How can I find subdomains of a site?

  • One of the things I need to do from time to time is to find subdomains of a site for example.

    Starting with


    I'm looking for any additional ways to perform recon on these targets and I want to get a list of all the subdomains of a domain.

    I'm currently doing a number of things inlcuding

    • using maltego to crawl for info
    • Using search engines to search for subdomains
    • crawling site links
    • Examining DNS records
    • Examining incorrectly configured SSL certificates
    • Guessing things like ''

    I reckon there are more than the ones i've found so far, but now I'm out of ideas.

    There is another post on stackoverflow that's quite good: [List of Subdomains][1] [1]:

    Then there is only one way - do it like maltego: make educated guesses...

    I would try it with knock ( but watch out: there is a risk of being blacklisted.

    There's a python script called that should be able to help you out... Have a search on google

    FYI it can be found on the website, but the old link posted on SecurityTube wiki page is dead (albeit it does have usage example which is of course defined in `usage()` anyway). Judging by source code, what it does is it collates data from three major search engines (yahoo, msn, google) and to me obscure website `` that seems to be an email scrapper.

    You could even ask google! But this won't be a complete list!

  • rook

    rook Correct answer

    8 years ago

    As a pentester being able to find the subdomains for a site comes up often. So I wrote a tool, SubBrute that does this quite well if I do say so my self. In short, this is better than other tools (fierce2) in that its a lot faster, more accurate and easier to work with. This tool comes with a list of real subdomains obtained from spidering the web. This subdomain list is more than 16 times the size of fierce2 and subbrute will take about 15 minutes to exhaust this list on a home connection. The output is a clean newline separated list, that is easy to use as the input for other tools like nmap or a web application vulnerability scanner.

    Awesome, i'll check it out. Any idea how well it compares to 'knock'?

    @D3C4FF idk i haven't used knock, i'll have to check that out. I expect that the subdomain brute force feature is better than knock.

    @D3C4FF knock is crap.

    @Rook but knock have the ability to try domaintransfers (even you need some luck to get one)

    @Dr.Ü yes I will add that simple feature. But as you said, it doesn't work all of the time. As a note subbrute has more code, and is more complex without the addition of domain transfers.

    All glory be to Rook. I used the tool in a live test today and it worked like a charm. It only missed one out of two dozen sub domains which was named *mywebreading*

    @D3C4FF hell yeah, I'm glad it did the trick ;)

    @Rook just a quick idea regarding subbrute, add the option to resolve (and print out) the IP address from the found hostnames as well. I made that change and it helped with a few tests where certain ranges were out of scope even though they were subdomains. Thanks again!

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM