Difference between revisions of "Finding subdomains"

From Archiveteam
m (More formatting fixes)
(Altdns)
 
(11 intermediate revisions by 4 users not shown)
Line 1: Line 1:
There are several ways to attempt to find subdomains for a given domain, such as example.com.
There are several ways to attempt to find subdomains for a given domain.


# Perform web searches. The two primary search indexes are Bing and Google, and many other search engines use these indexes internally. Bing also has an API available. You can run queries as follows:<br/>Google: <code>site:example.com</code>.<br/>Bing: <code>site:example.com+</code>
# The methods listed on [[Site exploration]]
# Look for existing archived subdomains in the Internet Archive CDX (which also includes data from Common Crawl):<br/>Get page count: https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&showNumPages=1<br/>Iterate through pages: https://web.archive.org/cdx/search/cdx?url=*.example.com&collapse=original&fl=original&page=0
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Center: https://www.subdomain.center/
# Use DNSdumpster: https://dnsdumpster.com/
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# https://osint.sh/subdomain/
# Certificate transparency logs https://crt.sh/
# Software options:
## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
## assetfinder https://github.com/tomnomnom/assetfinder
## Knockpy https://github.com/guelfoweb/knock
## dnsenum2 https://github.com/SparrowOchon/dnsenum2
## dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
## gobuster https://github.com/OJ/gobuster
## Sublist3r https://github.com/aboul3la/Sublist3r
## Altdns https://github.com/infosec-au/altdns
# Twitter search
# Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
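
Review bot: the list items for https://osint.sh/subdomain/ and "Twitter search" near the end of the list carry no description of what to do with them, unlike the neighbouring "Use ..." items; add a short phrase to each saying what is searched and how. Separately, the "Perform web searches" and Internet Archive CDX items are the only ones in this diff with concrete query syntax (`site:example.com`, `url=*.example.com`), and neither appears in the resulting revision; if they are meant to be covered by the [[Site exploration]] link, say so in that item so the query examples are not lost.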

Latest revision as of 08:31, 25 March 2024

There are several ways to attempt to find subdomains for a given domain.

  1. The methods listed on Site exploration
  2. Use Subdomain Finder: https://subdomainfinder.c99.nl/ (a paid API is also available).
  3. Use Subdomain Center: https://www.subdomain.center/
  4. Use DNSdumpster: https://dnsdumpster.com/
  5. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
  6. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
  7. https://osint.sh/subdomain/
  8. Search certificate transparency logs: https://crt.sh/
  9. Software options:
    1. Subfinder, which includes several of the above methods: https://github.com/projectdiscovery/subfinder
    2. assetfinder https://github.com/tomnomnom/assetfinder
    3. Knockpy https://github.com/guelfoweb/knock
    4. dnsenum2 https://github.com/SparrowOchon/dnsenum2
    5. dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
    6. gobuster https://github.com/OJ/gobuster
    7. Sublist3r https://github.com/aboul3la/Sublist3r
    8. Altdns https://github.com/infosec-au/altdns
  10. Twitter search
  11. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6