Difference between revisions of "Finding subdomains"

There are several ways to attempt to find subdomains for a given domain.

1. The methods listed on Site exploration
2. Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
3. Use Subdomain Center: https://www.subdomain.center/
4. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
5. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
6. https://osint.sh/subdomain/
7. Certificate transparency logs https://crt.sh/
8. Software options:
   1. Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
   2. Knockpy https://github.com/guelfoweb/knock
   3. dnsenum2 https://github.com/SparrowOchon/dnsenum2
   4. dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
   5. gobuster https://github.com/OJ/gobuster
9. Twitter search
10. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6