Subdomain Discovery

Last modified: 2023-03-02

DNS Reconnaissance

Finding subdomains is a method of reconnaissance.

Automation

# https://github.com/projectdiscovery/subfinder
subfinder -d example.com

# https://github.com/blechschmidt/massdns
./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S > results.txt

# https://github.com/guelfoweb/knock
knockpy vulnerable.com
# Using wordlist
knockpy -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt vulnerable.com

# https://github.com/lc/gau
printf example.com | gau

# https://github.com/aboul3la/Sublist3r
python3 sublist3r.py -d example.com

Also we can use directory discovery tools.

# -mc: Match status code
ffuf -u https://FUZZ.example.com -w wordlist.txt -mc 200,301,302,403

gobuster dns -d example.com -w wordlist.txt

Manual Discovery

We can also find subdomains using Google Dorks.

site:example.com

OSINT

nmmapper

Exploits related to Reconnaissance

Others

Subdomain Discovery

Automation

Manual Discovery

OSINT

Tools by HDKS