Hunting Subdomains at DEF CON 31
Regular attendees of the annual DEF CON hack-xtravaganza in Las Vegas will know that one of the popular categories of activity there is the various competitions. There are many different themes and variations, testing a wide variety of hacking, open source intelligence (OSINT), electronics, and other skills. Some competitions or Capture the Flags (CTFs) are designed basically for bragging rights and fabulous prizes (or sometimes just bragging rights); others aim to educate participants along the way, and some have altruistic objectives, such as helping solve actual missing persons cases. This year, as you would imagine, Generative AI featured heavily in just about every facet of DEF CON including the contests; and there was even a CTF to hack an orbiting satellite—the first CTF in space, according to organizers.
A contingent from DomainTools decided to tackle a more down-to-earth competition. When we saw the Recon-Aacharya Challenge to find subdomains, we couldn’t resist—this is the stuff we eat, sleep, and breathe around here! This contest was part of Recon Village (“An Open Space with Talks, Live Demos, Workshops, Discussions, and CTFs with a common focus on Reconnaissance.”), which makes sense, since enumerating infrastructure such as subdomains is a common form of both red and blue team reconnaissance. Other Recon Village items of note this year included a Jeopardy-style open source intelligence (OSINT) CTF with challenges around harvesting information and credentials from target organizations, finding password dumps, etc.; and there were also a variety of fascinating talks and live demos.
A quick aside for readers less familiar with the objective of the subdomain challenge: the subdomains (e.g. subdomain.example.com) associated with registered domains represent an important component of infrastructure for both legitimate and malicious enterprises. In fact, they are a space where malicious and legitimate sometimes cross over, since many malicious actors have stood up rogue subdomains under legitimate victim domains. Once you own (or pwn) a registered domain’s DNS server(s), there’s no real limit on the number or variety of subdomains you can populate it with. Red teams and malicious actors use subdomain enumeration to explore and possibly exploit areas of an enterprise’s holdings that may be obscure or less well-protected. Defenders use the technique to map their own attack surface, and to enumerate malicious infrastructure in order to defend against it or to gain intelligence about threat actors. So this CTF was definitely rooted in an activity that has value for hackers of any color of hat.
We didn’t go into it cocky. There are a lot of outstanding hackers out there and, while we are genuine believers in DomainTools data as the best there is, we also know that this is a big world with a lot of resources in it—not to mention the fact that some of the competing teams could also be using DomainTools data, for all we knew! And while no one on our team had stats at our fingertips to help us guesstimate how many subdomains might exist for the list of registered domains in the contest, we knew the number would not be small. We planned on having tough competition and knew it would take a good, well-planned effort to make a strong showing. We had high hopes but kept our expectations in check.
Methodology
The rules were essentially this: all teams were given the same list of about 15,000 registered domains. The challenge was to identify all currently-resolving (as of judging time) subdomains on those domains. Teams would receive one point for each valid subdomain, and lose one point for each invalid one (unless they submitted more than 5,000 invalid subdomains, which would disqualify the team). Wildcard subdomains were not allowed. Teams had a little under two days to complete their work and upload text files of their subdomains to a repository provided by the contest sponsor.
This was the first or second DEF CON for most of our team, which was composed of DomainTools employees Dan Nunes, Sean McNee, Steven Hallman, Daniel Schwalbe, and your correspondent, as well as DomainTools alumnus Dan Fernandez. We wanted to use our data the same way any of our customers would, so we excluded our insider corporate resources as well as third-party sources of data we have access to internally. Armed only with personal public cloud accounts, an unlimited DNSDB API key, and the “burner”-quality hardware we brought to DEF CON, we set out to complete the challenge.
While most of our team members are quite technical, none of us is a developer, so we relied on third-party libraries to help us out. The subfinder open source tool was key—it took care of the heavy lifting of querying DNSDB and checking for wildcard subdomains. That said, we did have to make a few modifications to meet our needs: we time-fenced the passive DNS results to the past 365 days for performance. (We’ll be submitting a PR to the subfinder team to add some DNSDB-related enhancements as soon as one of our developers has taken a pass at it.) Since the contest objective requires active DNS resolution, subfinder conveniently took care of that too, but it was clear that our local network capabilities would not have been sufficient to complete the challenge in time. (If you haven’t been to DEF CON before, take it from us: even at Vegas scale, putting some 30,000 tech-curious folks in a relatively small area is going to cause some network congestion.) As tempting as it was to use our corporate DNS collection capabilities, we resisted that urge and stuck with personal AWS accounts. We sharded the data and leveraged terraform to complete a run of the given domains in about 2 hours, using a network with much better bandwidth than at the village itself.
Since DNS isn’t guaranteed (remember: UDP!), and we did occasionally run into rate limits, we performed several runs of our scripts and de-duplicated the aggregated data. All in all, we identified 4.1 million active subdomains across the 14,917 registered domains, and submitted our results with fingers crossed.
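The pipeline this section describes (365-day time fence on passive DNS, scope and wildcard filtering, several resolution runs unioned to survive dropped UDP answers), as an added example that is not the team’s code: the records and resolver are constructed stand-ins for DNSDB output and subfinder’s live lookups, and the contest date and the `example.com`/`wild.test` zones are assumptions.

```python
"""Added example: candidate pipeline on constructed passive-DNS data and a stand-in resolver."""
import random
import string
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 8, 11, tzinfo=timezone.utc)            # assumed contest date
CUTOFF = NOW - timedelta(days=365)                           # the 365-day fence used in the run

# Constructed records shaped like DNSDB output (rrname keeps its trailing dot)
PDNS_RECORDS = [
    {"rrname": "www.example.com.", "rrtype": "A",     "time_last": 1691000000},
    {"rrname": "API.example.com.", "rrtype": "CNAME", "time_last": 1690000000},
    {"rrname": "old.example.com.", "rrtype": "A",     "time_last": 1600000000},  # stale (2020)
    {"rrname": "*.example.com.",   "rrtype": "A",     "time_last": 1691000000},  # wildcard label
    {"rrname": "mail.other.test.", "rrtype": "A",     "time_last": 1691000000},  # not in scope
    {"rrname": "app.wild.test.",   "rrtype": "A",     "time_last": 1691000000},  # under a wildcard zone
]
# Constructed authoritative data for the stand-in resolver (assumed zones)
ZONE = {"www.example.com": "203.0.113.10", "api.example.com": "203.0.113.11"}
WILDCARD_ZONES = {"wild.test": "198.51.100.7"}                # every label under wild.test answers

def candidates(records, scope, cutoff=CUTOFF):
    """Keep recent, lower-cased, non-wildcard names strictly below a scoped domain."""
    out = set()
    for r in records:
        if datetime.fromtimestamp(r["time_last"], timezone.utc) < cutoff:
            continue                                         # outside the 365-day fence
        name = r["rrname"].rstrip(".").lower()
        if not name.startswith("*.") and any(name.endswith("." + d) for d in scope):
            out.add(name)
    return out

def resolve(name, flaky=frozenset()):
    """Return the A record or None; names in `flaky` time out this run (UDP loss, rate limit)."""
    if name in flaky:
        return None
    parent = name.split(".", 1)[1]
    return ZONE.get(name) or WILDCARD_ZONES.get(parent)

def has_wildcard(parent, rounds=2):
    """Probe random labels under `parent`; a zone that answers them all is wildcarded."""
    return all(resolve("".join(random.choices(string.ascii_lowercase, k=12)) + "." + parent)
               for _ in range(rounds))

def resolved_union(names, runs):
    """Union the names that resolved in any run, then drop names living under wildcard zones."""
    live = set()
    for flaky in runs:                                       # one entry per resolution run
        live |= {n for n in names if resolve(n, flaky)}
    return {n for n in live if not has_wildcard(n.split(".", 1)[1])}
```

Each element of `runs` is the set of names that failed in that run, so a name that times out once but answers later is still kept, while `app.wild.test` is dropped because its parent answers random probes.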
How’d we do?
Once we made our submission, we weren’t sure what to expect. Was 4.1 million a good number? A good enough number to win or at least place strongly? We felt that our methodology was sound, but what if there was something we hadn’t thought of that could have put us at a disadvantage? And, of course, we knew nothing about our competitors. Per the contest rules, we were allowed to make a partial submission to see if we were on the right track, and the results looked good. But as Yogi Berra said, “it ain’t over ‘til it’s over.”
On Sunday (closing day of DEF CON), we found out: we won! While the prize—a PlayStation 5—will have a place of honor in the DomainTools office, for us the real win was in working together on an interesting project whose larger implications are deeply meaningful to us: providing defenders with resources they need to help them fight bad actors. We are grateful to the organizers of the contest for sponsoring an activity that helped participants hone a valuable set of skills. And we’re energized for DEF CON 32!