Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word 'elephants' in the name?

What’s the Active Enumeration Technique to find the answer for this question?:

Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?

I found the answer using Passive technique: Information gathering - web edition

But I want to know the proper Active Technique for this?
Or is it just purely brute-forcing, and not from DNS enumeration?
I tried active tools to get the correct answer but I failed.
Anyone got a writeup?

Thanks in advance!

sublist3r is your friend for this task

2 Likes

I tried it too, but what settings/parameters should I load into it?
I am using /SecLists/master/Discovery/DNS/namelist.txt but it doesn't contain the answer.

You only need the parameter -d
You can then search the output with grep.

■■■ it worked!
Didn’t try this super basic command without wordlists.
Thanks!

Sometimes it’s the simple things that get overlooked. :wink:

1 Like

I'm doing this now, but mine says triage. I tried the things listed above and none worked.

It doesn’t work, I’ve found just one sub. But with “NMMAPPER” we can also resolve the question.

I’m having issues too with sublist3r.
I get an error after some time of running.

5 Likes

I have the same problem with sublist3r. But you can also use the site https://crt.sh to look for the subdomains.

12 Likes
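
Added example, not written by any poster in this thread: the crt.sh search suggested above is a passive lookup of certificate transparency logs, and its JSON output (`output=json`) repeats names, packs several names into one `name_value` field and includes wildcard entries, so it needs normalising before a grep-style search. The sample records are constructed under example.com, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (output=json).
# The names are made up under example.com and are not real query results.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "Elephants-Demo.example.com", "name_value": "elephants-demo.example.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com\nelephants-demo.example.com"},
    {"common_name": "mail.example.org", "name_value": "mail.example.org\nadmin@example.com"},
])


def names_from_crtsh(raw_json, domain):
    """Return the sorted, de-duplicated host names under `domain`."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        # name_value holds one SAN per line; common_name may add another name.
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name") or "")
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # wildcard cert: keep the parent name
            if "@" in name or not name:
                continue                 # skip e-mail SANs and empty fields
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def grep_names(names, keyword):
    """Case-insensitive substring filter, like piping the list through grep -i."""
    return [n for n in names if keyword.lower() in n]


if __name__ == "__main__":
    hosts = names_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(hosts))
    print("match:", grep_names(hosts, "elephants"))
```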

Dude You Are So cool
just took 10 sec to find :slight_smile: :smiling_face_with_tear:

Me too with sublist3r. I get subdomains back but not the ones the question is asking for.

But, your tips about https://crt.sh is spot on. Thanks!

1 Like

Did anyone get the right result using sublist3r?

I got the answer using crt.sh but I want to know how to get the answer using sublist3r?

sublist3r -d githubapp.com did not work for me as shown above. sublist3r -d githubapp.com -b is taking way too long

Just try TheHarvester.

Thanks to the crt.sh guy!
Don't waste your time with sublist3r… just errors like:
[!] Error: Virustotal probably now is blocking our requests
[!] Error: Google probably now is blocking our requests
[~] Finished now the Google Enumeration …

For anyone that’s having issues with crt.sh (for some reason I am getting the following error):

FATAL: terminating connection due to conflict with recovery
DETAIL: User query might have needed to see row versions that must be removed.
CONTEXT: PL/pgSQL function web_apis(text,text,text) line 4216 at FOR over EXECUTE statement
ERROR: server conn crashed?
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.

Try using https://rapiddns.io/
It took 2 seconds to run and then search for “trige”

This is something that opened my boxed mind.
Thank you!

I had been on this question for days, although mine was “triage”. Found your comment and I solved it immediately. Thank you!

I used subfinder with the command subfinder -d githubapp.com | grep triage and successfully found the subdomain