Enumerating subdomains using Burp Intruder
Last updated: January 19, 2022
Read time: 4 Minutes
Burp Intruder makes it possible to automate attacks against more than one target host. In this tutorial, we demonstrate how you can use this feature to discover additional attack surface by enumerating valid subdomains of a given target.
This technique can be repurposed in many ways (e.g. for automating a single attack against multiple sites), but is particularly useful when performing reconnaissance.
Multi-host Intruder attacks were introduced into Burp Suite in version 2021.12. You may need to update Burp Suite to the latest version to access these features.
In this tutorial, you'll learn how to:
- Configure a basic Sniper attack.
- Use Burp Intruder to enumerate subdomains for a target host.
- Spot potentially interesting items in Burp Intruder attack results.
For the purpose of this tutorial, pretend that we have been given a web application to perform security testing on. Any content we discover within this application is considered "in scope" (i.e. a valid target) for testing. As part of our reconnaissance phase, we therefore search for subdomains to perform testing on, using Burp Intruder.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Step 1: Intercept a request
Open Burp's browser and access the following URL:
In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Here you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.
Right-click the request you just made to http://portswigger-labs.net/, and click Send to Intruder.
Step 2: Configure Intruder insertion points
Open the Intruder tab. Note that your request is now displayed in this tab.
In the Target field, place your cursor between http:// and portswigger-labs.net. This is where a subdomain name would sit, if one was present.
Type any character. The character you choose is irrelevant - it is merely a placeholder for your insertion point.
Select the character you just typed, and click the Add § button. This adds "§" symbols on both sides of your selected text.
Anything between "§" symbols is configured as an insertion point - the position where Burp Intruder substitutes each of its payloads.
Step 3: Select the Intruder attack type
In this tutorial, we are using a single insertion point with a Sniper attack type to cause Intruder to cycle through a list of potential subdomain names. Note that "Sniper" is selected under Choose an attack type. Note also that some other Intruder attack types can use two or more insertion points.
Step 4: Add potential subdomains as Intruder payloads
For the purpose of this tutorial, we are using a list of payloads that comes with Burp Suite Professional. Bear in mind that experienced testers often curate their own lists for use in such situations.
The Add from list ... feature is exclusive to Burp Suite Professional. If you wish to follow this tutorial using Burp Suite Community Edition, read Step 6 to find an interesting directory name - then add this name to the payload options field as shown in Step 4.
In the Intruder tab, click the Payloads sub-tab.
Under Payload Options [Simple list], click the Add from list ... drop down. Select "Directories - short". This populates the payload options field with a list of 362 potential directory names.
Step 5: Configure payload processing options
Next, we need to make Intruder add a "." character after each payload - to ensure that the URL syntax is correct when completed. To do this, under Payload Processing, click the Add button. Under the Select rule type drop down, click "Add suffix", and in the Suffix: field, add a "." character. Click OK.
Click the Start attack button.
Step 6: Analyze attack results
Wait for your attack to finish running - this may take a moment.
Click the header of the Length column to sort the list of responses by length. Observe that where most requests have a length of 2937, the request where the subdomain staff. has been used has a length of 377. This indicates that the response to this request contains different content than the others in the list. Select the interesting request.
Click Response to view the response associated with the request. This shows you that the URL points to a login form of some kind.
Open Burp's browser and access the URL you enumerated:
Observe that a login form is rendered.
It appears that we have discovered a hidden subdomain which has login functionality. This could be of great interest to a security tester.
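The length-sorting heuristic from Step 6 can be applied programmatically to a saved Intruder results table. The following is an added example, not part of this tutorial or of Burp Suite: it assumes a constructed CSV export with payload, status and length columns (the sample rows below are made up, with the 2937/377 lengths from the walkthrough), takes the most common response length as the "nothing here" baseline, and reports any payload whose response length differs by more than a chosen tolerance.

```python
import csv
import io
from collections import Counter

# Constructed sample of Intruder attack results (not a real Burp export).
# The 2937 and 377 lengths mirror the values observed in Step 6.
SAMPLE_RESULTS = """payload,status,length
admin.,200,2937
api.,200,2937
staff.,200,377
static.,200,2937
test.,200,2937
"""

BASE_DOMAIN = "portswigger-labs.net"


def parse_results(text):
    """Parse a CSV results table into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "payload": row["payload"],
            "status": int(row["status"]),
            "length": int(row["length"]),
        })
    return rows


def baseline_length(rows):
    """The most frequent response length is the catch-all/default response."""
    return Counter(r["length"] for r in rows).most_common(1)[0][0]


def find_outliers(rows, tolerance=0):
    """Return rows whose length deviates from the baseline by more than tolerance bytes."""
    base = baseline_length(rows)
    return [r for r in rows if abs(r["length"] - base) > tolerance]


def candidate_hosts(rows, base_domain=BASE_DOMAIN):
    """Rebuild the hostnames that produced a differing response (payloads carry the '.' suffix)."""
    return [f"{r['payload']}{base_domain}" for r in find_outliers(rows)]


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    print("baseline length:", baseline_length(results))
    print("hosts worth reviewing:", candidate_hosts(results))
```

Raising the tolerance (for example to a few dozen bytes) suppresses responses that only differ by a timestamp or a reflected hostname.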
Summary and next steps
Congratulations - now you know how to use Burp Intruder to enumerate subdomains for a host. This methodology can open up more attack surface for you to test - which can increase your chances of successfully compromising a test application.
For information on how you could use Burp Intruder to brute-force a login form like the one we found here, see the Authentication topic in the Web Security Academy - or check out our tutorial on brute-forcing login mechanisms with Burp Intruder.