Subdomain Discovery

Last modified: 2023-10-05

DNS Reconnaissance

Finding subdomains is a reconnaissance step: it maps the hosts that belong to a target domain before any of them is examined further.

# Passive subdomain enumeration from public sources
subfinder -d
# -o: write the results to a file
subfinder -d -o domains.txt

# Resolve a candidate name list with massdns (-r: resolver list, -t: record type, -o S: simple text output)
./scripts/ lists/names.txt | ./bin/massdns -r lists/resolvers.txt -t A -o S > results.txt

# Using wordlist
knockpy -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

printf | gau
cat domains.txt | gau --threads 5

python3 -d

# This sends requests to the target web server directly, so be careful
# -mc: match only these HTTP status codes
ffuf -u -w wordlist.txt -mc 200,301,302,403

gobuster dns -d -w wordlist.txt
# -r: custom DNS resolver. Specify the target IP address.
gobuster dns -d -w subdomains.txt -r

amass enum -d -v

# Requires a GitHub token to be set
github-subdomains -d
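Each tool above reports hosts in a different shape: subfinder prints bare names, massdns `-o S` prints `name. TYPE rdata` lines, and gau prints full URLs. Before the results are compared or handed to an asset inventory they need one normalized, de-duplicated list restricted to the domain actually in scope, otherwise CNAME targets and third-party hosts leak in. The following is an added example, not code from the original page or from any of the tools it lists; the three sample outputs are constructed, and the scope domain `example.com` and the function names are assumptions.

```shell
#!/bin/sh
# Merge subdomain-discovery output from several tools into one de-duplicated,
# in-scope host list. All sample input below is constructed for this example.

# Constructed sample: subfinder-style plain hostnames (mixed case on purpose)
SUBFINDER_OUT='www.example.com
Mail.example.com
dev.example.com'

# Constructed sample: massdns "-o S" simple output ("name. TYPE rdata")
MASSDNS_OUT='www.example.com. A 192.0.2.10
api.example.com. CNAME edge.example.net.
edge.example.net. A 198.51.100.7'

# Constructed sample: gau URLs, including a port and a third-party CDN
GAU_OUT='https://www.example.com/login
http://static.example.com:8080/js/app.js
https://cdn.example.org/lib.js'

# normalize_hosts SCOPE: reads tool output on stdin and prints unique lowercase
# hostnames that are SCOPE itself or end in ".SCOPE". Anything else is dropped,
# so a CNAME target in another zone or a look-alike such as
# "sub.example.com.attacker.net" never enters the list.
normalize_hosts() {
    scope=$1
    awk -v scope="$scope" '
    {
        # First field only: massdns lines carry the record type and rdata after it
        h = $1
        # Strip a URL scheme ("https://") if present
        i = index(h, "://")
        if (i) h = substr(h, i + 3)
        # Cut at the first path, query or fragment separator
        if (match(h, "[/?#]")) h = substr(h, 1, RSTART - 1)
        # Drop an explicit port
        sub(/:[0-9]+$/, "", h)
        # Absolute DNS names end in "."; case is not significant in DNS
        sub(/\.$/, "", h)
        h = tolower(h)
        # Keep the apex or a name whose last (len(scope)+1) chars are ".scope"
        if (h == scope || substr(h, length(h) - length(scope)) == "." scope)
            print h
    }' | sort -u
}

# merged_hosts: feeds all three constructed outputs through the normalizer
merged_hosts() {
    printf '%s\n%s\n%s\n' "$SUBFINDER_OUT" "$MASSDNS_OUT" "$GAU_OUT" \
        | normalize_hosts example.com
}

merged_hosts
```

In real use replace the three constructed variables with `cat domains.txt results.txt urls.txt | normalize_hosts example.com`. The suffix check is deliberately a string comparison on ".example.com" rather than a substring search, because a substring match would accept the look-alike host in the comment above.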

Manual Discovery

We can also find subdomains using Google Dorks.