it's not, you can install it using apt.

sudo apt update
sudo apt install -y gobuster

After installation, verify it by printing the version. The dns subcommand used in this lab requires Gobuster 3.x; the older 2.x series used a different -m mode syntax.

gobuster version

You should see a version number similar to this, indicating Gobuster is installed:

3.x

Now, let's confirm our target domain. We will use scanme.nmap.org.

echo "Our target domain is: scanme.nmap.org"

This command simply prints the target domain to your terminal, confirming your selection.

Choose a Wordlist for Subdomains

In this step, you will choose a suitable wordlist for your subdomain scan. A wordlist is a file containing a list of common subdomain names (e.g., www, mail, dev, admin). Gobuster will attempt to resolve each name in the wordlist combined with your target domain (e.g., www.scanme.nmap.org, mail.scanme.nmap.org).

For this lab, we will use a subdomain wordlist from the SecLists project. Its Discovery/DNS directory contains several lists; subdomains-top1million-5000.txt holds the 5,000 most common subdomain labels and is a sensible first choice because it finishes quickly. The rest of this lab refers to the local copy as dns.txt, so save it under that name.

First, make sure the working directory exists, then download the list if it is not already there:

mkdir -p ~/project
[ -f ~/project/dns.txt ] || wget -O ~/project/dns.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt

The [ -f ... ] || guard skips the download when the file already exists, which is useful if you run the command multiple times. The -O flag tells wget which file to write. The existence check is done in the shell rather than with wget's -nc (no-clobber) option, because -nc is not designed to be combined with -O.

After downloading, verify that the wordlist file exists in your ~/project/ directory:

ls -l ~/project/dns.txt

You should see output similar to this, confirming the file's presence:

-rw-r--r-- 1 labex labex XXXX Month Day HH:MM /home/labex/project/dns.txt

This confirms that dns.txt is ready to be used as our wordlist.
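A wordlist is only as good as its hygiene: every line becomes one DNS query, so blank lines, comments, duplicates and strings that cannot be DNS labels waste queries and inflate the run time. The following shell functions, an added example that is not part of the original lab or of Gobuster or SecLists, normalise a list before it is handed to gobuster dns and report how many queries the scan will issue at minimum. The sample list at the bottom is constructed to show each defect the functions remove.

```shell
#!/bin/sh
# Added example for this lab (not part of the original page, Gobuster or SecLists):
# normalise a subdomain wordlist before feeding it to gobuster dns.

# clean_wordlist: read candidate names on stdin, write a cleaned list on stdout.
clean_wordlist() {
    tr -d '\r' |                                   # strip Windows line endings
    tr 'A-Z' 'a-z' |                               # DNS is case-insensitive: dedupe on lowercase
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' |                   # drop comments and surrounding whitespace
    grep -E '^[a-z0-9_]([a-z0-9_.-]*[a-z0-9_])?$' | # letters, digits, '_' (SRV/TXT names), '-' and '.' only inside
    grep -v '\.\.' |                               # no empty labels such as "a..b"
    LC_ALL=C sort -u                               # remove duplicates; fixed locale for a stable order
}

# count_candidates: the minimum number of DNS queries a scan with this list will make.
count_candidates() {
    clean_wordlist | wc -l | tr -d ' '
}

# Constructed sample list (not from SecLists) containing the defects above.
SAMPLE_WORDLIST='www
WWW
mail
# internal comment line
  dev  
_dmarc
bad label
api.dev
-leading
trailing-
'

printf '%s\n' "$SAMPLE_WORDLIST" | clean_wordlist
printf 'candidates: %s\n' "$(printf '%s\n' "$SAMPLE_WORDLIST" | count_candidates)"
```

Run it as clean_wordlist < raw.txt > ~/project/dns.txt on a real list. The label check is deliberately permissive (underscores and dotted entries such as api.dev are kept, because both occur in real DNS and in published wordlists); it rejects only what can never resolve.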

Construct the Basic gobuster dns Command

In this step, you will construct the basic Gobuster command for performing a DNS subdomain scan. Gobuster uses different modes for different types of brute-forcing. For DNS subdomain enumeration, we use the dns mode.

The essential flags for a DNS scan are:

  • -d: Specifies the target domain.
  • -w: Specifies the path to the wordlist.

Useful optional flags (Gobuster 3.x) that you will want once the basic scan works:

  • -t: Number of concurrent threads (default 10); keep it low against name servers you do not own.
  • -r: Use a specific resolver (for example 1.1.1.1) instead of the system one, so results do not depend on a corporate or split-horizon resolver.
  • -i: Show the IP address(es) each found name resolves to.
  • -o: Write the results to a file for later analysis.
  • --wildcard: Continue even when the target has wildcard DNS. Gobuster otherwise refuses to run, because every name in the list would appear to exist.

So, the basic command structure will be gobuster dns -d <target_domain> -w <wordlist_path>.

Let's assemble the command using our chosen target scanme.nmap.org and the wordlist ~/project/dns.txt.

echo "The Gobuster command will be: gobuster dns -d scanme.nmap.org -w ~/project/dns.txt"

This command will print the full Gobuster command you are about to execute. Understanding the command before running it is crucial for effective use of any tool.

Execute the Scan with -d and -w Flags

In this step, you will execute the Gobuster DNS subdomain scan using the command constructed in the previous step. This will initiate the brute-forcing process, where Gobuster attempts to resolve each entry in the wordlist as a subdomain of the target domain.

Execute the following command in your terminal:

gobuster dns -d scanme.nmap.org -w ~/project/dns.txt

As the scan runs, Gobuster prints one Found: line for each name in the wordlist that resolves. By default only the hostname is shown; add -i (--show-ips) to print the resolved address(es) after it.

Example output. The header fields are the ones the dns mode prints; the Found: lines are illustrative, since which names resolve depends on the target's zone and may be few or none:

===============================================================
Gobuster v3.x
===============================================================
[+] Domain:     scanme.nmap.org
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /home/labex/project/dns.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: www.scanme.nmap.org
Found: test.scanme.nmap.org
Found: mail.scanme.nmap.org
...
===============================================================
Finished
===============================================================

Two things to watch for. First, before brute-forcing, Gobuster resolves a random name under the target domain; if that resolves, the zone has wildcard DNS, every candidate would "exist", and Gobuster stops with a "Wildcard DNS found" message unless you pass --wildcard. If you do force it, hits that all resolve to the wildcard address are not real hosts. Second, an empty result is a valid result: it means none of the names in the list resolved, not that the tool failed.

The scan might take some time depending on the size of the wordlist and network conditions. Let it complete to get a comprehensive list of found subdomains, and add -o <file> if you want the results saved for the analysis in the next step.

Analyze the List of Found Subdomains

In this final step, you will analyze the output from the Gobuster scan. Each Found: line is a name from the wordlist that resolved to an address under the target domain; names that did not resolve are not printed.

Review the output from the previous step (or the file you wrote with -o). Look for lines starting with Found: followed by a fully qualified subdomain, and the resolved address(es) in square brackets if you ran with -i.

For example, you might see:

  • Found: www.scanme.nmap.org
  • Found: test.scanme.nmap.org
  • Found: mail.scanme.nmap.org

Each of these represents a potential entry point or an interesting asset related to the target domain. Before treating a hit as real, confirm it with an independent lookup (host or dig against a different resolver) and check whether several hits share the same address, which usually means wildcard DNS or a shared front end rather than distinct hosts. In a real-world scenario, you would then investigate the confirmed subdomains further, perhaps by visiting them in a web browser, performing port scans, or looking for web vulnerabilities.

To confirm you have analyzed the output, let's check for a common subdomain like www.

echo "Look for 'www.scanme.nmap.org' in the Gobuster output."

This step emphasizes the importance of reviewing the results of your reconnaissance tools. The raw output from Gobuster provides valuable information that can guide your subsequent security assessments.
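Saved output is easier to work with than a scrolling terminal. The following shell functions, an added example that is not part of the original lab or of Gobuster, turn a saved gobuster dns run into a deduplicated host list and flag the wildcard-DNS pattern discussed above (many hits, one address). They assume the 3.x line formats "Found: <host>" and, with -i, "Found: <host> [<ip>, <ip>]"; the two sample outputs are constructed, not real scan results.

```shell
#!/bin/sh
# Added example for this lab (not part of the original page or of Gobuster):
# post-process saved gobuster dns output (gobuster dns ... -i -o scan.txt).
# Assumed line formats: "Found: <host>" and "Found: <host> [<ip>, <ip>]" (with -i).

# found_hosts: stdin -> unique, sorted hostnames taken from Found: lines.
found_hosts() {
    sed -n 's/^Found: \([^ ]*\).*/\1/p' | LC_ALL=C sort -u
}

# found_pairs: stdin -> "<host> <first-ip>" per Found: line ("-" when no IP was printed).
found_pairs() {
    awk '/^Found: / {
        ip = "-"
        if (match($0, /\[[0-9A-Fa-f.:, ]*]/)) {
            split(substr($0, RSTART + 1, RLENGTH - 2), addrs, ", *")
            ip = addrs[1]
        }
        print $2, ip
    }'
}

# wildcard_suspect: stdin -> "yes" when at least three distinct hosts all resolve to
# one and the same address (the usual signature of wildcard DNS), otherwise "no".
# Lines without an IP (a run without -i) carry no evidence and are ignored.
wildcard_suspect() {
    found_pairs | awk '
        $2 != "-" { hosts[$1] = 1; ips[$2] = 1 }
        END {
            nh = 0; for (h in hosts) nh++
            ni = 0; for (i in ips) ni++
            verdict = (nh >= 3 && ni == 1) ? "yes" : "no"
            print verdict
        }'
}

# Constructed sample output (not a real scan) from a run with -i; note the duplicate line.
SAMPLE_SCAN='===============================================================
Gobuster v3.x
===============================================================
[+] Domain:     example.com
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /home/labex/project/dns.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: www.example.com [198.51.100.10, 2001:db8::10]
Found: mail.example.com [198.51.100.20]
Found: dev.example.com [198.51.100.10]
Found: www.example.com [198.51.100.10, 2001:db8::10]
===============================================================
Finished
==============================================================='

# Constructed sample where every hit shares one address: wildcard DNS or a catch-all front end.
SAMPLE_WILDCARD='Found: a.example.com [203.0.113.5]
Found: b.example.com [203.0.113.5]
Found: c.example.com [203.0.113.5]'

printf '%s\n' "$SAMPLE_SCAN" | found_hosts
printf 'wildcard suspect (scan 1): %s\n' "$(printf '%s\n' "$SAMPLE_SCAN" | wildcard_suspect)"
printf 'wildcard suspect (scan 2): %s\n' "$(printf '%s\n' "$SAMPLE_WILDCARD" | wildcard_suspect)"
```

On a real run, found_hosts < scan.txt gives the list to feed into the next tool (a port scanner, an HTTP prober), and a "yes" from wildcard_suspect is the cue to re-check a handful of hits by hand before spending any more time on them.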

Summary

In this lab, you successfully performed a basic DNS subdomain scan using Gobuster. You learned how to:

  • Select a target domain (scanme.nmap.org).
  • Choose and download an appropriate wordlist (dns.txt).
  • Construct the Gobuster command using the dns mode and the -d (domain) and -w (wordlist) flags.
  • Execute the scan and observe the real-time output of discovered subdomains.
  • Analyze the results to identify active subdomains and understand their significance.

This foundational skill is crucial for reconnaissance in cybersecurity, allowing you to expand your understanding of a target's attack surface. You can further enhance your Gobuster scans by experimenting with different wordlists, increasing the number of threads (-t) within what the target's name servers can reasonably tolerate, specifying a custom DNS server (-r/--resolver), showing the resolved addresses (-i), or saving results to a file (-o) for later analysis.