⬆️ ⬇️

How to find subdomains in minutes?

The search for subdomains is an integral part of preparation for hacking, and thanks to some tools, opposition to these actions has become much easier.



Unprotected subdomains put your activities at serious risk, and recently there have been a number of incidents in which hackers used subdomains to bypass protection.



In the case of the last in a series of incidents, the entire Vine site code could be downloaded from an unprotected subdomain.

')

If you are a site owner or are studying information security issues, you can use the following tools to find subdomains of any domain.



image



From the translator:

I hope that these tools will help you to save information on your virtual and dedicated servers.



List of tools:



  1. Censys
  2. Pentest-Tools
  3. DNS Dumpster
  4. Sublist3r
  5. Netcraft
  6. CloudPiercer
  7. Detectify
  8. Subbrute
  9. Knock
  10. DNSRecon on Kali Linux


1. Censys

First of all, to search for subdomains, as a rule, they resort to Censys . In addition to the subdomain, you can find many more interesting things, namely:





image



You will get a good overview of domain information.



2. Pentest-Tools

Using Pentest-Tools , you can use several methods when searching for a subdomain, for example: transferring a DNS zone, iterating over a DNS based on a word list or using a search engine.

image



Search results can be saved in PDF format.



3. DNS Dumpster

DNS Dumpster is a tool for finding domain and host information. Authors of the project - HackerTarget.com.



You can find information not only about the subdomain, but also about the DNS server, MX and TXT records, as well as get a graphical representation of information about your domain.



image



4. Sublist3r

Sublist3r is a Python language tool for detecting subdomains using search engines. Sublist3r currently supports Google, Yahoo, Bing, Baidu, Ask, Netcraft, Virustotal, ThreatCrowd, DNSdumpster and PassiveDNS.



Sublist3r only supports Python version 2.7 and is dependent on several libraries.



You can use this tool on Windows, CentOS, RedHat, Ubuntu, Debian, and any other UNIX-based OS. Below is an example for CentOS.





wget https://github.com/aboul3la/Sublist3r/archive/master.zip 


Unzip the downloaded file:



 unzip master.zip 




As I mentioned earlier, there are the following dependencies, which can be installed using the yum command:



 yum install python-requests python-argparse 


Now everything is ready to detect subdomains with the following command:



 ./sublist3r.py -d yourdomain.com 


image



As you can see, the tool found my subdomains.



5. Netcraft

Netcraft has an extensive database of domains and should not be avoided when searching for public information about subdomains.



image



The search result will contain all information about the domain and subdomains, including the date of the first viewing, the range of addresses and information about the operating system. If you need to get more information about the site, just open the site report and you will be provided with a lot of information about technology, ranking, etc.



image



6. CloudPiercer

CloudPiercer can sometimes be useful when searching for information about whether a subdomain of your domain exists. By the way, CloudPiercer is a terrific and easy way to find out if the actual IP address of your site is protected. Open IP address information makes your site vulnerable to DDoS attacks.



7. Detectify

Detectify searches for subdomains by a predefined list of several hundred words, but only if you are the owner of the domain. However, if you are a registered Detectify user, you can enable the detection of subdomains in the overview section in the settings.



image


8. SubBrute

SubBrute is one of the most popular and accurate subdomain listing tools. The project was developed by the community and uses an open name resolver as a proxy, so SubBrute does not send traffic to the target DNS server.



This is not an online tool, so you have to install it on your computer. SubBrute can be used on Windows or UNIX systems. The program is very easy to install. Below is an example for CentOS / Linux.





 wget https://github.com/TheRook/subbrute/archive/master.zip 




 unzip master.zip 


A new subbrute-master folder will be created. Go to the folder and run subbrute.py with the required domain.



 ./subbrute.py yourdomain.com 


The operation will take several seconds and the found subdomains will be displayed.



9. Knock

Knock is another Python tool for detecting subdomains. It is tested for Python 2.7.6. Knock finds the subdomains of the target domain by the word list.





 wget https://github.com/guelfoweb/knock/archive/knock3.zip 




 unzip knock3.zip 




 python setup.py install 


After installation, you can search for subdomains as follows:



 ./knockpy.py yourdomain.com 


10. DNSRecon for Kali Linux

Kali Linux is a great platform for assessing information security and you can use DNSRecon on it without installing any additional tools.



DNSRecon checks all NS records for zone changes, common DNS records, pattern processing, PTR records, etc.



To use DNSRecon, simply run the following command.



 dnsrecon –d yourdomain.com 


image



I hope that using the above tools, you will be able to detect the subdomains of the target domain as part of your information security assessment work. Let me know which one you like the most.



I want to remind that recently I earned a project for which we collected more than 8.5 thousand reviews from various forums about 344 hosts - Poisk.Hosting . Virtual servers can still be found on the VDS.menu website, and virtual hosting on SHARED.menu .

Source: https://habr.com/ru/post/312954/



All Articles