Hello guys, I have this question from the INFORMATION GATHERING - WEB EDITION module, in the Active Subdomain Enumeration section.
The section states that there’s no need for further enumeration if we are lucky enough to find a DNS server that allows AXFR (fragment 2. Testing for ANY and AXFR Zone Transfer). However, the next fragment (Gobuster) says that if we discover a pattern in the domain names, we can use gobuster with the dns module to brute-force subdomain enumeration, so my question is…
When using certificate transparency, is there any chance that some subdomains are not listed (maybe because they don’t have a digital certificate)? And in a case like this, can we leverage subdomain brute-forcing?
So in simple words:
If AXFR is allowed → jackpot, no need for further subdomain enumeration
If AXFR is not allowed → check certificate transparency websites → identify patterns → perform brute force
Am I right? I’m just trying to put the pieces together.