Penetration Testing: Domain Footprinting with Subdomain Search and Other Techniques
When it comes to cybersecurity, the reality is that it is no longer a question of “if” but “when” an organization would be hacked or attacked. The probability of an attack is high, with one cyber attack happening every 39 seconds. As such, companies need to protect their businesses by employing robust cybersecurity policies and strategies. Penetration testing is among the processes that help businesses proactively defend themselves. In particular, penetration testing can help:
- Prevent cyber attacks by discovering security flaws
- Detect the presence of intrusions, allowing companies to act immediately
Penetration testers or pen-testers mimic the actions of cybercriminals to uncover vulnerabilities in an organization’s systems. The process has several stages, the first being reconnaissance, where pen-testers scout the company’s systems for any vulnerability or security flaw.
Domain Footprinting as Part of Reconnaissance
The whole penetration test’s success rests on the reconnaissance stage since it is where the attack surface is mapped out. After all, organizations cannot address or mitigate what they do not know about. As such, it is important to uncover as many vulnerabilities as possible during this stage before real cybercriminals can discover them.
One way to see the entire attack surface is by mapping out the company’s domain footprint, which makes reconnaissance more inclusive and comprehensive. Below are some techniques that help in domain footprinting.
Subdomain Search
Subdomain search is a crucial part of the reconnaissance stage of penetration testing. It helps testers uncover subdomains that point to applications not publicly available and discover external networks and infrastructure that the company uses. Threat actors could exploit these associations.
To illustrate, let us use a subdomain search tool to find the subdomains of starbucks[.]com. The solution found 867 subdomains, some of which the company could be using internally, such as test and development environments, while others could be applications that are still in the making.
Threat actors are more likely to try to exploit these subdomains, as they tend to be less secure than public-facing ones. For example, to launch a subdomain takeover, threat actors would need to look for subdomains that point to a page showing a 404 error.
Domain Name System Mapping
Pen-testers can find more attack vectors when they examine the Domain Name System (DNS) records of the subdomains. For instance, they may know firsthand that starbucks[.]com points to the IP address 104[.]105[.]110[.]83. However, after the subdomain search, they could, hypothetically, find subdomains vulnerable to cyber attacks. And through a DNS search, they can find more data that can widen the attack surface.
For example, Starbucks subdomains point to four different IP addresses. These DNS records point to subdomains that point to at least three IP netblocks, namely:
- 98[.]99[.]252[.]0–98[.]99[.]252[.]255
- 104[.]40[.]0[.]0–104[.]47[.]255[.]255
- 104[.]105[.]96[.]0–104[.]105[.]127[.]255
Are these IP addresses and netblocks owned by the company? If so, then these can be added to its potential attack surface and included in the penetration testing. If not, this indicates a different entity has taken over the associated subdomains, and the company’s security team must take action.
More associated domains can also be uncovered by running these IP addresses on a reverse IP/DNS lookup tool.
Recommended Reading :
- 6 Effective Steps to Carry Out Penetration Testing Successfully
- CyberArk Uncovers Potential Risks in Kubernetes
- How is Cyber Resilience Important for Your Business?
Every possible attack vector should be explored during penetration testing since cybercriminals exploit anything they can—be they subdomains, open ports, networks, or IP ranges, to name a few. Including subdomain search and other domain footprinting techniques in penetration testing reconnaissance help companies see the bigger picture.