1 00:00:02,130 --> 00:00:05,310 Hello, everyone, and welcome to this video.
2 00:00:06,270 --> 00:00:13,800 So in this video, we're going to understand subdomain enumeration, as in the previous video
3 00:00:14,310 --> 00:00:17,530 we have already understood what a subdomain is.
4 00:00:18,360 --> 00:00:22,410 Now we will see how you can enumerate subdomains.
5 00:00:22,770 --> 00:00:29,590 What is the difference between vertical domain correlation and horizontal domain correlation?
6 00:00:30,540 --> 00:00:36,690 So there is something which is also known as a sub-subdomain that we discussed in the previous
7 00:00:36,690 --> 00:00:37,100 video.
8 00:00:38,280 --> 00:00:43,190 So let's quickly understand vertical domain correlation.
9 00:00:43,890 --> 00:00:48,640 So all the subdomains of a domain, for example, let's say google.com.
10 00:00:49,290 --> 00:00:54,850 So one of the subdomains of google.com would be maps.google.com.
11 00:00:55,680 --> 00:01:03,270 This is an example of vertical domain correlation, which means any subdomain of a particular base
12 00:01:03,330 --> 00:01:12,330 domain or top-level domain, whereas horizontal domain correlation contains the acquisitions of
13 00:01:12,330 --> 00:01:14,920 the top-level domain or the base domain.
14 00:01:15,540 --> 00:01:21,000 For example, google.cz, youtube.com, blogger.com.
15 00:01:21,420 --> 00:01:29,610 All of these are products of Google, which means they are in one way or another connected to
16 00:01:29,610 --> 00:01:37,350 the base domain or the top-level domain or the organization, which basically means anything that is
17 00:01:37,350 --> 00:01:43,440 acquired by Google as an entity is considered to be horizontal domain correlation.
18 00:01:44,080 --> 00:01:53,220 Now, is it really important, or would it be worth it, to identify security flaws in the acquisitions of any parent
19 00:01:53,220 --> 00:01:54,180 organization?
20 00:01:55,380 --> 00:02:03,330 Yes, there are many examples of bug bounty programs wherein acquisitions are also considered to be
21 00:02:03,330 --> 00:02:03,980 in scope.
22 00:02:04,410 --> 00:02:08,310 For instance, Facebook runs a bug bounty program.
23 00:02:09,720 --> 00:02:15,610 Facebook runs a bug bounty program, which also includes all of its acquisitions.
24 00:02:16,020 --> 00:02:22,050 Similarly, Google also includes all of its acquisitions in its bug bounty program.
25 00:02:22,510 --> 00:02:28,790 Similarly, Apple also includes all of its acquisitions under its bug bounty program, and so on.
26 00:02:29,400 --> 00:02:36,740 So as of now, we have understood vertical domain correlation and horizontal domain correlation.
27 00:02:37,470 --> 00:02:43,070 So how do we actually identify these types of domains or subdomains?
28 00:02:43,860 --> 00:02:50,670 So there are some open source tools that can be used to identify this, and we are going to use
29 00:02:50,970 --> 00:02:53,990 most of them in the upcoming videos.
30 00:02:55,470 --> 00:03:03,540 So I like to use Subfinder because it is written in Go, and because of its speed and concurrency
31 00:03:03,750 --> 00:03:10,490 it is considered to be one of the fastest tools to identify subdomains for any given target.
32 00:03:11,070 --> 00:03:18,210 There are multiple tools that can be used to identify subdomains, like Amass, Sublist3r, Aquatone or
33 00:03:18,210 --> 00:03:24,520 Knockpy, but at the end you're going to get the same results from all of them.
34 00:03:24,990 --> 00:03:28,340 So we basically want to save our time.
35 00:03:28,530 --> 00:03:35,790 So we are going to use Subfinder in the upcoming videos, wherein we will identify multiple subdomains
36 00:03:35,940 --> 00:03:37,750 in a shorter span of time.
37 00:03:39,840 --> 00:03:47,550 So in addition to Subfinder, I also like to find subdomains manually, because that is the time
38 00:03:47,550 --> 00:03:51,770 when we may get a new subdomain for any target.
39 00:03:52,230 --> 00:04:00,570 For that, we are going to use crt.sh, which basically is the certificate transparency log in which,
40 00:04:00,570 --> 00:04:08,340 if any new certificate has been assigned to a top-level domain or its subdomain, they are going to know about
41 00:04:08,340 --> 00:04:08,720 that.
42 00:04:10,440 --> 00:04:18,390 Second is censys.io, which is an IoT-connected search engine from where we can also identify
43 00:04:18,630 --> 00:04:25,950 given subdomains for any target. Similar to Censys is Shodan, which is again an Internet-connected
44 00:04:25,950 --> 00:04:34,770 search engine where we can identify multiple targets and their subdomains. Google Certificate Transparency
45 00:04:34,770 --> 00:04:43,050 logs is again the certificate logs from which we can identify the subdomains for any given target. Facebook
46 00:04:43,050 --> 00:04:43,550 Certificate
47 00:04:43,560 --> 00:04:47,460 Transparency is similar, like Google Certificate Transparency.
48 00:04:47,720 --> 00:04:51,990 Then we can identify subdomains based on the certificate logs.
49 00:04:52,560 --> 00:04:56,130 We can also identify subdomains using the CSP header.
50 00:04:56,520 --> 00:04:59,670 We can also identify subdomains based on DNS records
51 00:05:00,380 --> 00:05:07,270 by using the viewdns.info website, dnsdumpster.com, as well as virustotal.com.
52 00:05:08,180 --> 00:05:09,860 So I hope you guys understood this.
53 00:05:10,070 --> 00:05:10,670 Thank you.