Posted on April 24th, 2018
I have stressed the importance of searching subdomains for several years. Online services for this come and go, and application-based solutions such as Knock and SubBrute have varying levels of success. One of the more robust options is the website FindSubDomains.com. The following example should help explain the power of this free service.
After the recent Southwest flight emergency landing, I was seeking any hidden pages at the southwest.com domain that could reveal additional information about the company. I was not expecting to find anything related to the incident, but grew curious about what content might be behind the curtain of the standard website, which allows for flight searching. I navigated to FindSubDomains.com and entered southwest.com as the domain. The direct URL for this is as follows.
I was presented with almost 200 subdomains for southwest.com, a portion of which appear below.
These results include hyperlinks to the subdomains, the IP addresses of the servers hosting the content, and the country of origin. I found the following subdomains of interest, each with a brief summary of the intelligence gleaned from the find.
luv.southwest.com forwards to the permission policy of the Responsys marketing company at https://policy2.responsys.net/permission.htm. I can now assume that Southwest sends marketing communications (spam) through this company.
wbmd.southwest.com presents an option for opting-out of Southwest’s advertisement cookie placement. I don’t know how effective that would be, but interesting that they have the option.
mbp.southwest.com possesses little information, but confirms that Southwest uses the NCR ticketing platform API for their passenger ticketing solution. This would be beneficial to an internal social engineering test.
investors.southwest.com forwards to Southwest’s investor portal, identifying an annual operating income of $3.5B.
bagclaim.southwest.com allows for search of lost baggage tickets if you know the last name and an incident number.
mobile.qa1.southwest.com and mobile.qa5.southwest.com offer a mobile test site of a previous app build, but it appears to connect to live data. When southwest.com is slow due to demand during a snow storm, I know where I will try.
I then started hitting a lot of subdomains that returned "Access Denied" without a prompt for credentials. Those would be very interesting targets during an internal audit.
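The findings above are really one triage routine applied by hand to each hit: does the host forward off-domain to a vendor, does its name mark a test or QA environment, does it answer "Access Denied" without ever asking for credentials? The script below, added here as an example and not part of the original post or of FindSubDomains.com, encodes those same checks so they can be run over a whole enumerated list. The hostnames and HTTP responses in it are constructed under example.com for illustration; the non-production name pattern and the two-label "registered domain" reduction are my own heuristics, and only the optional probe() function touches the network.

```python
"""Triage of an enumerated subdomain list.

Added example (not from the original post or FindSubDomains.com). It encodes the
checks the post applies by hand to each hit: off-domain forwards to third parties,
non-production hostnames (qa1, qa5, dev, staging), and 'Access Denied' answers that
arrive without a credential prompt. Hostnames and HTTP responses below are
constructed for illustration; only probe() touches the network.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Labels that usually mark a non-production environment (assumption: a heuristic, not a rule).
NON_PROD = re.compile(r"(^|\.)(qa|dev|test|stag(?:e|ing)|uat|sandbox)\d*\.", re.I)
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Finding:
    host: str
    status: int
    category: str
    flags: list = field(default_factory=list)


def registered_domain(host: str) -> str:
    """Crude registrable-domain reduction (last two labels). Fine for a first pass;
    a public-suffix list is needed to get ccTLDs such as co.uk right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(host: str, status: int, headers: dict) -> Finding:
    """Classify one unauthenticated GET result the way the post reasons about it."""
    hdr = {k.lower(): v for k, v in headers.items()}
    flags = []
    if NON_PROD.search(host):
        flags.append("non-production")  # e.g. mobile.qa1.*: a test build, possibly on live data

    if status in REDIRECTS and "location" in hdr:
        target = urlsplit(hdr["location"]).hostname or host
        if registered_domain(target) != registered_domain(host):
            category = "third-party-forward"  # reveals which vendor handles the function
            flags.append(f"to:{target}")
        else:
            category = "same-domain-redirect"
    elif status == 401 and "www-authenticate" in hdr:
        category = "credential-prompt"        # a login surface that at least asks
    elif status in (401, 403):
        category = "denied-no-prompt"         # the 'Access Denied' case from the post
    elif status == 404:
        category = "no-content"
    elif 200 <= status < 300:
        category = "content"
    else:
        category = f"other-{status}"
    return Finding(host, status, category, flags)


# Report ordering: the hosts worth a second look float to the top.
PRIORITY = ["denied-no-prompt", "third-party-forward", "credential-prompt",
            "content", "same-domain-redirect", "no-content"]


def rank(findings):
    def key(f):
        cat = PRIORITY.index(f.category) if f.category in PRIORITY else len(PRIORITY)
        return (0 if "non-production" in f.flags else 1, cat, f.host)
    return sorted(findings, key=key)


def probe(host: str, timeout: float = 5.0) -> Finding:
    """Live probe (not exercised by the sample): GET https://host/ without following
    redirects, so the Location header itself becomes evidence."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"https://{host}/",
                                 headers={"User-Agent": "subdomain-triage/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return triage(host, resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return triage(host, err.code, dict(err.headers))


# Constructed responses standing in for what probing an enumerated list would return.
SAMPLE = [
    ("luv.example.com", 302, {"Location": "https://mail.vendor-example.net/permission.htm"}),
    ("mobile.qa1.example.com", 200, {"Content-Type": "text/html"}),
    ("intranet.example.com", 403, {"Content-Type": "text/html"}),
    ("admin.example.com", 401, {"WWW-Authenticate": 'Basic realm="admin"'}),
    ("www.example.com", 301, {"Location": "https://www.example.com/home"}),
]


def report(rows=SAMPLE):
    return rank([triage(h, s, hd) for h, s, hd in rows])


if __name__ == "__main__":
    for f in report():
        print(f"{f.category:22} {f.status} {f.host} {' '.join(f.flags)}")
```

To run it against a real enumeration, feed the hostnames from the subdomain listing into probe() and pass the resulting Finding objects to rank(); the 403-without-prompt hosts and the QA/dev names come out at the top of the report, which is exactly the order in which they deserve attention during an audit.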
Nothing here is super sensitive or interesting, but it shows that there are almost always valuable details that are not visible on the main landing page. I think subdomains should be a mandatory step during any research into a domain name.