How I Built My 4th Level Deeper Subdomain Enumeration VAPT Automation Script Tool | Offensive Security, Red Team

Subh Dhungana
5 min readMay 17, 2023

--

In this article, I share my journey of developing DeepSubh, a powerful subdomain enumeration automation script that does subdomain enumeration upto 4th level deeper. Generally we ignore deeper level subdomain enumeration while doing vapt stuffs or bug bounty. But, it is one of the important phase to find hidden endpoints and as they say in bug bounty, non-duplicate bugs. I provide a detailed explanation of the code and its functionality, breaking it down step by step.

Starting with an overview of the Bash script, I explain how it accepts a domain name as an argument and creates a directory to store the results. The script then proceeds to perform subdomain enumeration at different levels using tools such as subfinder, assetfinder, and amass.

I delve into each level of subdomain enumeration, discussing the commands used and their purpose. From the 1st level to the 4th level, I explain how the script combines the output of multiple tools, checks for live subdomains, and saves the results in separate files.

Throughout the article, I provide examples of code snippets and highlight key features and techniques used in the script. I cover important concepts such as filtering subdomains, handling concurrency, and sorting and deduplicating results.

Furthermore, I discuss the cleanup process, where unnecessary files generated during the enumeration are removed, leaving only the final consolidated list of unique subdomains.

By the end of the article, readers will have a comprehensive understanding of how DeepSub automates the subdomain enumeration process and improves the efficiency of vulnerability assessment and penetration testing (VAPT). They will be equipped with the knowledge to implement similar automation scripts and enhance their own offensive security workflows.

Whether you’re a security enthusiast, a penetration tester, or a red teamer, this article will provide valuable insights into building an automated subdomain enumeration tool and empower you to level up your VAPT game.

The provided code is a Bash script for automating the process of subdomain enumeration using various tools such as subfinder, assetfinder, and amass. Let’s go through the code step by step:

#!/bin/bash

DOMAIN=$1
DIRECTORY=${DOMAIN}_Deeper_Sub
mkdir $DIRECTORY

The script starts by declaring the shebang #!/bin/bash to specify that it should be interpreted using the Bash shell. It then accepts the domain name as an argument and assigns it to the variable $DOMAIN. Next, it creates a directory using the domain name appended with "_Deeper_Sub" and stores it in the variable $DIRECTORY. The mkdir command is used to create the directory.

echo " "
echo " Now, starting 1st level subdomain enumeration"
echo " "
subfinder -d $DOMAIN | tee $DIRECTORY/subfinder_1.txt
assetfinder --subs-only $DOMAIN | tee $DIRECTORY/assetfinder_1.txt
amass enum -d $DOMAIN -o $DIRECTORY/amass_1.txt
cat $DIRECTORY/subfinder_1.txt $DIRECTORY/assetfinder_1.txt $DIRECTORY/amass_1.txt | sort -u | tee $DIRECTORY/1st_level_subdomains_all.txt

The script proceeds to perform the 1st level subdomain enumeration. It starts by printing informative messages to the console. Then, it uses the subfinder command to enumerate subdomains of the specified domain and saves the output to the file subfinder_1.txt inside the $DIRECTORY. Similarly, the assetfinder command is used to obtain subdomains for the domain, and only the subdomains are extracted using the --subs-only option. The output is saved to the file assetfinder_1.txt. Finally, the amass enum command performs subdomain enumeration using Amass and saves the results in the file amass_1.txt. The cat command is used to concatenate the contents of the three files generated by subfinder, assetfinder, and amass. The combined output is then sorted and saved to the file 1st_level_subdomains_all.txt.

The subsequent sections of the code follow a similar pattern for 2nd, 3rd, and 4th level subdomain enumeration. Here’s an example for the 2nd level enumeration:

echo " "
echo " Now, starting 2nd level subdomain enumeration"
echo " "
cat $DIRECTORY/subfinder_1.txt $DIRECTORY/assetfinder_1.txt $DIRECTORY/amass_1.txt | sort -u | httprobe -c 50 | sed 's/https\?:\/\///' | awk -F/ '{print $1}' | sort -u | tee $DIRECTORY/all_subdomains_2.txt
subfinder -dL $DIRECTORY/all_subdomains_2.txt | tee $DIRECTORY/subfinder_2.txt
assetfinder --subs-only -d $DIRECTORY/all_subdomains_2.txt | tee $DIRECTORY/assetfinder_2.txt
amass enum -d $DOMAIN -rf $DIRECTORY/all_subdomains_2.txt -o $DIRECTORY/amass_2.txt
cat $DIRECTORY/subfinder_2.txt $DIRECTORY/assetfinder_2.txt $DIRECTORY/amass_2.txt | sort -u | tee $DIRECTORY/2nd_level_subdomains_all.txt

In the 2nd level enumeration section, the script again starts by printing informative messages. It then uses the cat command to combine the output of the 1st level enumeration from the three tools: subfinder, assetfinder, and amass. The combined output is then piped into httprobe to check for live subdomains. The -c 50 flag specifies the concurrency level of 50 for faster probing. The resulting list of live subdomains is then processed using sed and awk to extract the domain names only and remove any URL prefixes (http:// or https://). The filtered subdomains are sorted and saved to the file all_subdomains_2.txt inside the $DIRECTORY.

Next, the script proceeds with subdomain enumeration using subfinder, assetfinder, and amass for the list of 2nd level subdomains obtained. The subfinder command uses the -dL option to perform enumeration based on the list of subdomains provided in the file all_subdomains_2.txt. The results are saved to subfinder_2.txt. Similarly, the assetfinder command uses the --subs-only option along with the -d flag to enumerate subdomains for the domain specified in the all_subdomains_2.txt file. The output is saved to assetfinder_2.txt. Lastly, the amass enum command performs enumeration using Amass and the -rf option is used to provide the list of subdomains from all_subdomains_2.txt. The results are saved to amass_2.txt.

Finally, the script uses the cat command to concatenate the output files from subfinder, assetfinder, and amass for the 2nd level enumeration. The combined output is sorted, and the resulting list of unique subdomains is saved to the file 2nd_level_subdomains_all.txt.

The script repeats similar steps for the 3rd and 4th level subdomain enumeration, generating files such as all_subdomains_3.txt, subfinder_3.txt, assetfinder_3.txt, amass_3.txt, all_subdomains_4.txt, subfinder_4.txt, assetfinder_4.txt, and amass_4.txt.

Towards the end, unnecessary files generated during the enumeration process are deleted using the rm command. The script then prints the obtained subdomains by concatenating the relevant files, and the temporary files are also removed, leaving only the final file all_deeper_subdomains.txt containing all the unique subdomains found.

In this captivating journey, we have explored the depths of subdomain enumeration with DeepSubh, an exceptional automation script that unveils hidden endpoints and non-duplicate bugs. By combining the power of subfinder, assetfinder, and amass, DeepSubh automates the process of subdomain enumeration up to the 4th level, enhancing the efficiency of vulnerability assessments and penetration testing. From code snippets to cleanup processes, this article has equipped readers with the knowledge to build their own automated subdomain enumeration tools, empowering them to level up their offensive security workflows and unlock new opportunities in the world of VAPT.

In summary, the script automates the process of subdomain enumeration by utilizing popular tools such as subfinder, assetfinder, and amass. It performs enumeration at multiple levels, starting from the 1st level and going deeper based on the discovered subdomains. The script combines the output from each level, checks for live subdomains, and saves the results in separate files. Finally, it cleans up unnecessary files and presents the consolidated list of all discovered subdomains.

Thank You,
Shubham Dhungana,
Security Analyst, Penetration Tester
Offensive Security | VAPT Red Team

--

--

Subh Dhungana

Offensive Side | Bug Bounty Hunter | Programmer Having Affair With Cyber Sec