Subdomain Discovery
Last modified: 2023-03-02
Finding subdomains is a reconnaissance technique: it maps the hosts a target exposes under its domain, which is also why defenders should run the same enumeration against their own domains to catch forgotten or shadow assets.
Automation
```sh
# https://github.com/projectdiscovery/subfinder
subfinder -d example.com

# https://github.com/blechschmidt/massdns
./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S > results.txt

# https://github.com/guelfoweb/knock
knockpy vulnerable.com
# Using a wordlist
knockpy -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt vulnerable.com

# https://github.com/lc/gau
printf example.com | gau

# https://github.com/aboul3la/Sublist3r
python3 sublist3r.py -d example.com
```
Directory discovery tools can also brute-force subdomains from a wordlist.
```sh
# -mc: match only these HTTP status codes
ffuf -u https://FUZZ.example.com -w wordlist.txt -mc 200,301,302,403
gobuster dns -d example.com -w wordlist.txt
```
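Each of the tools above prints results in a different shape: subfinder and Sublist3r print bare hostnames, massdns with `-o S` prints `name. TYPE rdata` answer records (including chained CNAME targets that may lie outside the target domain), and gau prints full URLs. The following is an added example, not code from this page or from any of those projects, that merges such outputs into one deduplicated, in-scope hostname list. The sample lines are constructed, and the output formats are assumed to be as described; the scope check matters because a lookalike such as `example.com.evil.test` must not be treated as part of `example.com`.

```python
"""Merge subdomain enumeration output from several tools into one in-scope list."""
import re
import sys
from urllib.parse import urlparse

# RFC 1035-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed sample of mixed tool output (not real results).
SAMPLE = [
    "www.example.com",                              # subfinder: bare hostname
    "API.example.com",                              # subfinder: mixed case
    "*.staging.example.com",                        # wildcard entry from a CT-style source
    "mail.example.com. A 192.0.2.10",               # massdns -o S: A record
    "cdn.example.com. CNAME d1.edge.example.net.",  # massdns -o S: CNAME record
    "d1.edge.example.net. A 198.51.100.7",          # massdns: chained answer, out of scope
    "https://shop.example.com:8443/cart?id=1",      # gau: URL with port and query
    "http://example.com/",                          # gau: apex domain
    "https://example.com.evil.test/phish",          # lookalike domain, must be excluded
    "",                                             # blank line
    "# comment",                                    # comment line
]


def normalize(host):
    """Lower-case, strip the trailing dot and drop a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def parse_line(line):
    """Extract one hostname from a line of subfinder, massdns -o S, or gau output."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" in line:
        # gau prints URLs; urlparse().hostname already lower-cases and drops the port.
        return normalize(urlparse(line).hostname or "")
    # massdns -o S prints "name. TYPE rdata"; bare hostnames are a single token.
    return normalize(line.split()[0])


def in_scope(host, domain):
    """True only for the apex domain itself or a host strictly below it."""
    return host == domain or host.endswith("." + domain)


def merge(lines, domain):
    """Return the sorted, deduplicated set of valid in-scope hostnames."""
    found = set()
    for line in lines:
        host = parse_line(line)
        if host and HOSTNAME_RE.match(host) and in_scope(host, domain):
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    # Usage: cat subfinder.txt results.txt gau.txt | python3 merge_subs.py example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    print("\n".join(merge(source, target)))
```

Feed the concatenated output of the tools on stdin with the target domain as the only argument; the merged list is what you hand to the next stage (resolution, HTTP probing, or an asset inventory diff on the defensive side).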
Manual Discovery
Subdomains can also be found with Google dorks:

```sh
site:example.com
```