Subdomain Discovery
Last modified: 2024-02-13
DNS
Reconnaissance
Finding subdomains is a method of reconnaissance.
Automation
Reference: https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4
Subfinder
To set API keys, add them to $HOME/.config/subfinder/provider-config.yaml. See https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration for details.
# -all: Use all sources for enumeration
# -cs: Include all sources in the output
subfinder -d example.com -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > domains.txt ; rm tmp.txt
BBOT
bbot -t example.com -f subdomain-enum
# After enumerating, see the result file at ~/.bbot/scans/xxxx_xxxx/subdomains.txt
Google Dorks
Use the site: parameter in Google search.
site:example.com
site:*.example.com
site:*.*.example.com
Online Tools
Subdomain Takeover
After enumerating, it's worth checking for subdomain takeover.
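One way to run that check over domains you operate, as an added example that is not part of the original page: it reads `dig +noall +answer` output and lists every CNAME whose target has no A, AAAA or CNAME record in the same output. The function names `find_dangling_cnames` and `sample_answers` are hypothetical, and the sample records are constructed from documentation names and addresses.

```shell
#!/bin/sh
# Added example: audit DNS answers for CNAMEs that point at nothing.
# Live use against your own host list (domains.txt from the step above):
#   while read -r h; do dig +noall +answer "$h" A; done < domains.txt \
#     | find_dangling_cnames

# Reads dig answer lines (owner TTL class type value) on stdin and prints
# "owner -> target" for each CNAME whose target has no record in the input.
find_dangling_cnames() {
    awk '
        # Normalise a DNS name: lower-case, strip the trailing dot.
        function norm(n) { n = tolower(n); sub(/\.$/, "", n); return n }
        NF >= 5 && $3 == "IN" {
            owner = norm($1); type = toupper($4)
            # Any of these record types means the owner name still exists.
            if (type == "A" || type == "AAAA" || type == "CNAME")
                has_record[owner] = 1
            if (type == "CNAME")
                target[owner] = norm($5)
        }
        END {
            for (o in target)
                if (!(target[o] in has_record))
                    print o " -> " target[o]
        }
    ' | sort
}

# Constructed sample in dig answer format (not real scan data).
sample_answers() {
    cat <<'EOF'
www.example.com.    300 IN CNAME web.example.net.
web.example.net.    300 IN A     192.0.2.10
shop.example.com.   300 IN CNAME old-store.example.org.
Blog.Example.com.   300 IN CNAME edge.example.net.
edge.example.net.   300 IN CNAME lb.example.net.
api.example.com.    300 IN A     192.0.2.20
EOF
}

sample_answers | find_dangling_cnames
```

A flagged name is a candidate for review, not a confirmed finding: a lookup that timed out also leaves the target without a record. Confirm the target is decommissioned, then delete the stale CNAME from the zone.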