Discovering the subdomains of a domain is an essential part of security reconnaissance, and the following online tools make it much easier.

An unsecured subdomain can pose a serious risk to your business, and there have recently been security incidents where the attacker took advantage of subdomains.

The most recent was Vine, whose entire source code could be downloaded from an exposed, vulnerable subdomain.

If you are a website owner or security researcher, you can use the following tools to find the subdomains of any domain.

Subdomains Lookup Tools

Subdomains Lookup tools by WhoisXML API let users find a domain name's subdomains easily. The subdomains product line is fueled by a comprehensive repository that includes 2.3+ billion subdomain records, with 1+ million subdomains added daily.

The tools let you research any target domain name and reveal the list of all subdomains found for it, with timestamps of the first time each record was seen and of its last update.

The product line includes:

  • An API with output in XML and JSON formats for easy integration
  • A data feed with files available in a unified, consistent CSV format, updated on both a daily and a weekly basis. Download the CSV sample to test the data in your environment
  • A GUI lookup tool that creates reports with shareable links

Check this product sheet to learn how WhoisXML API's subdomain data can match specific data requirements.

DNS Dumpster

DNSDumpster is a domain research tool for discovering host-related information. It is a HackerTarget.com project.

Not just subdomains: it also gives you information about DNS servers, MX records, TXT records, and an excellent map of your domain.

NMMAPPER

An online tool to find subdomains using Anubis, Amass, DNScan, Sublist3r, Lepus, Censys, etc.

I tried NMMAPPER for one of the domains, and the results were accurate. Go ahead and give it a try for your research work.

Sublist3r

Sublist3r is a Python tool to find subdomains using search engines. Currently, it supports Google, Yahoo, Bing, Baidu, Ask, Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and PassiveDNS.

Sublist3r is supported only on Python 2.7 and has a few library dependencies.

You can use this tool on Windows, CentOS, Red Hat, Ubuntu, Debian, or any other UNIX-based OS. The following example is from CentOS/Linux.

  • Log in to your Linux server
  • Download the latest Sublist3r
          wget https://github.com/aboul3la/Sublist3r/archive/master.zip
  • Extract the downloaded file
          unzip master.zip
  • It will create a new folder called "Sublist3r-master"

As mentioned earlier, it has the following dependencies, which you can install using a yum command.

          yum install python-requests python-argparse        

Now you are ready to discover subdomains using the following command.

          ./sublist3r.py -d yourdomain.com

As you can see, it did discover my subdomains.

Netcraft

Netcraft has a large number of domain databases, and you don't want to miss it when looking for public subdomain information.

The search result will contain all the domains and subdomains with first-seen date, netblock, and OS information.

If you need more information about the website, click on the site report, and you will be given a wealth of information about technologies, ranking, etc.

Detectify

Detectify can scan subdomains against hundreds of pre-defined words, but you can't do this on a domain you don't own.

However, if you are an authorized user, you can enable subdomain discovery in the overview under settings.

SubBrute

SubBrute is one of the most popular and accurate subdomain enumeration tools. It's a community-driven project, and it uses open resolvers as a proxy, so SubBrute doesn't send traffic to the domain's name servers.

It's not an online tool; you need to install it on your computer. You can use Windows or a UNIX-based OS, and installation is very easy. The following demonstration is based on CentOS/Linux.

  • Log in to your CentOS/Linux system
  • Download the latest SubBrute
          wget https://github.com/TheRook/subbrute/archive/master.zip
  • Unzip the downloaded zip file
          unzip master.zip

It will create a new folder called "subbrute-master". Go inside the folder and execute subbrute.py with the domain.

          ./subbrute.py yourdomain.com

It will take a few seconds and return any subdomains found.

Knock

Knock is another Python-based subdomain discovery tool, tested with Python 2.7.6. It finds the subdomains of a target domain using a wordlist.

  • You can download and install it on a Linux-based OS.
          wget https://github.com/guelfoweb/knock/archive/knock3.zip
  • Extract the downloaded zip file with the unzip command
          unzip knock3.zip
  • It will extract and create a new folder, "knock-knock3"
  • Go inside this folder and install with the following command
          python setup.py install

Once installed, you can scan for subdomains as follows:

          ./knockpy.py yourdomain.com

DNSRecon on Kali Linux

Kali Linux is an excellent platform for security researchers, and you can use DNSRecon on Kali without installing anything.

It checks all NS records for zone transfers, overall DNS records, wildcard resolution, PTR records, etc.

To use DNSRecon, execute the following, and you are done.

          dnsrecon -d yourdomain.com
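The wordlist approach that Knock and SubBrute use, together with the wildcard-resolution check DNSRecon performs, combined in one added Python example (not code from any of those tools). The resolver is passed in as a callable so the logic runs offline against a constructed sample zone; `resolve_system` is the assumed real-DNS version for auditing a domain you own.

```python
"""Wordlist-based subdomain discovery with wildcard filtering (added example)."""
import secrets
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # hostname -> set of IPs (empty if no answer)

def resolve_system(name: str) -> Set[str]:
    """Resolve with the OS resolver; use this against a domain you own."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def wildcard_ips(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels; any answer means the zone has a wildcard record."""
    ips: Set[str] = set()
    for _ in range(probes):
        ips |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return ips

def enumerate_subdomains(domain: str, words: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {fqdn: ips} for wordlist candidates whose answer differs from the
    wildcard answer; without this filter every word in the list would 'exist'.
    Caveat: a real host sharing the wildcard IP is dropped as well (see 'dev')."""
    wild = wildcard_ips(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if ips and ips != wild:
            found[fqdn] = ips
    return found

# Constructed sample zone (not real data): *.example.com resolves to 203.0.113.9
SAMPLE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "dev.example.com": {"203.0.113.9"},  # real host behind the wildcard IP
}

def sample_resolver(name: str) -> Set[str]:
    """Offline stand-in for DNS: explicit records first, else the wildcard answer."""
    if name in SAMPLE_ZONE:
        return set(SAMPLE_ZONE[name])
    return {"203.0.113.9"} if name.endswith(".example.com") else set()

def demo() -> Dict[str, Set[str]]:
    words = ["www", "mail", "dev", "staging", "vpn"]
    return enumerate_subdomains("example.com", words, sample_resolver)
```

Running demo() keeps only www and mail: staging and vpn are wildcard noise, and dev is lost because its address matches the wildcard, which is why the tools above also compare other record types before trusting a hit.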
Pentest-Tools

Pentest-Tools searches for subdomains using multiple methods, such as DNS zone transfer, DNS enumeration based on a wordlist, and public search engines.

You can save the output in PDF format.

MassDNS

If you want to resolve domain names in bulk, MassDNS is the tool for you. It can resolve over 350,000 domain names per second! It uses publicly available resolvers and is suited for people who want to resolve millions or even billions of domain names.

One issue you may face while using this tool is that it may increase the load on public resolvers and lead to your IP address being flagged for abuse. Therefore, this tool must be used with caution.

OWASP Amass

Amass was created to help information security professionals perform network mapping of attack surfaces and external asset discovery.

The tool is entirely free to use, and its users include the leading IT company Accenture.

Conclusion

By using the above tools, I hope you will be able to discover the subdomains of the target domain for your security research. You may also want to try an online port scanner.

If you are interested in learning ethical hacking, check out this course.