Difference between revisions of "Finding subdomains"

There are several ways to attempt to find subdomains for a given domain, such as example.com.

1. Perform web searches. The two primary search indexes are Bing and Google, and many other search engines use these indexes internally. Bing also has an API available. You can run queries as follows:
   Google: site:example.com (use site:*.example.com to ONLY get subdomains).
   Bing: site:example.com+
2. Look for existing archived subdomains in the Internet Archive CDX (which also includes data from Common Crawl):
   Get page count: https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&showNumPages=1
   Iterate through pages: https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&page=0
3. Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
4. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
5. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
6. https://osint.sh/subdomain/
7. Certificate transparency logs https://crt.sh/
8. Software options:
   1. Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
   2. Knockpy https://github.com/guelfoweb/knock
   3. dnsenum2 https://github.com/SparrowOchon/dnsenum2
   4. dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
9. Twitter search
10. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6