Difference between revisions of "Finding subdomains"
(reference the Discovery and Site exploration pages, otherwise the removed methods will be lost to users of this page) |
(Altdns) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
There are several ways to attempt to find subdomains for a given domain. | There are several ways to attempt to find subdomains for a given domain. | ||
# The methods listed on | # The methods listed on [[Site exploration]] | ||
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available. | # Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available. | ||
# Use Subdomain Center: https://www.subdomain.center/ | |||
# Use DNSdumpster: https://dnsdumpster.com/ | |||
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list | # Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list | ||
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html | # Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html | ||
Line 9: | Line 11: | ||
# Software options: | # Software options: | ||
## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | ## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | ||
## assetfinder https://github.com/tomnomnom/assetfinder | |||
## Knockpy https://github.com/guelfoweb/knock | ## Knockpy https://github.com/guelfoweb/knock | ||
## dnsenum2 https://github.com/SparrowOchon/dnsenum2 | ## dnsenum2 https://github.com/SparrowOchon/dnsenum2 | ||
## dnsmap https://github.com/resurrecting-open-source-projects/dnsmap | ## dnsmap https://github.com/resurrecting-open-source-projects/dnsmap | ||
## gobuster https://github.com/OJ/gobuster | ## gobuster https://github.com/OJ/gobuster | ||
## Sublist3r https://github.com/aboul3la/Sublist3r | |||
## Altdns https://github.com/infosec-au/altdns | |||
# Twitter search | # Twitter search | ||
# Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 | # Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 |
Latest revision as of 08:31, 25 March 2024
There are several ways to attempt to find subdomains for a given domain.
- The methods listed on Site exploration
- Use Subdomain Finder: https://subdomainfinder.c99.nl/ (a paid API is also available)
- Use Subdomain Center: https://www.subdomain.center/
- Use DNSdumpster: https://dnsdumpster.com/
- Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
- Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
- https://osint.sh/subdomain/
- Certificate transparency logs https://crt.sh/
- Software options:
  - Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
  - assetfinder https://github.com/tomnomnom/assetfinder
  - Knockpy https://github.com/guelfoweb/knock
  - dnsenum2 https://github.com/SparrowOchon/dnsenum2
  - dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
  - gobuster https://github.com/OJ/gobuster
  - Sublist3r https://github.com/aboul3la/Sublist3r
  - Altdns https://github.com/infosec-au/altdns
- Twitter search
- Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6