
Subdomain Discovery

Last modified: 2024-07-28

Finding subdomains is a method of reconnaissance.

Online Tools


Automation

Reference: How to find subdomain takeover using httpx + dig

Subfinder

To set API keys, add them to $HOME/.config/subfinder/provider-config.yaml. See ProjectDiscovery's documentation for details.

# -all: Use all sources for enumeration
# -cs: Include all sources in the output
# cut keeps only the first comma-separated field (the hostname)
subfinder -d example.com -all -cs | cut -d "," -f 1 > domains.txt
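
An added example (not from the original page or from ProjectDiscovery): a shell function that turns `-cs` output into a deduplicated, in-scope hostname inventory. It assumes each line has the form `host,[source,...]`, which is what the `cut` command above relies on; the names `clean_subdomains` and `sample_cs_output` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes `subfinder -cs` lines look like: host,[source1,source2]

# clean_subdomains ROOT < cs_output
# Prints unique, lowercased hostnames that are ROOT or end in ".ROOT".
clean_subdomains() {
    root=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cut -d ',' -f 1 |
    tr -d '\r' |
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v root="$root" '
        # Drop anything that is not a plain hostname.
        $0 !~ /^[a-z0-9._-]+$/ { next }
        $0 == root { print; next }
        # Require a dot boundary so "notexample.com" does not match.
        length($0) > length(root) + 1 &&
        substr($0, length($0) - length(root)) == ("." root) { print }
    ' |
    LC_ALL=C sort -u
}

# Constructed sample input (not real scan output).
sample_cs_output() {
    cat <<'EOF'
www.example.com,[crtsh,virustotal]
WWW.example.com,[dnsdumpster]
*.dev.example.com,[crtsh]
api-dev.example.com,[alienvault]
notexample.com,[crtsh]
example.com.attacker.test,[crtsh]
example.com,[crtsh]
EOF
}

sample_cs_output | clean_subdomains example.com
```

The filter keeps the inventory limited to the domain you are assessing: look-alike names that merely contain the root string are dropped, and wildcard or mixed-case duplicates collapse to one entry.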

BBOT

bbot -t example.com -f subdomain-enum
# After enumerating, see the result file at ~/.bbot/scans/xxxx_xxxx/subdomains.txt

Google Dorks

Use the site: operator in Google Search.

site:example.com
site:*.example.com
site:*.*.example.com

# Subdomains including hyphen ('-') e.g. api-dev.example.com
site:*-*.example.com

# Exclude 'www' domain
site:*.example.com -site:www.example.com

Subdomain Takeover

After enumerating, it’s worth checking for subdomain takeover.