
Enumerating subdomains using Burp Intruder

  • Last updated: January 19, 2022

  • Read time: 4 Minutes

Burp Intruder makes it possible to automate attacks against more than one target host. In this tutorial, we demonstrate how you can use this feature to discover additional attack surface by enumerating valid subdomains of a given target.

This technique can be repurposed in many ways (e.g. for automating a single attack against multiple sites), but is particularly useful when performing reconnaissance.

Note

Multi-host Intruder attacks were introduced into Burp Suite in version 2021.12. You may need to update Burp Suite to the latest version to access these features.

In this tutorial, you'll learn how to:

  • Configure a basic Sniper attack.
  • Use Burp Intruder to enumerate subdomains for a target host.
  • Spot potentially interesting items in Burp Intruder attack results.

For the purpose of this tutorial, pretend that we have been given a web application to perform security testing on. Any content we discover within this application is considered "in scope" (i.e. a valid target) for testing. As part of our reconnaissance phase, we therefore search for subdomains to perform testing on, using Burp Intruder.

Note

Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.

Step 1: Intercept a request

Open Burp's browser and access the following URL:

http://portswigger-labs.net/

The PortSwigger Labs homepage

In Burp Suite, go to the Proxy tab, and click the HTTP history sub-tab. Here you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.

Right-click the request you just made to http://portswigger-labs.net/, and click Send to Intruder.

Sending a request to Burp Intruder

Step 2: Configure Intruder insertion points

Open the Intruder tab. Note that your request is now displayed in this tab.

In the Target field, place your cursor between http:// and portswigger-labs.net. This is where a subdomain name would sit, if one were present.

Altering the Target field in Burp Intruder

Type any character. The character you choose is irrelevant - it is merely a placeholder for your insertion point.

Adding a character to the Target field in Burp Intruder

Select the character you just typed, and click the Add § button. This adds "§" symbols on both sides of your selected text.

Configuring an insertion point in Burp Intruder's target field

Anything between "§" symbols is configured as an insertion point - where Burp Intruder can add its payloads.

Step 3: Select the Intruder attack type

In this tutorial, we are using a single insertion point with a Sniper attack type to cause Intruder to cycle through a list of potential subdomain names. Note that "Sniper" is selected under Choose an attack type. Note also that some other Intruder attack types can use two or more insertion points.

Step 4: Add potential subdomains as Intruder payloads

For the purpose of this tutorial, we are using a list of payloads that comes with Burp Suite Professional. Bear in mind that experienced testers often curate their own lists for use in such situations.

Note

The Add from list ... feature is exclusive to Burp Suite Professional. If you wish to follow this tutorial using Burp Suite Community Edition, read Step 6 to find an interesting directory name - then add this name to the payload options field as shown in Step 4.

In the Intruder tab, click the Payloads sub-tab.

Under Payload Options [Simple list], click the Add from list ... drop-down. Select "Directories - short". This populates the payload options field with a list of 362 potential directory names.

Adding a list of directories to an Intruder attack in Burp Suite Professional

Step 5: Configure payload processing options

Next, we need to make Intruder add a "." character after each payload - to ensure that the URL syntax is correct when completed. To do this, under Payload Processing, click the Add button. Under the Select rule type drop-down, click "Add suffix", and in the Suffix: field, add a "." character. Click OK.

Adding payload processing in Burp Intruder

Click the Start attack button.

Step 6: Analyze attack results

Wait for your attack to finish running - this may take a moment.

Click the header of the Length column to sort the list of responses by length. Observe that where most requests have a length of 2937, the request where the subdomain staff. has been used has a length of 377. This indicates that the response to this request contains different content than the others in the list. Select the interesting request.

An interesting HTTP request found by a Burp Intruder attack

Click Response to view the response associated with the request. This shows you that the URL points to a login form of some kind.

An interesting HTTP response, shown in Burp Intruder

Open Burp's browser and access the URL you enumerated:

http://staff.portswigger-labs.net/

Observe that a login form is rendered.

A hidden login form shown in Burp's browser

It appears that we have discovered a hidden subdomain which has login functionality. This could be of great interest to a security tester.
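To make the mechanics of Steps 4 to 6 concrete, here is an added Python example (not code from the tutorial or from Burp Suite) that reproduces the two pieces of logic Intruder performs for us: building each candidate hostname from a payload plus the "." suffix rule, and picking out the responses whose length differs from the rest of the attack. The wordlist fragment and the result table are constructed for the example; the lengths 2937 and 377 are the figures quoted in Step 6. No requests are sent, so it runs offline.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed wordlist fragment, standing in for Burp's "Directories - short" list.
PAYLOADS = ["admin", "api", "dev", "staff", "test"]


def build_target_hosts(base_host: str, payloads, suffix: str = ".") -> list[str]:
    """Mirror a Sniper attack with the 'Add suffix' processing rule: each payload,
    followed by the suffix, is placed at the insertion point in front of the host."""
    return [f"{payload}{suffix}{base_host}" for payload in payloads]


@dataclass(frozen=True)
class Result:
    """One row of an Intruder results table (payload, status code, response length)."""
    payload: str
    status: int
    length: int


def find_outliers(results: list[Result]) -> list[Result]:
    """Return the rows whose response length differs from the most common length.

    This is the programmatic equivalent of sorting the Length column and looking
    for the odd ones out: the modal length is treated as the 'nothing here'
    baseline, and everything else is worth a closer look.
    """
    if not results:
        return []
    baseline = Counter(r.length for r in results).most_common(1)[0][0]
    return sorted((r for r in results if r.length != baseline), key=lambda r: r.length)


# Constructed results; most rows share the baseline length, one stands out.
SAMPLE_RESULTS = [
    Result("admin", 200, 2937),
    Result("api", 200, 2937),
    Result("dev", 200, 2937),
    Result("staff", 200, 377),
    Result("test", 200, 2937),
]

if __name__ == "__main__":
    for host in build_target_hosts("portswigger-labs.net", PAYLOADS):
        print(host)
    for row in find_outliers(SAMPLE_RESULTS):
        print(f"outlier: {row.payload} status={row.status} length={row.length}")
```

The length-based comparison is only a heuristic: a host that serves a default page for every subdomain will produce identical lengths and hide nothing, and a subdomain that happens to return a page of the same size as the baseline will be missed, so the status code and the response body are always worth checking alongside the length.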

Summary and next steps

Congratulations - now you know how to use Burp Intruder to enumerate subdomains for a host. This methodology can open up more attack surface for you to test - which can increase your chances of successfully compromising a test application.

For information on how you could use Burp Intruder to brute-force a login form like the one we found here, see the Authentication topic in the Web Security Academy - or check out our tutorial on brute-forcing login mechanisms with Burp Intruder.