Subdomain Discovery

Last modified: 2023-10-05

DNS Reconnaissance

Finding subdomains is a method of reconnaissance.

Automation

# https://github.com/projectdiscovery/subfinder
subfinder -d example.com
subfinder -d example.com -o domains.txt

# https://github.com/blechschmidt/massdns
./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S > results.txt

# https://github.com/guelfoweb/knock
knockpy vulnerable.com
# Using wordlist
knockpy -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt vulnerable.com

# https://github.com/lc/gau
printf example.com | gau
cat domains.txt | gau --threads 5

# https://github.com/aboul3la/Sublist3r
python3 sublist3r.py -d example.com

# This sends requests to the target web server directly, so be careful
# -mc: Match status code
ffuf -u https://FUZZ.example.com -w wordlist.txt -mc 200,301,302,403

gobuster dns -d example.com -w wordlist.txt
# -r: Custom DNS resolver. Specify the target IP address.
gobuster dns -d example.com -w subdomains.txt -r 10.0.0.1

# https://github.com/owasp-amass/amass
amass enum -d example.com -v

# https://github.com/gwen001/github-subdomains
# *a GitHub token must be set
github-subdomains -d example.com
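
The wordlist-driven tools above (ffuf, gobuster, massdns, knockpy) generate bursts of queries for names that do not exist, which a resolver answers with NXDOMAIN. The following detection is an added example, not part of the original notes or of any of those projects: it parses a constructed resolver log and flags clients that produce many distinct NXDOMAIN names under one zone within a short window; the log layout and thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample resolver log ("epoch client qname rcode"); not real data.
SAMPLE_LOG = """\
1696500000 10.0.0.5 www.example.com NOERROR
1696500001 10.0.0.5 mail.example.com NOERROR
1696500002 10.0.0.9 www.example.com NOERROR
1696500002 10.0.0.5 admin.example.com NXDOMAIN
1696500002 10.0.0.5 dev.example.com NXDOMAIN
1696500003 10.0.0.5 test.example.com NXDOMAIN
1696500003 10.0.0.5 staging.example.com NXDOMAIN
1696500004 10.0.0.5 vpn.example.com NXDOMAIN
1696500004 10.0.0.5 api.example.com NOERROR
1696500005 10.0.0.5 backup.example.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+?)\.? (\S+)$")

def parse_line(line):
    """Return (ts, client, qname, rcode) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return int(ts), client, qname.lower(), rcode.upper()

def detect_enumeration(log_text, zone, window=60, min_nx=5, min_ratio=0.5):
    """Flag clients whose queries under `zone` look like wordlist brute-forcing:
    >= min_nx distinct NXDOMAIN names within `window` seconds, and NXDOMAIN
    making up >= min_ratio of that client's queries for the zone."""
    suffix = "." + zone.lower().rstrip(".")
    per_client = defaultdict(list)  # client -> [(ts, qname, rcode)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].endswith(suffix):
            per_client[rec[1]].append((rec[0], rec[2], rec[3]))
    alerts = {}
    for client, recs in per_client.items():
        recs.sort()
        nx = [(ts, q) for ts, q, rc in recs if rc == "NXDOMAIN"]
        best = start = 0  # sliding window: most distinct NXDOMAIN names in `window`
        for end in range(len(nx)):
            while nx[end][0] - nx[start][0] > window:
                start += 1
            best = max(best, len({q for _, q in nx[start:end + 1]}))
        ratio = len(nx) / len(recs)
        if best >= min_nx and ratio >= min_ratio:
            alerts[client] = {"distinct_nxdomain": best, "total_queries": len(recs),
                              "nxdomain_ratio": round(ratio, 2)}
    return alerts
```

Typo traffic and misconfigured clients also produce NXDOMAIN, so the distinct-name count in a short window is the stronger signal; tune `min_nx` and `window` per zone.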
Manual Discovery

We can also find subdomains using Google Dorks.

site:example.com
OSINT