Enumerating subdomains using Burp Intruder
Last updated: July 1, 2022
Burp Intruder makes it possible to automate attacks against more than one target host. In this tutorial, we demonstrate how you can use this feature to discover additional attack surface by enumerating valid subdomains of a given target.
This technique can be repurposed in many ways (e.g. for automating a single attack against multiple sites), but is particularly useful when performing reconnaissance.
Note
Multi-host Intruder attacks were introduced into Burp Suite in version 2021.12. You may need to update Burp Suite to the latest version to access these features.
In this tutorial, you'll learn how to:
- Configure a basic Sniper attack.
- Use Burp Intruder to enumerate subdomains for a target host.
- Spot potentially interesting items in Burp Intruder attack results.
For the purpose of this tutorial, pretend that we have been given a web application to perform security testing on. Any content we discover within this application is considered "in scope" (i.e. a valid target) for testing. As part of our reconnaissance phase, we therefore search for subdomains to perform testing on, using Burp Intruder.
Note
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Step 1: Intercept a request
Open Burp's browser and access the following URL:
http://portswigger-labs.net/

In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Here you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.
Right-click the request you just made to http://portswigger-labs.net/, and click Send to Intruder.

Step 2: Configure Intruder insertion points
Open the Intruder tab, where your request is now displayed.
In the Target field, add a placeholder subdomain.

Select the placeholder subdomain and click the Add § button to mark it as a payload position.

Step 3: Select the Intruder attack type
In this tutorial, we are using a single insertion point with a Sniper attack type to cause Intruder to cycle through a list of potential subdomain names. Note that "Sniper" is selected under Choose an attack type. Note also that some other Intruder attack types can use two or more insertion points.
Step 4: Add potential subdomains as Intruder payloads
For the purpose of this tutorial, we are using a list of payloads that comes with Burp Suite Professional. Bear in mind that experienced testers often curate their own lists for use in such situations.
Note
The Add from list ... feature is exclusive to Burp Suite Professional. If you wish to follow this tutorial using Burp Suite Community Edition, read Step 5 to find an interesting directory name - then add this name to the payload options field as shown in Step 4.
In the Intruder tab, click the Payloads sub-tab.
Under Payload Options [Simple list], click the Add from list ... drop-down. Select "Directories - short". This populates the payload options field with a list of 362 potential directory names, which Intruder will try in turn as candidate subdomain names.

Step 5: Analyze attack results
Click the Start attack button and wait for your attack to finish running - this may take a moment.
Click the header of the Length column to sort the list of responses by length. Observe that where most responses have a length of 2937, the response to the request that used the subdomain staff has a length of 353. This indicates that the response to this request contains different content than the others in the list. Select the interesting request.

Click Response to view the response associated with the request. This shows you that the URL points to a login form of some kind.

Open Burp's browser and access the URL you enumerated:
http://staff.portswigger-labs.net/
Observe that a login form is rendered.

It appears that we have discovered a hidden subdomain which has login functionality. This could be of great interest to a security tester.
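The comparison made in Step 5, as an added example that is not part of the original tutorial or of Burp Suite: a Python function that takes a results table, treats the most common status and length as the baseline response, and lists the rows that differ from it. The CSV layout, the column names, the tolerance parameter and every sample row other than the staff entry and the 2937 and 353 lengths are assumptions constructed for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample: rows shaped like an Intruder results table
# (payload, HTTP status, response length). The column names and CSV
# layout are assumptions for this example, not a Burp export format.
SAMPLE_RESULTS = """payload,status,length
admin,200,2937
api,200,2937
backup,200,2937
dev,200,2941
staff,200,353
test,200,2937
www,200,2937
"""


def find_outliers(csv_text, tolerance=16):
    """Return (baseline, rows whose status or length departs from it).

    The baseline is the most common (status, length) pair, i.e. the
    default response the server gives for names that do not exist.
    `tolerance` absorbs small length jitter, for example when the
    response echoes the requested host name.
    """
    rows = [
        {"payload": r["payload"], "status": int(r["status"]), "length": int(r["length"])}
        for r in csv.DictReader(io.StringIO(csv_text))
    ]
    if not rows:
        return None, []
    baseline = Counter((r["status"], r["length"]) for r in rows).most_common(1)[0][0]
    base_status, base_length = baseline
    outliers = [
        r for r in rows
        if r["status"] != base_status or abs(r["length"] - base_length) > tolerance
    ]
    # Largest deviation first, mirroring a sort on the Length column.
    outliers.sort(key=lambda r: abs(r["length"] - base_length), reverse=True)
    return baseline, outliers


if __name__ == "__main__":
    baseline, outliers = find_outliers(SAMPLE_RESULTS)
    print("baseline (status, length):", baseline)
    for row in outliers:
        print("review:", row)
```

A tolerance of 0 reproduces a strict sort on the Length column; a small non-zero value keeps responses that differ only by a few bytes from being flagged.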
Summary and next steps
Congratulations - now you know how to use Burp Intruder to enumerate subdomains for a host. This methodology can open up more attack surface for you to test - which can increase your chances of successfully compromising a test application.
For information on how you could use Burp Intruder to brute-force a login form like the one we found here, see the Authentication topic in the Web Security Academy - or check out our tutorial on brute-forcing login mechanisms with Burp Intruder.