Difference between revisions of "Finding subdomains"

From Archiveteam
(fixed securitytrails script)
 
(18 intermediate revisions by 8 users not shown)
Line 2: Line 2:


# The methods listed on [[Site exploration]]
# The methods listed on [[Site exploration]]
# Use SecurityTrail http://securitytrails.com/
# Use Merklemap: https://www.merklemap.com/ ([https://github.com/Barre/merklemap-cli CLI], paid API)
# Use SecurityTrails: https://securitytrails.com/ (Cloudflare JS)
## Browser console based API scraper: [https://transfer.archivete.am/ExVF1/securitytrails-domain-scraper.js securitytrails-domain-scraper.js] (useful when there is more than one page)
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Center: https://www.subdomain.center/
# Use Subdomain Center: https://www.subdomain.center/
Line 8: Line 10:
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# https://osint.sh/subdomain/
# https://osint.sh/subdomain/ (Cloudflare JS)
# Certificate transparency logs https://crt.sh/
# Certificate transparency logs: https://crt.sh/ as well as https://www.merklemap.com/
# Software options:
# Software options:
## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
## Subfinder, which includes several of the above methods: https://github.com/projectdiscovery/subfinder
## assetfinder https://github.com/tomnomnom/assetfinder
## assetfinder: https://github.com/tomnomnom/assetfinder
## Knockpy https://github.com/guelfoweb/knock
## Knockpy: https://github.com/guelfoweb/knock
## dnsenum2 https://github.com/SparrowOchon/dnsenum2
## dnsenum2: https://github.com/SparrowOchon/dnsenum2
## dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
## dnsmap: https://github.com/resurrecting-open-source-projects/dnsmap
## gobuster https://github.com/OJ/gobuster
## gobuster: https://github.com/OJ/gobuster
## Sublist3r https://github.com/aboul3la/Sublist3r
## Sublist3r: https://github.com/aboul3la/Sublist3r
## Altdns https://github.com/infosec-au/altdns
## Altdns: https://github.com/infosec-au/altdns
## Subenum: https://github.com/42zen/subenum
## AMASS: https://github.com/OWASP/Amass — A powerful tool for in-depth subdomain enumeration, leveraging various APIs, web scraping, and DNS resolution
## The Harvester: https://github.com/laramies/theHarvester — Gathers subdomains using search engines, Shodan, and other OSINT sources
## subdomains-top1million-110000.txt: A wordlist of popular subdomains for brute-force enumeration. Use with tools like gobuster or Sublist3r for effective DNS brute-forcing
# Twitter search
# Twitter search
# Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
# Archive.Today, with asterisk: https://archive.today/*.example.org
# Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 https://en.wikipedia.org/wiki/DNS_zone_transfer https://www.domaintools.com/resources/blog/zone-walking-zone-enumeration-via-dnssec-nsec-records/
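Review bot: the Cisco Umbrella line in this hunk keeps the plain-http link http://s3-us-west-1.amazonaws.com/umbrella-static/index.html on both the old and new side, while the same revision upgrades the SecurityTrails link from http://securitytrails.com/ to https://securitytrails.com/; for consistency, and so the top-domains list is fetched over TLS, the Umbrella link should be switched to https:// as well if the bucket serves it. Also, Merklemap now appears twice in the new revision (as "Use Merklemap" and again on the "Certificate transparency logs" line); one mention, or a cross-reference, would keep the list tidier.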

Latest revision as of 04:51, 11 September 2025

There are several ways to attempt to find subdomains for a given domain.

  1. The methods listed on Site exploration
  2. Use Merklemap: https://www.merklemap.com/ (CLI, paid API)
  3. Use SecurityTrails: https://securitytrails.com/ (Cloudflare JS)
    1. Browser console based API scraper: securitytrails-domain-scraper.js (useful when there is more than one page)
  4. Use Subdomain Finder: https://subdomainfinder.c99.nl/ (paid API also available)
  5. Use Subdomain Center: https://www.subdomain.center/
  6. Use DNSdumpster: https://dnsdumpster.com/
  7. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
  8. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
  9. https://osint.sh/subdomain/ (Cloudflare JS)
  10. Certificate transparency logs: https://crt.sh/ as well as https://www.merklemap.com/
  11. Software options:
    1. Subfinder, which includes several of the above methods: https://github.com/projectdiscovery/subfinder
    2. assetfinder: https://github.com/tomnomnom/assetfinder
    3. Knockpy: https://github.com/guelfoweb/knock
    4. dnsenum2: https://github.com/SparrowOchon/dnsenum2
    5. dnsmap: https://github.com/resurrecting-open-source-projects/dnsmap
    6. gobuster: https://github.com/OJ/gobuster
    7. Sublist3r: https://github.com/aboul3la/Sublist3r
    8. Altdns: https://github.com/infosec-au/altdns
    9. Subenum: https://github.com/42zen/subenum
    10. AMASS: https://github.com/OWASP/Amass — A powerful tool for in-depth subdomain enumeration, leveraging various APIs, web scraping, and DNS resolution
    11. The Harvester: https://github.com/laramies/theHarvester — Gathers subdomains using search engines, Shodan, and other OSINT sources
    12. subdomains-top1million-110000.txt: A wordlist of popular subdomains for brute-force enumeration. Use with tools like gobuster or Sublist3r for effective DNS brute-forcing
  12. Twitter search
  13. Archive.Today, with asterisk: https://archive.today/*.example.org
  14. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6 (general guide), https://en.wikipedia.org/wiki/DNS_zone_transfer (DNS zone transfer), https://www.domaintools.com/resources/blog/zone-walking-zone-enumeration-via-dnssec-nsec-records/ (zone walking via DNSSEC NSEC records)
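As an added example (not code from the ArchiveTeam page, nor from crt.sh), here is a Python parser for the JSON that crt.sh returns for a `%.example.org` query, which is the certificate-transparency method in item 10 above. It normalises the newline-separated names packed into each record's `name_value` field, keeps only hosts under the queried apex (so look-alike names from other zones are dropped), and reports the hosts that are missing from a known inventory, which is the check a domain owner runs to spot forgotten or unexpected hosts. `SAMPLE_RECORDS` is a constructed stand-in for a live response; `fetch_crtsh` is the optional live query and is not used by the offline demo.

```python
"""Parse crt.sh JSON output into a deduplicated subdomain inventory.

Added example (not part of the ArchiveTeam page): the functions below parse
the JSON crt.sh returns for a query such as
https://crt.sh/?q=%25.example.org&output=json, normalise the names found in
each certificate, and report hosts that are not in a known inventory.
SAMPLE_RECORDS is a constructed stand-in for a live response.
"""
import json
import urllib.parse
import urllib.request
from typing import Iterable

# Constructed sample: the shape matches crt.sh's JSON output (one object per
# log entry; name_value holds newline-separated subject alternative names).
SAMPLE_RECORDS = json.loads(r'''[
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.org",
   "name_value": "www.example.org\nexample.org",
   "id": 1001, "entry_timestamp": "2024-01-10T00:00:00",
   "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59",
   "serial_number": "01"},
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.example.org",
   "name_value": "*.example.org\nMAIL.Example.org",
   "id": 1002, "entry_timestamp": "2024-02-01T00:00:00",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59",
   "serial_number": "02"},
  {"issuer_ca_id": 2, "issuer_name": "C=US, O=Example CA, CN=Example CA 1",
   "common_name": "staging-old.example.org",
   "name_value": "staging-old.example.org\nexample.org.evil-lookalike.net",
   "id": 1003, "entry_timestamp": "2023-06-01T00:00:00",
   "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59",
   "serial_number": "03"}
]''')


def in_scope(name: str, apex: str) -> bool:
    """True if name is the apex itself or a label-boundary subdomain of it.

    The label boundary matters: 'notexample.org' must not match 'example.org'.
    """
    return name == apex or name.endswith("." + apex)


def extract_hostnames(records: Iterable[dict], apex: str) -> list[str]:
    """Return sorted unique hostnames under apex seen in any certificate.

    crt.sh packs all SANs of one certificate into name_value separated by
    newlines. Names are lower-cased and a trailing dot is removed so that
    'MAIL.Example.org' and 'mail.example.org' count once. Wildcard entries
    are kept with their '*.' so the reader can see a wildcard cert exists.
    """
    apex = apex.lower().rstrip(".")
    found: set[str] = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name and in_scope(name, apex):
                found.add(name)
    return sorted(found)


def unexpected_hosts(hostnames: Iterable[str], known: Iterable[str]) -> list[str]:
    """Names in the CT feed that are absent from the owner's known inventory.

    Wildcard names are expected noise from wildcard certificates and are not
    reported; everything else is a host someone obtained a certificate for.
    """
    known_lower = {k.lower().rstrip(".") for k in known}
    return sorted(h for h in hostnames
                  if not h.startswith("*.") and h not in known_lower)


def fetch_crtsh(apex: str, timeout: float = 30.0) -> list[dict]:
    """Live query against crt.sh (needs network); not used by the demo below."""
    url = "https://crt.sh/?" + urllib.parse.urlencode(
        {"q": "%." + apex, "output": "json"})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_RECORDS, "example.org")
    print("hosts seen in CT logs:", hosts)
    inventory = ["example.org", "www.example.org", "mail.example.org"]
    print("not in inventory:", unexpected_hosts(hosts, inventory))
```

On the constructed sample the parser yields five in-scope names (the wildcard, the apex, `mail`, `staging-old` and `www`), drops `example.org.evil-lookalike.net` because it is not under the apex at a label boundary, and flags `staging-old.example.org` as the one host the inventory does not know about. For a real run, swap `SAMPLE_RECORDS` for `fetch_crtsh("yourdomain.example")`; crt.sh returns one entry per log entry, so a popular domain produces thousands of records that this deduplication collapses.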