Difference between revisions of "Finding subdomains"

There are several ways to attempt to find subdomains for a given domain.

1. The methods listed on Discovery and Site exploration
2. Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
3. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
4. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
5. https://osint.sh/subdomain/
6. Certificate transparency logs https://crt.sh/
7. Software options:
   1. Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
   2. Knockpy https://github.com/guelfoweb/knock
   3. dnsenum2 https://github.com/SparrowOchon/dnsenum2
   4. dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
   5. gobuster https://github.com/OJ/gobuster
8. Twitter search
9. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6