How can I find subdomains of a site?
One of the things I need to do from time to time is find the subdomains of a site, for example:
Starting with example.com
I'm looking for any additional ways to perform recon on these targets and I want to get a list of all the subdomains of a domain.
I'm currently doing a number of things including
- using maltego to crawl for info
- Using search engines to search for subdomains
- crawling site links
- Examining DNS records
- Examining incorrectly configured SSL certificates
- Guessing things like 'vpn.example.com'
I reckon there are more than the ones I've found so far, but now I'm out of ideas.
There is another post on Stack Overflow that's quite good: [List of Subdomains](http://stackoverflow.com/questions/131989/how-do-i-get-a-list-of-all-subdomains-of-a-domain)
I would try it with knock (http://code.google.com/p/knock/) but watch out: there is a risk of being blacklisted.
There's a Python script called subdomainer.py that should be able to help you out... Have a search on Google.
FYI it can be found on the edge-security.com website, but the old link posted on the SecurityTube wiki page is dead (albeit it does have a usage example, which is of course defined in `usage()` anyway). Judging by the source code, what it does is collate data from three major search engines (Yahoo, MSN, Google) and a website that is obscure to me, `pgp.rediris.es`, which seems to be an email scraper.
As a pentester, being able to find the subdomains for a site comes up often. So I wrote a tool, SubBrute, that does this quite well, if I do say so myself. In short, this is better than other tools (fierce2) in that it's a lot faster, more accurate and easier to work with. This tool comes with a list of real subdomains obtained from spidering the web. This subdomain list is more than 16 times the size of fierce2's, and subbrute will take about 15 minutes to exhaust this list on a home connection. The output is a clean newline-separated list that is easy to use as the input for other tools like nmap or a web application vulnerability scanner.
@D3C4FF I don't know, I haven't used knock; I'll have to check that out. I expect that the subdomain brute force feature is better than knock.
@Rook but knock has the ability to try domain transfers (even if you need some luck to get one).
@Dr.Ü yes, I will add that simple feature. But as you said, it doesn't work all of the time. As a note, subbrute has more code and is more complex without the addition of domain transfers.
All glory be to Rook. I used the tool in a live test today and it worked like a charm. It only missed one out of two dozen subdomains, which was named *mywebreading*.
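The wordlist guessing described in the question ("vpn.example.com") and in the SubBrute answer, as an added example that is not code from SubBrute, knock or any other tool named here: each candidate label is resolved under the domain, and a random label is probed first so that a wildcard DNS record does not turn every guess into a false positive. The resolver is pluggable; the embedded zone data for example.com is constructed so the script runs offline, while `default_resolve` does a real lookup with the standard library when you want to inventory a domain you administer.

```python
import random
import socket
import string

def default_resolve(name):
    """Resolve a hostname to a sorted list of IP addresses; [] if it does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def wildcard_answers(domain, resolve, probes=2):
    """Return the addresses a wildcard record hands back for random labels.
    An empty set means no wildcard was detected."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        found.update(resolve(f"{label}.{domain}"))
    return found

def enumerate_subdomains(domain, words, resolve=default_resolve):
    """Try each word as a label under domain and return the names that resolve.
    Names whose only addresses are the wildcard's answers are dropped, since they
    would otherwise make every guess in the wordlist look like a hit."""
    wildcard = wildcard_answers(domain, resolve)
    hits = []
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if addrs and not set(addrs) <= wildcard:
            hits.append(name)
    return hits

# Constructed sample data so the example runs offline: a fake DNS view of
# example.com with a wildcard answering 203.0.113.9 for anything, plus three
# real hosts (documentation address ranges, not real infrastructure).
FAKE_ZONE = {
    "www.example.com": ["198.51.100.10"],
    "vpn.example.com": ["198.51.100.20"],
    "mail.example.com": ["198.51.100.30", "203.0.113.9"],
}

def fake_resolve(name):
    return FAKE_ZONE.get(name, ["203.0.113.9"] if name.endswith(".example.com") else [])

if __name__ == "__main__":
    wordlist = ["www", "mail", "vpn", "dev", "ftp"]
    print("\n".join(enumerate_subdomains("example.com", wordlist, fake_resolve)))
```

The output is the same newline-separated list format the SubBrute answer describes, so it can be piped into other tools; "dev" and "ftp" are suppressed because they only return the wildcard address.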