by kpcyrd, medium read, 2021-08-17
Due to recent political events there’s an increased interest in Afghanistan’s websites. This is a tutorial on how to run sn0int on .gov.af to enumerate as many sites as possible for archival purposes.
We’re going to start sn0int in a new workspace that we call gov-af. This can be any name, it’s just a way to organize our data.
We’re then creating a gov.af domain object in sn0int so we can run investigations on it. This is technically not how the domain object is supposed to be used, because .gov.af is considered an eTLD (an effective top-level domain) and is listed on the “public suffix list”. The sn0int domain objects are supposed to be registerable domains, which usually means domains one label below an eTLD, like example.com, example.org or example.co.uk.
There’s a public log of issued certificates (kept for security reasons, so mis-issued certificates can be detected), and we can attempt to discover domains and subdomains from the certificates that have been recorded there. Instead of downloading a full copy of the log we’re using the API of crt.sh, a service that indexes the data. We need to install the module if we don’t already have it installed in sn0int. After installation we can run it on the target domain. This may take some time.
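To show what the module is doing with the crt.sh data, and why the eTLD point above matters, here is an added example (not code from the post or from sn0int) that parses a crt.sh JSON response, normalizes the names it contains, keeps only hosts inside the gov.af zone, and groups them by their registerable domain, i.e. the label directly below the public suffix. The field names (`name_value`, `common_name`, `id`) are the ones crt.sh returns for `?output=json`; the certificate entries themselves are constructed for the example, and `TARGET_SUFFIX` is the one hard-coded assumption.

```python
import json

# gov.af is a public suffix, so every "registerable domain" under it is
# exactly one label deeper (moi.gov.af, not gov.af itself).
TARGET_SUFFIX = "gov.af"

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.gov.af&output=json. Field names are real, values are
# invented. name_value is the newline-separated list of SAN entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.moi.gov.af",
     "name_value": "www.moi.gov.af\nmoi.gov.af"},
    {"id": 2, "common_name": "*.mof.gov.af",          # wildcard certificate
     "name_value": "*.mof.gov.af\nmof.gov.af"},
    {"id": 3, "common_name": "MAIL.MOFA.GOV.AF",      # mixed case in the log
     "name_value": "MAIL.MOFA.GOV.AF"},
    {"id": 4, "common_name": "gov.af.example.net",    # lookalike, must be rejected
     "name_value": "gov.af.example.net"},
    {"id": 5, "common_name": "www.moi.gov.af",        # re-issued cert, duplicate host
     "name_value": "www.moi.gov.af"},
])


def normalize_name(name):
    """Lowercase, drop a trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_zone(name, suffix):
    """True if name is suffix itself or a proper subdomain of it.

    The dot is required so that 'gov.af.example.net' or 'notgov.af' never match.
    """
    return name == suffix or name.endswith("." + suffix)


def extract_hostnames(raw_json, suffix=TARGET_SUFFIX):
    """Return the sorted, de-duplicated hosts below `suffix` found in crt.sh output."""
    hosts = set()
    for entry in json.loads(raw_json):
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize_name(raw)
            if host and in_zone(host, suffix) and host != suffix:
                hosts.add(host)
    return sorted(hosts)


def registerable_domain(host, suffix=TARGET_SUFFIX):
    """Public-suffix rule: the registerable domain is the suffix plus one label.

    Returns None for hosts outside the zone and for the suffix itself, which
    is why gov.af is not a proper sn0int domain object.
    """
    if not in_zone(host, suffix) or host == suffix:
        return None
    below_suffix = host[: -len(suffix) - 1]
    return below_suffix.split(".")[-1] + "." + suffix


def group_by_domain(hosts, suffix=TARGET_SUFFIX):
    """Map each registerable domain to the hosts discovered under it."""
    grouped = {}
    for host in hosts:
        grouped.setdefault(registerable_domain(host, suffix), []).append(host)
    return grouped


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CRTSH_JSON)
    for domain, names in sorted(group_by_domain(found).items()):
        print(domain, "->", ", ".join(names))
```

Note that certificate transparency is a passive source: it only lists hosts that were ever issued a publicly trusted certificate, and a wildcard entry such as `*.mof.gov.af` tells you the zone exists without naming any host below it, so the results are a lower bound on what is actually deployed.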