Discovering subdomains

Early in a pentest it may be helpful to enumerate all the subdomains of a domain in scope. This article lists some tools that do that.

Tools

• altdns
• amass
• anubis
• aquatone
• bluto
• censys-subdomain-finder
• Cleveridge Subdomain Scanner
• ct-exposer
• DMitry
• dnscan
• dnsenum.pl
• dnsrecon
• Domain analyzer
• DomainRecon
• Fierce
• Fierce
• findomain
• gobuster
• Knockpy
• ldns-walk
• massdns
• nmap dns-brute
• nsec3walker
• recon-ng
• subbrute
• subEnum
• SubFinder
• Sublist3r
• subquest
• SubScraper
• xray

Websites

• crt.sh
• DNSDumpster
• Entrust Certificate Transparency Search Tool
• FindSubDomains
• Robtex
• SecurityTrails
• VirusTotal

Datasets

• Certificate transparency logs
• SecLists brute-force lists
• Sonar forward DNS

Discovering domains

I most often use Sublist3r to enumerate subdomains. If I want something custom, I write a loop in bash:

for i in `seq 1 100`; do host server$i.example.com; done

Keeping secret domains secret

If you are working for a client, keep in mind that some tools may expose the found domain names. Earlier versions of Anubis, for example, would send all found domains to a central database. Also, querying for a domain on a website such as VirusTotal may expose that domain to others.

Don’t write another tool

As you can see, the list above is pretty long. If you are thinking about building yet another tool, consider contributing to any of the listed projects intead.