Comparing scripts to collect information about subdomains

    Hello!


    I want to raise the topic of collecting subdomains as part of OSINT. There is a fairly large number of tools to automate this task. I'll tell you about those I encountered. The target domain used is group-ib.ru.


    1. DNSDumpster
      A public web service from HackerTarget. Clean interface with a number of extras. Draws a map that can be shown to the customer. Displays DNS servers and MX, TXT and A records.


      Map:
      [image: DNSDumpster map]


      Found domains: 28


    2. Knockpy
      Brute-forces subdomains from a wordlist and supports lookups via VirusTotal.
      It is not fast.




      Found domains: 28


    3. Sublist3r
      Uses a number of services to search for subdomains and also bundles Subbrute for wordlist brute-forcing.




      Found domains: 107


    4. Subbrute
      Brute-forces from a wordlist. Uses open DNS resolvers to avoid limits on the number of queries. Performance is very poor, but the results are not bad.




      Found domains: I did not wait for completion, but it's worth the wait.


    5. theHarvester
      A popular harvester that looks for almost everything: people, e-mail addresses, subdomains, virtual hosts. It has not yet learned to find the meaning of life.




      Found domains: 142


    6. Amass
      Backed by OWASP. As the developer says, Amass collects data from various public sources, brute-forces recursively, searches the web archive, and applies mutations to the target domain. It also collects information on subnets and ASNs and can build maps. In my experience, all this splendor works unstably and erratically.




      Found domains: in passive mode, 56. In active mode, Amass crashed with an error.


    7. subfinder
      Positioned as a successor to Sublist3r. It is written in Go, so you either compile it yourself or run it from Docker. It has a modular structure, so you can add modules of your own if you wish.




      Found domains: 66



    What is the result? There are many tools for this task, and they all give different results. For maximum coverage, you can try them all and combine the results. Don't neglect the manual approach either: it often turns up what the tools could not. How that is done is written up all over the Internet.
    And how are you looking for subdomains?
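    Combining the results, as the conclusion suggests, is mostly a normalization problem: the tools emit trailing dots, mixed case, wildcard entries and out-of-scope names that merely end in a similar string. The script below is an added example (not part of the post or of any tool reviewed) that merges several tool outputs into one deduplicated inventory with per-tool attribution; the tool outputs are constructed sample data, not real results for group-ib.ru.

```python
"""Merge subdomain lists from several enumeration tools into one
deduplicated inventory that records which tool reported each host."""
from collections import defaultdict
from typing import Dict, Optional, Set

TARGET = "group-ib.ru"  # the post's target domain

# Constructed sample output, one candidate per line, showing the kinds
# of noise the tools produce: trailing dots, mixed case, wildcards,
# blank lines and look-alike names outside the target's scope.
TOOL_OUTPUT = {
    "sublist3r": "www.group-ib.ru\nmail.Group-IB.ru\nvpn.group-ib.ru\n",
    "amass":     "www.group-ib.ru.\n*.group-ib.ru\ncdn.group-ib.ru\n",
    "subfinder": "vpn.group-ib.ru\nnotgroup-ib.ru\ncdn.group-ib.ru\n \n",
}


def normalize(name: str, target: str) -> Optional[str]:
    """Canonicalize one candidate; return None if it is not a real,
    in-scope host name."""
    name = name.strip().lower().rstrip(".")
    if not name or name.startswith("*"):     # blanks and wildcard entries
        return None
    # Require a label boundary: "notgroup-ib.ru" must not match.
    if name == target or name.endswith("." + target):
        return name
    return None


def merge(outputs: Dict[str, str], target: str) -> Dict[str, Set[str]]:
    """Map each in-scope host to the set of tools that reported it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for tool, text in outputs.items():
        for line in text.splitlines():
            host = normalize(line, target)
            if host is not None:
                seen[host].add(tool)
    return dict(seen)


def only_found_by(merged: Dict[str, Set[str]], tool: str) -> list:
    """Hosts that a single tool found and every other tool missed."""
    return sorted(h for h, tools in merged.items() if tools == {tool})


if __name__ == "__main__":
    result = merge(TOOL_OUTPUT, TARGET)
    for host in sorted(result):
        print(f"{host:25} {', '.join(sorted(result[host]))}")
```

The per-tool attribution is what makes the comparison useful: `only_found_by` shows which tool is pulling its weight and which hosts deserve a manual second look.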

