Subdomain Discovery
Last modified: 2023-10-05
DNS
Reconnaissance
Finding subdomains is a method of reconnaissance: every host that turns up (staging, API, admin, forgotten dev boxes) widens the attack surface. Start with passive sources (certificate logs, search engines, archived URLs), then brute-force names against DNS, and finally probe the live hosts.
Automation
# https://github.com/projectdiscovery/subfinder
subfinder -d example.com
subfinder -d example.com -o domains.txt
# https://github.com/blechschmidt/massdns
./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S > results.txt
# https://github.com/guelfoweb/knock
knockpy vulnerable.com
# Using a wordlist
knockpy -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt vulnerable.com
# https://github.com/lc/gau
printf example.com | gau
cat domains.txt | gau --threads 5
# https://github.com/aboul3la/Sublist3r
python3 sublist3r.py -d example.com
# This sends requests to the target web server directly (not to passive sources), so it is noisy; be careful.
# -mc: match only these HTTP status codes
ffuf -u https://FUZZ.example.com -w wordlist.txt -mc 200,301,302,403
gobuster dns -d example.com -w wordlist.txt
# -r: Custom DNS resolver, e.g. the target's internal DNS server, for zones that public resolvers do not know.
gobuster dns -d example.com -w subdomains.txt -r 10.0.0.1
# https://github.com/owasp-amass/amass
amass enum -d example.com -v
# https://github.com/gwen001/github-subdomains
# Requires a GitHub API token (the tool searches GitHub code for hostnames under the domain).
github-subdomains -d example.com
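The tools above emit different shapes: subfinder and Sublist3r print bare hostnames, gau prints full URLs, ffuf and gobuster may include ports or wildcard labels, and everything mixes case. The following script is an added example (not from the original page and not part of any of the tools listed) that merges such raw output into one de-duplicated, in-scope host list ready for massdns or ffuf. The function name `normalize_hosts` and the sample input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or from any tool listed above.
# Normalise mixed enumeration output into one clean, in-scope host list:
#   1. drop CRLF and surrounding whitespace
#   2. strip URL scheme, path, query and port (gau / ffuf output)
#   3. lower-case everything (DNS names are case-insensitive)
#   4. drop a leading wildcard label ("*.dev.example.com" -> "dev.example.com")
#   5. keep only the scope domain itself or hosts ending in ".<domain>",
#      so "notexample.com" and "example.com.evil.com" are rejected
#   6. de-duplicate
#
# Usage:  normalize_hosts example.com < raw_output.txt
normalize_hosts() {
    domain="$1"
    # Escape the dots of the scope domain so grep -E matches them literally.
    domain_re=$(printf '%s' "$domain" | sed 's/\./\\./g')

    tr -d '\r' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
    | sed -E 's#[/?].*$##; s#:[0-9]+$##' \
    | tr 'A-Z' 'a-z' \
    | sed -E 's/^\*\.//' \
    | grep -E "^([a-z0-9-]+\.)*${domain_re}\$" \
    | sort -u
}

# Constructed sample input (assumption, not real tool output) mixing the
# formats the tools above produce, plus two out-of-scope decoys.
sample='https://API.example.com/v1/users?id=1
*.dev.example.com
mail.example.com:8443
EXAMPLE.COM
api.example.com
notexample.com
example.com.evil.com'

# Number of in-scope hosts found in the sample (helper used for checking).
count_hosts() {
    printf '%s\n' "$sample" | normalize_hosts example.com | wc -l | tr -d ' '
}

# Prints: api.example.com, dev.example.com, example.com, mail.example.com
printf '%s\n' "$sample" | normalize_hosts example.com
```

Pipe the result into massdns (`massdns -r lists/resolvers.txt -t A -o S`) to confirm which names actually resolve before spending requests on ffuf or a port scanner; anchoring the regex on both ends is what keeps look-alike domains and attacker-controlled suffixes out of the target list.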
Manual Discovery
We can also find subdomains using Google Dorks. Page through the results and note every distinct host; excluding hosts you already know (for example with `-site:www.example.com`) brings the less obvious ones to the top.
site:example.com