Discovering a domain's subdomains is a vital element of reconnaissance, for attackers and defenders alike, and the web tools covered in this article make the process easier.
An unprotected or forgotten subdomain poses a significant risk to your business, and there have been security incidents in which attackers exploited vulnerable subdomains. One notable case was Vine, whose entire source code could be downloaded from a vulnerable subdomain.
13 Tools to Find Subdomains of a Domain in Minutes
If you are the owner of a website or a security researcher, you can use the following tools to locate the subdomains of any domain.
1. Subdomains Lookup Tools
WhoisXML API's Subdomains Lookup tools let users discover a domain's subdomains easily. The product line is backed by a database of over 2.3 billion subdomain records, with over 1 million subdomains added every day.
The tools let you research any target domain name and list every subdomain discovered for it, together with timestamps indicating when a record was first observed and when it was last updated.
The product range consists of:
- An API with XML and JSON output formats for simple integration
- A data feed of files in a standardized, consistent CSV format, updated daily and weekly; a CSV sample is available for testing the data in your environment
- A GUI-based search utility that generates reports with shareable links
2. DNS Dumpster
DNSDumpster is a tool for discovering hosts related to a domain. It is a project by HackerTarget.com. Besides subdomains, it reports the DNS servers, MX records, TXT records, and a map of the domain.
3. NMMAPPER
NMMAPPER is a web-based tool for finding subdomains that runs Anubis, Amass, DNScan, Sublist3r, Lepus, and Censys, among others, behind the scenes.
A test against one domain returned accurate results. Try it out as part of your research.
4. Sublist3r
Sublist3r is a Python tool that locates subdomains by querying search engines and passive data sources. Currently Google, Yahoo, Bing, Baidu, Ask, Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and PassiveDNS are supported. Sublist3r runs on Python 2.7 or Python 3 and has few library dependencies (they are listed in the repository's requirements.txt). It works on Windows, CentOS, Red Hat, Ubuntu, Debian, and other UNIX-based operating systems. The example below is from CentOS/Linux.
- Log in to the Linux server
- Download the latest Sublist3r
wget https://github.com/aboul3la/Sublist3r/archive/master.zip
- Extract the downloaded file.
- It will create a new folder named "Sublist3r-master"; change into it.
As noted above, it requires a few dependencies, which can be installed with the yum command (or with pip from the requirements.txt in the extracted folder).
yum install python-requests python-argparse
- Now you are ready to discover subdomains with the command below (invoking the interpreter explicitly works even if the script is not marked executable).
python sublist3r.py -d yourdomain.com
Evidently, it did identify my subdomains.
5. Netcraft
Netcraft holds a huge database of domains, which should not be overlooked when searching for public subdomain data. The search results list all matching domains and subdomains with first-seen date, netblock, and operating system details.
If you need more information about a site, click Site Report and you will be presented with a wealth of data on technologies, rankings, and more.
6. CloudPiercer
CloudPiercer is useful for checking whether a subdomain or DNS record of your domain leaks the origin IP of a site that sits behind a cloud-based DDoS protection service. It is a simple way to find out whether your origin IP is exposed. An exposed origin lets attackers bypass the protection layer and aim DDoS attacks directly at your server.
7. Detectify
Detectify can scan a domain against hundreds of predefined terms, but it only does so for domains whose ownership you have verified, so it is not suitable for domains you do not own. Once a domain is verified, you can enable subdomain discovery in the settings section of the overview.
8. SubBrute
SubBrute is one of the most popular and precise subdomain discovery tools. It does not send traffic to the target domain's name servers; it is a community-driven project that uses open resolvers as a proxy instead.
This is not an online tool; it must be downloaded and installed on your computer. Windows and UNIX-based operating systems are supported, and installation is simple. The demonstration that follows is based on CentOS/Linux.
- Log in to your CentOS/Linux server
- Download the latest SubBrute
wget https://github.com/TheRook/subbrute/archive/master.zip
- Unzip the downloaded file
- It will create a new folder named "subbrute-master". Enter the directory and run subbrute.py with the target domain as its argument.
It will take a few moments and return every subdomain it finds.
9. Knock
Knock is another Python-based subdomain finder, tested with Python 2.7.6. It determines the subdomains of a target domain by trying names from a wordlist.
- It can be downloaded and installed on a Linux-based OS.
wget https://github.com/guelfoweb/knock/archive/knock3.zip
- Unzip the downloaded file with the unzip command.
It will extract the archive and create a folder named "knock-knock3".
- Enter this folder and run the following command to install.
python setup.py install
- Once installed, you can run it against a target domain.
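The wordlist tools above (Knock, SubBrute) and the search-engine based ones (Sublist3r) rely on two ideas that are easy to get wrong when you script them yourself: keeping only names that are really inside the target domain, and detecting wildcard DNS records that make every guessed name look alive. The block below is an added example that ties both together; it is not code from Knock, SubBrute, Sublist3r or any other tool on this page. It assumes a crt.sh-style JSON shape for passive input (a list of objects with a newline-separated `name_value` field), and the certificate data, wordlist and zone are constructed sample data using documentation addresses, so it runs offline; `system_resolver` is the only part that touches the network.

```python
"""Subdomain enumeration: passive candidates from certificate-transparency data,
wordlist candidates, scope filtering and wildcard detection (added example)."""
import json
import re
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to an IPv4 string, or None when it does not
# resolve. Injectable so the logic can be exercised offline with a fake zone.
Resolver = Callable[[str], Optional[str]]
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def system_resolver(host: str) -> Optional[str]:
    """Resolve via the OS stub resolver; None on NXDOMAIN or any lookup error."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def normalize(name: str, domain: str) -> Optional[str]:
    """Lowercase, strip a trailing dot and a leading '*.' (wildcard SANs are
    common in certificate data), reject malformed labels, and reject names
    that only contain the domain as a substring, e.g. example.com.evil.net."""
    name = name.strip().lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if name != domain and not name.endswith("." + domain):
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def parse_ct_json(text: str, domain: str) -> Set[str]:
    """In-scope hostnames from crt.sh-style output (assumed shape: list of
    objects whose 'name_value' holds newline-separated SANs)."""
    found: Set[str] = set()
    for entry in json.loads(text):
        for raw in entry.get("name_value", "").splitlines():
            host = normalize(raw, domain)
            if host:
                found.add(host)
    return found


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels under the domain; any answer is a wildcard address.
    Caveat: a real host that shares the wildcard address gets filtered too."""
    answers = (resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes))
    return {ip for ip in answers if ip}


def enumerate_subdomains(domain: str, words: Iterable[str], ct_text: str,
                         resolve: Resolver) -> Dict[str, str]:
    """Merge passive and wordlist candidates, resolve them, drop wildcard hits."""
    candidates = parse_ct_json(ct_text, domain)
    for word in words:
        host = normalize(f"{word}.{domain}", domain)
        if host:
            candidates.add(host)
    candidates.discard(domain.lower().rstrip("."))  # the apex is not a subdomain
    wildcard_ips = detect_wildcard(domain, resolve)
    results: Dict[str, str] = {}
    for host in sorted(candidates):
        ip = resolve(host)
        if ip and ip not in wildcard_ips:
            results[host] = ip
    return results


# Constructed sample data (assumed shapes; RFC 5737 documentation addresses).
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nmail.example.com"},
    {"name_value": "*.dev.example.com"},            # wildcard SAN
    {"name_value": "EXAMPLE.com.\napi.example.com"},  # apex, mixed case, trailing dot
    {"name_value": "example.com.evil.net"},         # out of scope
])
SAMPLE_WORDS = ["www", "admin", "dev", "staging", "vpn", "bad_label"]
FAKE_ZONE = {  # '*' stands in for a wildcard A record
    "www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.20",
    "api.example.com": "192.0.2.30", "dev.example.com": "192.0.2.40",
    "staging.example.com": "192.0.2.50", "*": "192.0.2.99",
}


def make_fake_resolver(zone: Dict[str, str]) -> Resolver:
    """Offline resolver over a dict; unknown names get the wildcard answer, if any."""
    return lambda host: zone.get(host) or zone.get("*")


if __name__ == "__main__":
    fake = make_fake_resolver(FAKE_ZONE)
    for host, ip in enumerate_subdomains("example.com", SAMPLE_WORDS, SAMPLE_CT_JSON, fake).items():
        print(f"{host:24} {ip}")
    # Against a domain you own, pass system_resolver instead of the fake one.
```

With the sample zone, `admin` and `vpn` resolve only because of the wildcard record and are dropped, `bad_label` is rejected before any lookup, and `example.com.evil.net` never enters scope. The wildcard check is the part most quick scripts skip; without it a wildcard zone returns the whole wordlist as "found".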
10. DNSRecon on Kali Linux
Kali Linux is an excellent operating system for security researchers, and DNSRecon ships with Kali, so no installation is needed. It checks all NS records for zone transfers, enumerates the general DNS records, tests for wildcard resolution, looks up PTR records, and more. Run it against the target domain and you are done.
11. Pentest-tools
Pentest-tools uses multiple techniques to search for subdomains, such as DNS zone transfer, wordlist-based DNS enumeration, and public search engines. The output can be saved as a PDF.
12. MassDNS
MassDNS is the right tool for resolving domain names in bulk. It can resolve more than 350 thousand names per second. It uses publicly accessible resolvers and suits users who need to resolve millions or even billions of names. Because it puts heavy load on public resolvers, your IP address may end up flagged as abusive, so use it with care.
13. OWASP Amass
Amass was developed to help information security professionals map the attack surface of a network and discover external assets. The software is completely free to use, and its users include the industry-leading IT firm Accenture.
Using the tools above, you should be able to identify the subdomains of a target domain for security investigation. You might then follow up with an online port scanner against the hosts you find.