How to find subdomains in minutes?

Original author: Chandan Kumar
Subdomain discovery is an integral part of preparing an attack, and thanks to a number of tools, countering it has become much easier.

Unprotected subdomains put your business at serious risk, and recently there have been a number of incidents in which hackers used subdomains to bypass protection.

In the most recent of these incidents, the entire source code of the Vine site could be downloaded from an unprotected subdomain.

If you are the site owner or are studying information security issues, you can use the following tools to find subdomains of any domain.

From a translator:
I hope that these tools will help you save information on your virtual and dedicated servers.

Tool List:

  1. Censys
  2. Pentest-Tools
  3. DNS Dumpster
  4. Sublist3r
  5. Netcraft
  6. Cloudpiercer
  7. Detectify
  8. Subbrute
  9. Knock
  10. DNSRecon on Kali Linux

1. Censys
Censys is usually the first stop when searching for subdomains. Besides subdomains, it reveals plenty of other interesting information, namely:

  • IP data (may be useful for finding the real IP address);
  • certificate information;
  • open ports;
  • SSL/TLS handshake protocol versions and cipher suites (useful when looking for weak ciphers or protocols).

You will get a good overview of domain information.

2. Pentest-Tools
Pentest-Tools offers several methods for finding subdomains: DNS zone transfer, wordlist-based DNS enumeration, and search-engine queries.
Search results can be saved in PDF format.

3. DNS Dumpster
DNS Dumpster is a tool for finding domain and host information. The project is maintained by HackerTarget.com.

You can find information not only about the subdomain, but also about the DNS server, MX and TXT records, as well as get a graphical representation of information about your domain.

4. Sublist3r
Sublist3r is a Python tool for detecting subdomains using search engines. Sublist3r currently supports Google, Yahoo, Bing, Baidu, Ask, Netcraft, Virustotal, ThreatCrowd, DNSdumpster and PassiveDNS.

Sublist3r requires Python 2.7 and depends on several libraries.

You can use this tool on Windows, CentOS, RedHat, Ubuntu, Debian, and any other UNIX-based OS. The following is an example for CentOS.

  • Log in to your Linux server;
  • Download the latest version of Sublist3r:

wget https://github.com/aboul3la/Sublist3r/archive/master.zip

Unzip the downloaded file:

unzip master.zip

  • A new “Sublist3r-master” folder will be created.

As mentioned earlier, Sublist3r has dependencies; install them with the yum command:

yum install python-requests python-argparse

Go into the Sublist3r-master folder; you are now ready to detect subdomains with the following command:

./sublist3r.py -d yourdomain.com

As you can see, the tool detected my subdomains.

5. Netcraft
Netcraft has an extensive database of domains and should not be ignored when searching for open subdomain information.

The search result lists the domain and its subdomains along with the date each was first seen, the netblock, and operating-system information. If you need more detail about a site, open its site report, which covers the technologies in use, rankings, and more.

6. CloudPiercer
CloudPiercer can also be useful for checking whether subdomains of your domain exist. Beyond that, CloudPiercer is a quick and easy way to find out whether your site's real IP address is hidden: if the real IP address is publicly discoverable, your site is exposed to DDoS attacks.

7. Detectify
Detectify searches for subdomains using a predefined wordlist of several hundred entries, but only for domains you own. If you are a registered Detectify user, you can enable subdomain discovery in the overview section of the settings.

8. SubBrute
SubBrute is one of the most popular and accurate subdomain enumeration tools. The project is community-driven and uses open DNS resolvers as a kind of proxy, so SubBrute does not send traffic to the target's name servers.

This is not an online tool, so you have to install it on your own machine. SubBrute runs on Windows and UNIX systems, and installation is straightforward. Below is an example for CentOS / Linux.

  • Log in to your Linux server;
  • Download the latest version of SubBrute:

wget https://github.com/TheRook/subbrute/archive/master.zip

  • Unzip the downloaded zip file:

unzip master.zip

A new subbrute-master folder will be created. Go into the folder and execute subbrute.py with the necessary domain.

./subbrute.py yourdomain.com

The operation will take several seconds and the subdomains found will be displayed.

9. Knock
Knock is another Python tool for detecting subdomains; it has been tested with Python 2.7.6. Knock finds subdomains of the target domain from a wordlist.

  • Knock can be installed on Linux. Download the latest version:

wget https://github.com/guelfoweb/knock/archive/knock3.zip

  • Unzip the downloaded zip file with the unzip command:

unzip knock3.zip

  • A new folder “knock-knock3” will be created.
  • Go into the folder and install Knock with the following command:

python setup.py install

After installation, you can search for subdomains as follows:

./knockpy.py yourdomain.com
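The wordlist-based enumeration that Pentest-Tools, SubBrute and Knock all perform is easy to express in a few lines. The following is an added example (not code from the article or from any of the tools listed) that resolves each candidate label under a domain you are responsible for, with one refinement a practitioner will want: it first probes a label that should not exist, so that a wildcard DNS record does not turn every word in the list into a false positive. The resolver is injectable; the default uses the standard library and needs network access, while `sample_resolver` and `SAMPLE_ZONE` are constructed data so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, List, Optional

# Resolver: hostname -> first IPv4 address, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]


def default_resolver(hostname: str) -> Optional[str]:
    """Live resolver using the standard library (needs network access)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a label that should not exist. An answer means the zone has a
    wildcard record, and every candidate from the wordlist would 'exist'."""
    return resolve(f"xk9q2-no-such-label.{domain}")


def enumerate_subdomains(domain: str, words: List[str],
                         resolve: Resolver = default_resolver) -> Dict[str, str]:
    """Resolve <word>.<domain> for each word and return {hostname: ip}.
    Words are normalised and de-duplicated first. Answers equal to the
    wildcard address are dropped: a real host that shares the wildcard IP
    is missed, but otherwise every word in the list would be a hit."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in sorted({w.strip().lower() for w in words if w.strip()}):
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is not None and ip != wildcard_ip:
            found[host] = ip
    return found


# Constructed sample zone (documentation addresses) for offline use.
SAMPLE_ZONE = {
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.20",
    "dev.example.com": "198.51.100.30",
}


def sample_resolver(hostname: str) -> Optional[str]:
    """Offline resolver backed by SAMPLE_ZONE; no network traffic is sent."""
    return SAMPLE_ZONE.get(hostname)
```

Run it against your own zone by passing `default_resolver` (or omitting the argument); the wordlist can be any file of one label per line.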

10. DNSRecon for Kali Linux
Kali Linux is a great platform for evaluating information security and you can use DNSRecon on it without additional installation of any tools.

DNSRecon checks all NS records for zone transfers, enumerates common DNS records, tests wildcard resolution, looks up PTR records, and more.

To use DNSRecon, simply run the following command:

dnsrecon -d yourdomain.com

I hope that with the help of the above tools you will be able to detect subdomains of the target domain as part of your work on assessing information security. Let me know which one you liked the most.

I want to remind you that we recently launched a project for which we have collected more than 8.5 thousand reviews from various forums about 344 hosters - Poisk.Hosting . Virtual servers can still be found on VDS.menu, and shared hosting on SHARED.menu.
