Difference between revisions of "Finding subdomains"
TheTechRobo (talk | contribs) (Add Google suggestion) |
(drop dmitry, its a bit old) |
Line 8: | Line 8: | ||
# https://osint.sh/subdomain/ | # https://osint.sh/subdomain/ | ||
# Certificate transparency logs https://crt.sh/ | # Certificate transparency logs https://crt.sh/ | ||
# Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | # Software options: | ||
## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | |||
## Knockpy https://github.com/guelfoweb/knock | |||
## dnsenum2 https://github.com/SparrowOchon/dnsenum2 | |||
## dnsmap https://github.com/resurrecting-open-source-projects/dnsmap | |||
# Twitter search | # Twitter search | ||
# Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 | # Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 |
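Review bot: the new "Software options" sub-list (the `##` Knockpy, dnsenum2 and dnsmap lines) does not say whether each tool only aggregates third-party sources, as the Subfinder line does with "includes several of the above methods", or sends DNS queries directly to the target's name servers; a short clause per entry ("passive" vs "active, queries the target") would let readers pick a passive option when they must not touch the target. Keeping each entry in the same shape as the Subfinder one (tool, one-line description, URL) would also make the sub-list easier to scan.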
Revision as of 04:57, 7 February 2023
There are several ways to attempt to find subdomains for a given domain, such as example.com.
- Perform web searches. The two primary search indexes are Bing and Google, and many other search engines use these indexes internally. Bing also has an API available. You can run queries as follows:
Google: site:example.com (use site:*.example.com to ONLY get subdomains).
Bing: site:example.com+
- Look for existing archived subdomains in the Internet Archive CDX API (which also includes data from Common Crawl). With fl=original each result line is a full archived URL, not a bare hostname, so the hostnames still have to be extracted and de-duplicated:
Get page count: https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&showNumPages=1
Iterate through pages (page=0, page=1, ... up to the reported count): https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&page=0
- Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
- Search the Chrome User Experience Report (CrUX) origin lists, which contain origins (scheme plus hostname) collected from Chrome's usage telemetry, so each subdomain that Chrome users visited appears as its own origin. See https://archive.org/details/crux_origin_list
- Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
- https://osint.sh/subdomain/
- Certificate transparency logs https://crt.sh/
- Software options:
- Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
- Knockpy https://github.com/guelfoweb/knock
- dnsenum2 https://github.com/SparrowOchon/dnsenum2
- dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
- Twitter search
- Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
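As an added, worked example (not code from this wiki page or from any of the tools it lists): the Internet Archive CDX output with fl=original is one full URL per line, and the crt.sh JSON output packs every SAN of a certificate into a newline-separated name_value field, so both sources have to be parsed into hostnames before they are useful. The script below does that for an assumed target of example.com, rejects look-alike names such as example.com.evil.test, drops wildcard certificate entries by default, builds the CDX page URLs from the showNumPages count, and merges the two sources. The two sample inputs are constructed, not real captures.

```python
"""Turn raw Internet Archive CDX output and crt.sh JSON into one de-duplicated
list of hostnames under a target domain.

Added example for this page; not code from the wiki or from any tool it lists.
The two sample inputs below are constructed, not real captures. The target
domain example.com is an assumption.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

TARGET = "example.com"  # assumed target domain

# Constructed stand-in for the body returned by
# https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&page=0
# (fl=original gives one archived URL per line, not bare hostnames).
SAMPLE_CDX = """\
http://example.com/
https://www.example.com/index.html
http://WWW.Example.com/robots.txt
https://blog.example.com:8443/post/1
http://mail.example.com/
https://example.com.evil.test/phish
http://api.staging.example.com/v1/
garbage-not-a-url
"""

# Constructed stand-in for https://crt.sh/?q=%25.example.com&output=json.
# name_value carries every SAN of the certificate, newline-separated, and
# wildcard certificates show up as "*.example.com".
SAMPLE_CRTSH = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA", "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nwww.vpn.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Example CA", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "issuer_name": "C=US, O=Example CA", "common_name": "dev.example.com",
     "name_value": "DEV.example.com\nexample.com.evil.test"},
])


def normalize_host(host: str, target: str = TARGET) -> str | None:
    """Lower-case, strip a trailing dot and any :port, and return the name only
    if it is the target itself or ends in '.' + target. The suffix check is what
    rejects look-alikes such as example.com.evil.test."""
    host = host.strip().lower().rstrip(".")
    host = host.split(":", 1)[0]
    if host == target or host.endswith("." + target):
        return host
    return None


def hosts_from_cdx(cdx_text: str, target: str = TARGET) -> set[str]:
    """Hostnames from CDX fl=original output (one URL per line)."""
    found: set[str] = set()
    for line in cdx_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if not parts.hostname:      # no scheme/netloc: not a URL, skip it
            continue
        host = normalize_host(parts.hostname, target)
        if host:
            found.add(host)
    return found


def hosts_from_crtsh(crtsh_json: str, target: str = TARGET,
                     keep_wildcards: bool = False) -> set[str]:
    """Hostnames from crt.sh JSON. Splits the newline-separated name_value field
    and also takes common_name. Wildcard names are not resolvable hosts, so they
    are dropped unless keep_wildcards is set (they are still worth noting: a
    wildcard cert means CT logs will not reveal the names served under it)."""
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        names = entry.get("name_value", "").split("\n")
        names.append(entry.get("common_name", ""))
        for name in names:
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*.") and not keep_wildcards:
                continue
            host = normalize_host(name, target)
            if host:
                found.add(host)
    return found


def cdx_page_urls(target: str, num_pages: int) -> list[str]:
    """The page URLs to walk once showNumPages=1 has reported the page count."""
    base = "https://web.archive.org/cdx/search/cdx"
    return [f"{base}?url=*.{target}&collapse=original&fl=original&page={page}"
            for page in range(num_pages)]


def merge_sources(cdx_text: str, crtsh_json: str, target: str = TARGET) -> list[str]:
    """Union of both sources, apex domain first, then by label depth and name."""
    hosts = hosts_from_cdx(cdx_text, target) | hosts_from_crtsh(crtsh_json, target)
    return sorted(hosts, key=lambda h: (h.count("."), h))


if __name__ == "__main__":
    for host in merge_sources(SAMPLE_CDX, SAMPLE_CRTSH):
        print(host)
```

Feeding the real CDX and crt.sh responses in place of the two samples is a matter of fetching the URLs in the comments; everything found this way is still only a candidate list and each name should be resolved before it is treated as live.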