Vertical and Horizontal Domain Co-Relation
There is also something known as a sub-sub domain.
To understand subdomain enumeration, you need to see how subdomains are enumerated and what the difference is between vertical domain co-relation and horizontal domain co-relation. This is related to the sub-sub domain that we discussed in the previous blog.
Let's quickly understand vertical domain co-relation. It covers all subdomains of a domain. For example, take google.com: one of its subdomains is maps.google.com. This is an example of vertical domain co-relation, which means any subdomain of a particular base domain or top-level domain.
Horizontal domain co-relation, in contrast, covers the acquisitions of the organisation behind the base domain. For example, google.cz, youtube.com and blogger.com are all products of Google, which means they are connected in some other way to the base domain through the parent organisation. Basically, anything that is acquired by Google as an entity is considered to be horizontal domain co-relation. Now, is it really important, or worth it, to identify security flaws in the acquisitions of a parent organisation?
Vertical Domain Co-relation
All the subdomains of a domain, e.g. google.com (maps.google.com) -> all subdomains of a particular base domain.
Horizontal Domain Co-relation
Acquisitions, e.g. google.cz, youtube.com, blogger.com -> anything that is acquired by Google as an entity.
Yes. There are many examples of bug bounty programs where acquisitions are also considered to be in scope. For instance, Facebook runs a bug bounty program which also includes one of its acquisitions. Similarly, Google includes all of its acquisitions in its bug bounty program, Apple also includes all its acquisitions under its bug bounty program, and so on. So far we have understood vertical domain co-relation and horizontal domain co-relation. So how do we actually identify these types of domains or subdomains?
There are some open source tools that can be used to identify them, and we are going to use most of them in the upcoming blog. I like to use subfinder because it is written in Go, and because of its speed and concurrency it is considered to be one of the fastest tools for identifying subdomains of any given target.
There are multiple tools that can be used to identify subdomains, like Amass, Sublist3r, Aquatone or Knockpy, but in the end you are going to get the same results from all of them. So, they basically save us time, and we are going to use subfinder in the upcoming blog, where we will identify multiple subdomains in a shorter span of time.
Subdomains for Recon
Subfinder - https://github.com/subfinder/subfinder
Amass - https://github.com/caffix/amass
Sublist3r - https://github.com/aboul3la/Sublist3r
Aquatone - https://github.com/michenriksen/aquatone
Knockpy - https://github.com/guelfoweb/knock
In addition to subfinder, I also like to find subdomains manually, because that is when we may come across a new subdomain for a target. For that we are going to use crt.sh, which is a certificate transparency log: if any new certificate has been issued for a top-level domain or one of its subdomains, you are going to know about it.
Second is censys.io, which is an IoT-connected search engine from which we can also identify subdomains for any target. Similar to Censys is shodan.io, which is again an internet-connected search engine where we can identify multiple targets and their subdomains.
Google certificate transparency is again a certificate log from which we can identify the subdomains of any given target. Facebook certificate transparency is similar to Google certificate transparency: we can identify subdomains based on the certificate logs.
You can also identify subdomains using the CSP header, and you can identify subdomains based on DNS records by using the viewdns.info website, dnsdumpster.com and virustotal.com.
I also like to find subdomains manually from:
crt.sh
censys.io
shodan.io
Google certificate transparency
Facebook certificate transparency
CSP header
viewdns.info
dnsdumpster.com
virustotal.com
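
As an added example (not from the original post), this sketch sorts the names found in certificate transparency records into vertical subdomains, sub-sub domains, and names outside the base domain that are only leads for horizontal co-relation. The records are constructed, the `common_name`/`name_value` field names are an assumption modeled on crt.sh's JSON output, and `example.com` is a placeholder domain.

```python
import json

# Constructed sample shaped like crt.sh JSON output; the field names are an
# assumption about that format and every value here is made up.
SAMPLE_CT_JSON = r"""[
  {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
  {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
  {"common_name": "maps.example.com", "name_value": "maps.example.com\nAPI.Dev.example.com"},
  {"common_name": "shop.example.com", "name_value": "shop.example.com\nexample-shop.net"},
  {"common_name": "notexample.com", "name_value": "notexample.com"}
]"""

def normalise(name):
    """Lower-case, trim, and drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def classify_ct_names(records, base_domain):
    """Bucket certificate names relative to base_domain."""
    base = normalise(base_domain)
    result = {"vertical": set(), "sub_sub": set(), "other": set()}
    for rec in records:
        names = [rec.get("common_name") or ""]
        names += (rec.get("name_value") or "").split("\n")
        for raw in names:
            name = normalise(raw)
            if not name or name == base:
                continue
            # Match on ".base", not "base", so notexample.com is not a subdomain.
            if name.endswith("." + base):
                result["vertical"].add(name)
                # More than one label left of the base: a sub-sub domain.
                if name[: -len(base) - 1].count("."):
                    result["sub_sub"].add(name)
            else:
                # Not under the base domain: at most a lead for horizontal
                # co-relation; ownership must be confirmed separately.
                result["other"].add(name)
    return result

def main():
    found = classify_ct_names(json.loads(SAMPLE_CT_JSON), "example.com")
    for bucket in ("vertical", "sub_sub", "other"):
        print(bucket, sorted(found[bucket]))

if __name__ == "__main__":
    main()
```
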
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal