Subdomain enumeration in CTFs

If you’re playing a CTF, and you don’t find anything interesting, there’s a decent chance that the path is elsewhere, for example, on a subdomain (SB).

If it’s a very easy CTF, you will probably get some hints, like unusual HTML comments or even a direct link to that SB in the source code.

The scenario may involve a careless dev team that uses SBs like development.ctfdomain.platform or preproduction.ctfdomain.platform.

Unfortunately, it is rarely that easy. You might be on your own without any hint, and it would be time-consuming to guess the SB.

In such a case, there’s very little chance you can solve the CTF if you don’t know a few tools and wordlists.

This is far from an exhaustive list. There are many other approaches, including Python scripts and other utilities. I won’t mention them because I’m less comfortable with those tools, not because they aren’t worth it.

I will refer to “subdomain” as “SB” throughout this post, for convenience. Sorry for the potential impact on readability.

I only got an IP, not a domain name

CTFs usually provide machines that are hosted on cloud platforms such as AWS and can be initiated on demand (e.g., containers).

Once the machine is ready, you get an IP you can use for basic enumeration (e.g., Nmap, Gobuster, Nikto). That works, but it isn’t user-friendly, and a web server that relies on name-based virtual hosts will only serve its default site when you address it by IP.

You can point a domain of “your choice” to that IP in the /etc/hosts file (attacker’s machine):

# /etc/hosts
IP  ctfdomain.platform

N.B.: some CTFs will explicitly ask you to add the domain name to your hosts before anything to ensure everything goes as planned.

Google Dorks


The above Google dork could reveal SBs on a public target but, unfortunately, most CTFs do not work like that: the machine sits on a private IP that no search engine has ever indexed.

The hacking platform will likely invite you to use a VPN connection (e.g., OpenVPN config) to play the CTF.

Forget about online scanning tools.

DNS Pentesting

What you need is to apply some DNS pentesting techniques. Here are a few tools and techniques that can be rewarding during CTFs.

Dig further

The dig command can be used for DNS pentesting. It’s pre-packaged in Kali Linux, but you can install it on other Linux distributions easily. For example, on a Debian-based distro like Ubuntu, type:

sudo apt install dnsutils -y

Then, you can use the following command to request the whole zone, which reveals every record in it, including any “hidden” A and CNAME entries:

dig axfr ctfdomain.platform @IP_MACHINE

axfr requests an AXFR, the zone transfer that secondary nameservers use to copy a complete zone from the primary. A nameserver that accepts AXFR from anyone leaks every hostname in the zone, no authentication needed; that misconfiguration is what we exploit here.

It’s not supposed to work on a properly configured server, but in the context of a CTF, it often does. Two things must hold: the target actually runs a DNS server (TCP port 53 shows up in your Nmap scan), and you name the zone exactly as it exists on that server. If the transfer is refused, try this:

dig ANY ctfdomain.platform @IP_MACHINE

Many modern servers answer ANY with a deliberately minimal response, so don’t expect it to list everything.
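As an added example (not part of the original post): a small shell helper that runs the transfer and turns dig’s output into a clean list of hostnames you can feed to Nmap or your hosts file. The zone contents, IP addresses and names below are constructed for the example; zone_transfer needs a real nameserver to talk to, while extract_names works offline on saved output.

```shell
#!/bin/sh
# Added example (not from the original post): run an AXFR against the CTF
# nameserver and turn the zone into a clean list of hostnames.
# IP_MACHINE, ctfdomain.platform and the sample zone below are assumptions.

# Live query: only works if the box actually serves DNS (check with
# "nmap -p53 IP_MACHINE" first) and the zone allows transfers to anyone.
zone_transfer() {
    domain="$1"; ns="$2"
    dig +noall +answer axfr "$domain" "@$ns"
}

# Parse dig output: drop comment lines (";"), keep the owner name of
# A/AAAA/CNAME records, strip the trailing dot, de-duplicate.
extract_names() {
    awk '!/^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") { print $1 }' \
        | sed 's/\.$//' \
        | LC_ALL=C sort -u
}

# Constructed sample of what dig prints for a permissive zone.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr ctfdomain.platform @10.10.10.5
;; global options: +cmd
ctfdomain.platform. 604800 IN SOA ns1.ctfdomain.platform. admin.ctfdomain.platform. 2 604800 86400 2419200 604800
ctfdomain.platform. 604800 IN NS ns1.ctfdomain.platform.
ctfdomain.platform. 604800 IN A 10.10.10.5
ns1.ctfdomain.platform. 604800 IN A 10.10.10.5
dev.ctfdomain.platform. 604800 IN A 10.10.10.5
preproduction.ctfdomain.platform. 604800 IN CNAME dev.ctfdomain.platform.
ctfdomain.platform. 604800 IN SOA ns1.ctfdomain.platform. admin.ctfdomain.platform. 2 604800 86400 2419200 604800
;; Query time: 2 msec'

# Offline run over the constructed sample.
sample_names() {
    printf '%s\n' "$SAMPLE_AXFR" | extract_names
}

# Usage against a real target:
#   zone_transfer ctfdomain.platform IP_MACHINE | extract_names
```

Each name the parser prints is a candidate for your hosts file and for a dedicated Nmap or Gobuster pass; the SOA and NS records are dropped on purpose since they describe the zone itself rather than services to look at.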

Call Metasploit to the rescue

Metasploit is a phenomenal framework that provides various modules to speed up hacking.

You can use the following module to enumerate DNS:

msf > use auxiliary/gather/enum_dns
msf > show options

The show options command lists every option you can tweak with the set command: the domain to enumerate, the nameserver to query, and which techniques to run (zone transfer, wordlist brute-force, and so on).

Best wordlist for SB brute-force

I like to use Seclists, “the security tester’s companion.” It’s a collection of wordlists you can use for various brute-force attacks.

One of them is particularly effective for SB fuzzing or brute-force. The file is dns-Jhaddix.txt.

I’ve used it in several CTFs with a high success rate.

For example:

wfuzz -c -H "Host: FUZZ.ctfdomain.platform" -u http://IP_MACHINE -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

Note that this does not query DNS at all: it fuzzes the Host header, so it finds name-based virtual hosts on the web server even when the box runs no DNS service, which is the common CTF setup. Every non-existent name gets the default site back, so run it once to note the size of that default response, then hide it (wfuzz’s --hh option hides responses by character count) so only the vhosts that answer differently remain.
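The same vhost brute-force written out in plain shell, as an added example that is not from the original post, so the baseline step that the wfuzz --hh filter performs is explicit. It assumes curl is installed; IP_MACHINE, ctfdomain.platform, the fake fetcher and its response sizes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): virtual-host brute force the
# way the wfuzz one-liner does it, with the baseline filter made explicit.
# IP_MACHINE, ctfdomain.platform and the fake fetcher below are assumptions.

# Real fetcher: body size the web server returns for a given Host header.
http_size() {
    host="$1"; ip="$2"
    curl -s -o /dev/null -w '%{size_download}' -H "Host: $host" "http://$ip/"
}

# vhost_fuzz DOMAIN IP WORDLIST [FETCHER]
# 1. measure the baseline: a Host nobody configured gets the default vhost
# 2. try every candidate and report only those whose response differs
vhost_fuzz() {
    domain="$1"; ip="$2"; wordlist="$3"; fetch="${4:-http_size}"
    baseline="$("$fetch" "nonexistent-$$.$domain" "$ip")"
    while IFS= read -r word; do
        if [ -z "$word" ]; then
            continue
        fi
        size="$("$fetch" "$word.$domain" "$ip")"
        if [ "$size" != "$baseline" ]; then
            printf '%s.%s %s\n' "$word" "$domain" "$size"
        fi
    done < "$wordlist"
}

# Offline stand-in for a CTF box (constructed): every unknown vhost gets the
# 1234-byte default page, dev.ctfdomain.platform gets a different one.
fake_fetch() {
    case "$1" in
        dev.ctfdomain.platform) echo 4321 ;;
        *) echo 1234 ;;
    esac
}

demo_vhost_fuzz() {
    tmp="$(mktemp)"
    printf 'www\ndev\nmail\n' > "$tmp"
    vhost_fuzz ctfdomain.platform 10.10.10.5 "$tmp" fake_fetch
    rm -f "$tmp"
}

# Against a live box (wfuzz does the same with --hh BASELINE_SIZE):
#   vhost_fuzz ctfdomain.platform IP_MACHINE /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
```

Comparing on body size is the cheap first cut; if a target pads or randomises its default page, compare the status code or a hash of the body instead, which is what wfuzz’s --hc and --hw filters are for.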

Add the SB in your hosts file

When you have found the SB, don’t forget to add it in your /etc/hosts file:

# /etc/hosts
IP  subdomain.ctfdomain.platform ctfdomain.platform

After that, you will be able to perform additional scans and, perhaps, navigate to the SB directly in the browser.
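An added example (not from the original post) that maintains the hosts entry for you: it merges each newly found name into the line for the machine’s IP instead of appending duplicate or conflicting lines by hand. HOSTS_FILE defaults to /etc/hosts and can be pointed at a scratch copy; all IPs and names below are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): merge newly found names into
# the hosts line for the machine's IP instead of hand-editing /etc/hosts
# and ending up with duplicate or conflicting lines.
# HOSTS_FILE defaults to /etc/hosts; set it to a scratch copy to experiment.
# All IPs and names below are assumptions.

# add_hosts IP NAME... : ensure every NAME appears on the line for IP
add_hosts() {
    ip="$1"; shift
    file="${HOSTS_FILE:-/etc/hosts}"
    # existing line for this IP, whitespace normalised ("$1 = $1" rebuilds it)
    current="$(awk -v ip="$ip" '$1 == ip { $1 = $1; print; exit }' "$file")"
    if [ -z "$current" ]; then
        printf '%s  %s\n' "$ip" "$*" >> "$file"
        return
    fi
    for name in "$@"; do
        case " $current " in
            *" $name "*) ;;                       # already mapped
            *) current="$current $name" ;;
        esac
    done
    tmp="$(mktemp)"
    # replace the first line for this IP, drop any other lines for it
    awk -v ip="$ip" -v line="$current" '
        $1 == ip && !seen { print line; seen = 1; next }
        $1 == ip { next }
        { print }' "$file" > "$tmp"
    # overwrite in place rather than mv: keeps the owner/mode of /etc/hosts
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# names_for IP : print the names currently mapped to IP
names_for() {
    awk -v ip="$1" '$1 == ip { $1 = ""; sub(/^ +/, ""); print; exit }' "${HOSTS_FILE:-/etc/hosts}"
}

# Offline walk-through on a scratch file (constructed for this example):
demo_add_hosts() {
    HOSTS_FILE="$(mktemp)"
    printf '127.0.0.1  localhost\n' > "$HOSTS_FILE"
    add_hosts 10.10.10.5 ctfdomain.platform
    add_hosts 10.10.10.5 dev.ctfdomain.platform ctfdomain.platform
    names_for 10.10.10.5
    rm -f "$HOSTS_FILE"
}

# Real use, as root:
#   add_hosts IP_MACHINE subdomain.ctfdomain.platform ctfdomain.platform
```

Keeping all names for one IP on a single line matters because the resolver takes the first match it finds; two lines for the same IP with different names is the classic way to end up with a vhost that “stopped working” halfway through a box.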

Wrap up

We saw a few resources that help enumerate SBs during CTFs. In my experience, it’s usually enough to get to the next step, but some authors like to make things harder.

In that case, try harder!
