Difference between revisions of "Finding subdomains"

From Archiveteam
Jump to navigation Jump to search
m (Added Cloudflare note to SecurityTrail and added grammatical `:`s for consistency where appropriate.)
(mention auth requirement, bugmenot, more cloudflare JS mentions)
Line 2: Line 2:


# The methods listed on [[Site exploration]]
# The methods listed on [[Site exploration]]
# Use SecurityTrail: https://securitytrails.com/ Behind Cloudflare DDoS protection as of 2024-07-07.
# Use SecurityTrail: https://securitytrails.com/ (subdomains requires auth, [https://bugmenot.com/view/securitytrails.com bugmenot has working logins])  (Cloudflare JS)
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
# Use Subdomain Center: https://www.subdomain.center/
# Use Subdomain Center: https://www.subdomain.center/
Line 8: Line 8:
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
# https://osint.sh/subdomain/
# https://osint.sh/subdomain/ (Cloudflare JS)
# Certificate transparency logs: https://crt.sh/
# Certificate transparency logs: https://crt.sh/
# Software options:
# Software options:

Revision as of 04:16, 8 July 2024

There are several ways to attempt to find subdomains for a given domain.

  1. The methods listed on Site exploration
  2. Use SecurityTrail: https://securitytrails.com/ (subdomains requires auth, bugmenot has working logins) (Cloudflare JS)
  3. Use Subdomain Finder: https://subdomainfinder.c99.nl/ Paid API also available.
  4. Use Subdomain Center: https://www.subdomain.center/
  5. Use DNSdumpster: https://dnsdumpster.com/
  6. Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
  7. Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
  8. https://osint.sh/subdomain/ (Cloudflare JS)
  9. Certificate transparency logs: https://crt.sh/
  10. Software options:
    1. Subfinder, which includes several of the above methods: https://github.com/projectdiscovery/subfinder
    2. assetfinder: https://github.com/tomnomnom/assetfinder
    3. Knockpy: https://github.com/guelfoweb/knock
    4. dnsenum2: https://github.com/SparrowOchon/dnsenum2
    5. dnsmap: https://github.com/resurrecting-open-source-projects/dnsmap
    6. gobuster: https://github.com/OJ/gobuster
    7. Sublist3r: https://github.com/aboul3la/Sublist3r
    8. Altdns: https://github.com/infosec-au/altdns
  11. Twitter search
  12. Archive.Today, with asterisk: https://archive.today/*.example.org
  13. Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
Retrieved from "https://wiki.archiveteam.org/index.php?title=Finding_subdomains&oldid=52668"