Subdomain Discovery

Last modified: 2024-02-13

DNS Reconnaissance

Finding subdomains is a method of reconnaissance.

Automation

Reference: https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4

Subfinder

To set API keys, add them to $HOME/.config/subfinder/provider-config.yaml. See https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration for details.

# -all: Use all sources for enumeration
# -cs: Include all sources in the output
subfinder -d example.com -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > domains.txt ; rm tmp.txt
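
An added example (not from the original page or the subfinder project): a shell function that replaces the cut step above with normalization, a scope check and de-duplication, so lookalike names such as notexample.com never reach domains.txt. The helper name clean_hosts, the sample lines and the host,[sources] line layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example: clean `subfinder -cs` output into a de-duplicated, in-scope list.
# Assumed line layout (what the cut step above relies on): host,[source1,source2]

# clean_hosts ROOT_DOMAIN   (hypothetical helper; reads lines on stdin)
clean_hosts() {
  awk -F',' -v root="$1" '
    BEGIN { root = tolower(root); suffix = "." root; m = length(suffix) }
    {
      host = tolower($1)
      gsub(/[ \t\r]/, "", host)    # stray whitespace / CR from edited files
      sub(/^\*\./, "", host)       # wildcard entry -> its base name
      sub(/\.$/, "", host)         # trailing root dot
      if (host !~ /^[a-z0-9._-]+$/) next          # hostname characters only
      n = length(host)
      # In scope only if it is the root or ends in ".<root>"; a plain
      # substring match would also accept notexample.com.
      if (host != root && (n <= m || substr(host, n - m + 1) != suffix)) next
      print host
    }' | LC_ALL=C sort -u
}

# Constructed sample input, not real scan output.
sample_subfinder_output() {
  cat <<'EOF'
www.example.com,[crtsh,virustotal]
WWW.Example.com,[hackertarget]
*.dev.example.com,[crtsh]
api.example.com.,[dnsdumpster]
notexample.com,[crtsh]
example.com.evil.test,[crtsh]
example.com,[crtsh]
EOF
}

# Real use: subfinder -d example.com -all -cs | clean_hosts example.com > domains.txt
sample_subfinder_output | clean_hosts example.com
```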

BBOT

bbot -t example.com -f subdomain-enum
# After enumerating, see the result file at ~/.bbot/scans/xxxx_xxxx/subdomains.txt

Google Dorks

Use the site: operator in Google search.

site:example.com
site:*.example.com
site:*.*.example.com

Online Tools


Subdomain Takeover

After enumerating, it’s worth checking for subdomain takeover.