How to Perform Subdomain Enumeration: Top 10 Tools (2024)

Are you wondering about the best way to find subdomains?

Learning how to perform subdomain enumeration is crucial, especially if you're part of a penetration testing engagement or doing reconnaissance as part of a bug bounty.

This isn't just a technical task; it's a way to look into a domain's structure. Unveiling hidden subdomains could be key to assessing a wider attack surface.

This article will briefly explain subdomains and why they are important and should not be ignored.

Finally, we will introduce you to tools designed to conduct subdomain enumeration. We will demo tools you can use via the command line or web. Most will be passive, while a couple are classified as active.

Let’s begin.

Table Of Contents

  1. The Importance of Subdomain Enumeration in an Engagement
  2. The Best Subdomain Enumeration Tools
  3. How to Perform Subdomain Enumeration
  4. Conclusion
  5. Frequently Asked Questions

The Importance of Subdomain Enumeration in an Engagement

Why is subdomain enumeration an important part of recon in an engagement? Before answering this question, let’s briefly talk about what subdomains are.

What Are Subdomains?

A subdomain is the part of a domain before the registered domain name. For instance, in "mail.example.com," "mail" is the subdomain, and "example.com" is the registered domain.

Subdomains allow owners to delegate control of different parts of their domain to different people or applications. For example, they could have "support.example.com" and "blog.example.com" as separate subdomains with separate purposes.

A subdomain always consists of at least one hostname label placed in front of the registered domain. Common labels used for subdomains include "www," "mail," "vpn," "dev," "admin," etc.

Using subdomains can help organize larger or multiple domains and divide them logically for users. For example, many organizations use specific subdomains like "careers.example.com" to list job opportunities and provide the ability to apply online, or "dev.example.com," where companies may stage or test new website functionality in development.

Subdomains can function similarly to independent valid domains regarding hosting and DNS configurations. They have DNS records, directing them to unique IP addresses or specific server directories.

Why Look For Subdomains?

Let’s discuss the importance of performing subdomain enumeration.

When engaging in a penetration test, you must follow a methodology that includes the steps you need to perform and in which order to perform them.

The process typically begins with initial planning and preparation, followed by the second crucial step: reconnaissance. This phase involves gathering as much information as possible about the target and laying the groundwork for subsequent technical steps.

One of the key elements when working on a web or external/internal penetration test is subdomain enumeration. Enumeration is the process of identifying all the subdomains associated with a company's domain.

This same methodology can be helpful when doing recon for bug bounties.

So, what are some important aspects of performing this type of enumeration?

It expands the attack surface.

Any subdomains discovered become new potential vectors for attack. Finding more subdomains means more angles from which to test for vulnerabilities. Things like administrative interfaces, test servers, or other apps may run on subdomains.

It reveals more information.

Each subdomain provides more information about the target organization's domain structure, technologies used, naming conventions, etc. This information helps you build a more accurate profile of the target environment.

It helps bypass security controls.

Some penetration testing activities may get blocked or detected by outward-facing web application firewalls or intrusion detection systems. If more relaxed security is placed on certain internal or obscure subdomains, you may be able to leverage those to bypass certain controls.

It uncovers hidden assets.

In some engagements, the client may not have provided you with a full scope of all Internet-facing assets. Enumerating subdomains can reveal web apps, servers, databases, or other assets the client was unaware of. Finding these alerts the client about the assets they need to protect.

The Best Subdomain Enumeration Tools

What tools are available that perform subdomain enumeration? Here are ten highly effective options.

1. Google Dorking

Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains. It’s a way of leveraging Google's indexing to discover subdomains that are publicly accessible or have been indexed by Google at some point​​.

Explore the Power of Google Dorking

Google Dorks Cheat Sheet: How to Hack Using Google

The Top 15 Google Dorking Commands You Need To Know

2. Sublist3r

A Python-based tool designed to enumerate subdomains using OSINT. Sublist3r gathers information from various search engines and third-party services like VirusTotal and ReverseDNS​​.

3. Amass

Amass is an in-depth attack surface mapping and asset discovery tool. It can operate in both passive and active modes. In passive mode, it aggregates data from various public sources​​. It can also connect to outside services using API keys.

4. Recon-ng

A full-featured reconnaissance framework with API integration, similar in look and feel to the Metasploit Framework, aimed at reducing the time spent on a reconnaissance phase. Recon-ng has various modules, including those for finding subdomains, though its primary use isn't limited to subdomain enumeration.

5. SubDomainizer

SubDomainizer is primarily designed to uncover hidden subdomains associated with a given URL. It does this by analyzing the page's inline and external JavaScript files and searching them for any references to subdomains. It can also identify URLs related to various cloud storage services.

6. Pentest Tools Subdomain Finder

Part of the suite provided by Pentest Tools, this tool specifically focuses on discovering subdomains of a given domain. It's a web-based service that gathers data from various public sources.

7. crt.sh

A simple yet powerful tool that leverages certificate transparency logs to find subdomains. crt.sh searches SSL/TLS certificates to find domain names and subdomains, providing an extensive list based on certificates issued​​.

8. Shodan

Shodan is not a traditional subdomain enumeration tool but can be used to discover subdomains hosting internet-facing services. It scans the internet and indexes information from exposed devices and services, which can include subdomain information.

9. PureDNS

A domain resolver and subdomain brute forcing tool that efficiently handles wildcard subdomains and avoids DNS poisoning. PureDNS is primarily used for actively querying DNS servers to resolve or brute force subdomains.

10. ffuf (Fuzz Faster U Fool)

ffuf is a fast web fuzzer written in Go and used for brute forcing. It can discover subdomains by brute forcing them with a given wordlist. It's an active tool that directly sends requests to the target's servers.

How to Perform Subdomain Enumeration

Let's show you how some of the above tools can be used to find subdomains.

For our demos, we are using only domains that are part of a public bug bounty program and where subdomains are part of the scope per program policies.

Ensure you only use these tools on domains you are allowed to test on. Before beginning testing, ensure you thoroughly read and understand program authorization and out-of-scope rules.

If you're conducting a penetration test, it's imperative that you fully understand and adhere to the rules of engagement, which outline the scope, boundaries, and permissible methods of your testing activities.

Some of the following tools require you to download and run them locally from your machine. Operating systems like Kali Linux or Parrot OS are often preferred for this purpose due to their collection of pre-installed tools.

Google Dorking

One of the simplest ways to start looking for subdomains is by using Google, specifically a Google Dork. We will use the following dork for our demo to find subdomains associated with our target.

site:*.domain.com -www

Let’s break it down.

site:domain.com: This part of the dork tells Google to search only within domain.com.

The asterisk (*): This is a wildcard that matches any subdomain of domain.com, so results are restricted to hosts like subdomain.domain.com.

-www: This part excludes any results containing www. The minus sign (-) is used to negate a search term, so in this case, it filters out results that include www.

Sublist3r

Sublist3r is a user-friendly tool that offers customization through various flags. These allow for functionalities like saving results to a file or scanning discovered subdomains for specific TCP ports.

To search for subdomains of a specific domain, we use the following command with the '-d' flag to denote the target domain for enumeration.

sublist3r -d domain.com

Amass

Another tool to have in your arsenal is OWASP’s Amass. It can be a very powerful tool to help you locate information. For our demo, we are only showing you the most basic usage of its functionality. As mentioned above, it can connect to other services with its API integration, making it even better.

Simply enter amass enum -passive -d domain.com -o subdomains.txt, which saves the output to a file.

Once you have your output file (subdomains.txt from the command above), you can clean it up with sed and grep to create a nice list of subdomains for further recon. The sed expression strips any ANSI colour codes, the grep pattern pulls out every hostname that ends in .com (adjust the TLD group if your target uses a different one), and sort -u removes duplicates.

sed 's/\x1b\[[0-9;]*m//g' subdomains.txt | grep -oP '(?<![^\s])[a-zA-Z0-9.-]*\.(com)' | sort -u > cleaned_subdomains.txt

Recon-ng

Recon-ng, the all-in-one reconnaissance tool for OSINT, can perform various tasks, including gathering emails. However, in this instance, we will focus on using it to identify subdomains. We will quickly walk you through setting it up to perform this task.

Start Recon-ng from the command line with:

recon-ng

From this point, let’s continue with the default workspace. Our next task is to install the module we need to use, and you can search for it with the command:

marketplace search

The one we are interested in is hackertarget.

Ours is already installed. To install the module, simply enter marketplace install hackertarget. To load the module and begin using it, enter modules load hackertarget.

Now we can quickly set up the module and enumerate subdomains. To check what options need to be set, enter info. For this module, you only need to set the SOURCE option, which is the domain you want to enumerate.

options set SOURCE domain.com

Then type run.

Once the scan finishes, you can enter show hosts, and you will be presented with all the subdomains found.

SubDomainizer

SubDomainizer is a tool that not only performs subdomain enumeration but can also find other secrets, such as API keys. It’s an easy-to-use tool with simple syntax to get it up and running. Simply enter the following command to get a nice clean list of subdomains.

python3 SubDomainizer.py -u https://www.domain.com

Pentest Tools Subdomain Finder

A simple web-based tool that allows you to do subdomain enumeration quickly. You can perform scans without an account, but if you want access to more scans and more tools, they do have a free account you can sign up for.

Enter your desired domain here, and it will perform a light scan.

You will then be presented with your results.

crt.sh

Here is a simple way to gather subdomains by utilizing certificate transparency. This approach is based on the principle that publicly trusted SSL/TLS certificates are logged and made publicly accessible, so every hostname that ever appeared in one, including ones that are no longer in use, can be looked up.

Simply head to crt.sh and enter your domain.

Select “Search” to generate a list of subdomains for your target domain. For command-line enthusiasts, similar functionality can be accessed using tools like CTFR.
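The same certificate transparency data can be pulled into a script instead of read off the web page. The following is an added example, not code from the original article or from crt.sh itself; it assumes crt.sh's JSON endpoint (https://crt.sh/?q=%25.example.com&output=json) and the record fields "common_name", "name_value" and "not_after" that it returns. SAMPLE_CRTSH_JSON is a constructed stand-in for that output so the parsing runs offline; it covers the cases that trip up a naive "grep for the domain" approach: newline-separated SAN lists, wildcard certificates, mixed case, trailing dots, expired certificates, and look-alike names such as example.com.evil.test that merely contain the target domain.

```python
"""Turn crt.sh JSON output into a clean, de-duplicated subdomain list.

Added example; this is not code from the original article or from crt.sh.
It assumes crt.sh's JSON endpoint (https://crt.sh/?q=%25.<domain>&output=json)
and the record fields it returns ("common_name", "name_value", "not_after").
SAMPLE_CRTSH_JSON below is constructed to look like that output; nothing is
fetched unless you run the script directly with a domain argument.
"""
import json
import re
import sys
import urllib.request
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output. Real records carry
# extra fields (id, issuer_ca_id, entry_timestamp, ...) which are ignored here.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",           # SAN list, newline separated
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "*.example.com",                          # wildcard certificate
     "name_value": "*.example.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "MAIL.Example.com",                       # mixed case is normal in CT data
     "name_value": "MAIL.Example.com\nwebmail.example.com.",  # trailing dot is also seen
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "old-vpn.example.com",                    # expired: stale or decommissioned host
     "name_value": "old-vpn.example.com",
     "not_after": "2019-05-01T00:00:00"},
    {"common_name": "example.com.evil.test",                  # contains the domain but is NOT a subdomain
     "name_value": "example.com.evil.test",
     "not_after": "2030-01-01T00:00:00"},
])

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host: str) -> bool:
    """RFC 1123-style check: 1-63 char labels, no leading/trailing '-', <= 253 chars total."""
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def extract_subdomains(json_text, domain, include_expired=False, now=None):
    """Return (subdomains, wildcards): sorted unique hostnames under `domain`
    seen in certificate CNs and SANs, plus the wildcard names encountered.

    Expired certificates are skipped unless include_expired=True. For an asset
    inventory you usually want them as well: they name hosts that once existed
    and may still resolve.
    """
    now = now or datetime.now()
    suffix = "." + domain.lower().rstrip(".")
    found, wildcards = set(), set()
    for rec in json.loads(json_text):
        not_after = datetime.fromisoformat(rec["not_after"])
        if not include_expired and not_after < now:
            continue
        names = set(rec.get("name_value", "").split("\n"))
        names.add(rec.get("common_name", ""))
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]            # record the wildcard, then treat its base as a candidate
            if not name.endswith(suffix):  # drops the apex itself and look-alikes like example.com.evil.test
                continue
            if is_valid_hostname(name):
                found.add(name)
    return sorted(found), sorted(wildcards)


def fetch_crtsh(domain: str) -> str:
    """Query crt.sh for every certificate matching %.domain (network access required)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    raw = fetch_crtsh(target) if len(sys.argv) > 1 else SAMPLE_CRTSH_JSON
    subs, wild = extract_subdomains(raw, target, include_expired=True)
    print("\n".join(subs))
    if wild:
        print("wildcard certificates seen:", ", ".join(wild), file=sys.stderr)
```

Run without arguments to see the constructed sample parsed; run with a domain you are authorised to assess to query crt.sh for real. Note that a wildcard certificate such as *.example.com tells you nothing about which hosts exist beneath it, which is why the wildcards are reported separately rather than counted as subdomains.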

Shodan

Shodan can locate subdomains and offers both web-based and command-line interfaces. To find subdomains using the web interface, visit https://www.shodan.io/domain/domain.com, replacing “domain.com” with the domain you are investigating.

To use Shodan from the command line, type shodan domain domain.com, replacing domain.com with the domain you wish to search.

For guidance on setting up Shodan and exploring its other features, see How to Use Shodan for Pentesting: A Step-By-Step Guide.

PureDNS

PureDNS can perform fast subdomain enumeration by issuing thousands of simultaneous DNS requests per second through public resolvers. To find subdomains, enter puredns bruteforce mywordlist.txt -r resolvers.txt domain.com -l 5000.

The command instructs PureDNS to conduct a brute force subdomain enumeration for domain.com, using a list of potential subdomain names from mywordlist.txt and performing DNS lookups through a set of DNS resolvers provided in resolvers.txt. It limits the rate of DNS queries to 5000 per second.

Once complete, you will be shown the output.
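PureDNS's wildcard handling, mentioned in the tool list above, matters more than it sounds: a zone with a record like *.example.com answers for every name, so a naive brute force "finds" every word in the list. The following is an added example, not PureDNS's own code, showing the detection logic a brute-forcer needs and doubling as the "is it alive?" check you run on any subdomain list. The resolver is injected so it runs offline against CONSTRUCTED_ZONE (a made-up zone); system_resolve is the real-DNS variant for use against domains you are authorised to test.

```python
"""Wildcard-aware liveness check for brute-forced subdomain candidates.

Added example, not PureDNS's own code. It shows why a brute-forcer must detect
wildcard DNS: with "*.example.com -> 203.0.113.99" every wordlist entry resolves
and the output is all false positives. The resolve() function is injected so the
example runs offline against a constructed zone; pass system_resolve for real DNS.
"""
import random
import socket
import string

# Constructed zone (not real DNS data): three real records; the fake resolver
# below can optionally answer everything else with a wildcard IP.
CONSTRUCTED_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.20"],
    "dev.example.com": ["203.0.113.99"],  # real host that shares the wildcard IP (see caveat)
}


def make_fake_resolver(wildcard_ips=None):
    """Return a resolve(host) -> [ip, ...] function backed by CONSTRUCTED_ZONE."""
    def resolve(host):
        if host in CONSTRUCTED_ZONE:
            return list(CONSTRUCTED_ZONE[host])
        if wildcard_ips and host.endswith(".example.com"):
            return list(wildcard_ips)   # wildcard record answers for any other name
        return []                       # NXDOMAIN
    return resolve


def system_resolve(host):
    """Real resolver: list of A records, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels that no wordlist would contain. If every probe gets
    an answer the zone has a wildcard; return the union of IPs it answered with."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()  # a random name got NXDOMAIN: no wildcard in this zone
        seen.update(ips)
    return seen


def check_alive(domain, candidates, resolve):
    """Resolve each candidate label and split the results into:
    alive      - resolves to something the wildcard does not answer with
    suppressed - resolves only to wildcard IPs (indistinguishable from noise)
    """
    wildcard_ips = detect_wildcard(domain, resolve)
    alive, suppressed = [], []
    for label in candidates:
        host = f"{label}.{domain}"
        ips = set(resolve(host))
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            suppressed.append(host)
        else:
            alive.append(host)
    return alive, suppressed, wildcard_ips


if __name__ == "__main__":
    words = ["www", "mail", "dev", "admin", "staging"]
    for resolver in (make_fake_resolver(["203.0.113.99"]), make_fake_resolver(None)):
        alive, suppressed, wild = check_alive("example.com", words, resolver)
        print("wildcard IPs:", sorted(wild) or "none")
        print("alive:", alive)
        print("suppressed:", suppressed)
```

The caveat is visible in the constructed zone: dev.example.com is a real record, but because it answers with the same IP as the wildcard it is suppressed along with the junk. DNS alone cannot separate the two, which is why the next step after resolution is an HTTP-level check (ffuf with response filtering, for example) rather than trusting the resolver's answer.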

ffuf

The final tool on our list is ffuf, which, similar to PureDNS, employs a more active approach to enumeration. It takes a given wordlist and checks each entry by making HTTP/S requests, thereby determining which subdomains exist.

You can use the following command, which will fuzz for subdomains, save the output file as HTML, and set a delay of two seconds between requests.

ffuf -w wordlist -u https://FUZZ.domain.com -of html -o result -p 2

Conclusion

You should now understand how to perform subdomain enumeration and which tools you can use.

Once you have your list of subdomains, your next step should be to check which ones are active or “alive.” After confirming which subdomains are valid, you can proceed to the scanning phase, where you'll conduct more in-depth enumeration and analysis of these subdomains.

If you want to enhance your cyber security career, join our Accelerator program today. Learn more about penetration testing or bug bounties with some of our courses and take advantage of other perks, such as our career roadmap.


Frequently Asked Questions

What is the best tool for subdomain enumeration?

There is no one best tool for subdomain enumeration. Each tool has its benefits, and a well-rounded approach includes using many tools and is the key to successfully finding as many subdomains as possible.

Is subdomain enumeration passive or active?

This depends on what tool or technique you are using. Most subdomain enumeration is classified as passive as it doesn’t interact with the target in any way. Tools like Sublist3r, crt.sh, and Google Dorking are passive tools, while Amass can operate passively and actively. Tools like ffuf or PureDNS actively interact with the target.

Can Nmap perform subdomain enumeration?

Nmap can perform a form of subdomain enumeration using the DNS brute script, part of its Nmap Scripting Engine (NSE). The “dns-brute” script is specifically designed to enumerate DNS subdomains by trying each entry from a wordlist of known subdomains and seeing if they resolve.

Richard Dezso

Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

FAQs

What is a subdomain enumeration tool?

Subdomain enumeration is the process of listing out all the valid subdomains that are part of the larger domain.

Is subdomain enumeration legal?

Active subdomain enumeration is resource-intensive and may have legal and ethical implications, since sending a large number of requests to a target domain is required. Because of its intrusive nature, active subdomain enumeration may trigger security alerts.

What is an example of a subdomain?

While a subdomain will appear before your TLD, a subdirectory link will include the subdirectory name after the original TLD. For example: Subdomain example: mysubdomain.mywebsite.com. Subdirectory example: mywebsite.com/mysubdirectory.

What is active subdomain enumeration?

Active subdomain enumeration involves actively interacting with the target domain to enumerate (i.e., identify and list) its subdomains.

Why are subdomains bad for SEO?

One disadvantage of using subdomains for SEO is that they are treated as separate entities by search engines, which can dilute the overall authority of your main site. Additionally, managing content on subdomains can be more complex than on a subdirectory, as it requires separate hosting and maintenance.

What is the best use of subdomains?

Typically, subdomains are used if there is content that is distinct from the rest of the site. For example, blog.examplesite.com and shop.examplesite.com are subdomains of www.examplesite.com.

Which SSL is best for subdomains?

Subdomains and Their Levels

If you have subdomains at different levels, you should choose multi-domain SSL. If you have a single domain and multiple subdomains at the same level, Wildcard SSL is best-suited.

What is subdomain hijacking?

It's a cyber threat executed when an attacker gains control of a legitimate subdomain that's no longer in use, then exploits the forgotten or misconfigured dangling DNS record to host their own content on the previously used name.

How many subdomains can a subdomain have?

Characteristics and Parameters of a Subdomain

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as store.product.yoursite.com, test.forum.yoursite.com, etc. Each subdomain can be up to 255 characters long, but for multi-level subdomains, each level can only be 63 characters long.

What are the risks of subdomains?

Websites that use multiple subdomains risk exposing themselves to cyberattacks. Subdomain takeovers can lead to data breaches and reputational damage. However, these risks can be minimized with the right strategies, and your organization can stay protected.

Who owns a subdomain?

Let's say you are making a pitch to a client to create their new website. You can create a subdomain that is specifically intended for them to give an idea of what their new website might look like. This is hosted on your own main domain, while retaining ownership of the subdomain.

Do subdomains have DNS records?

A subdomain is a type of DNS record that adds a prefix to your domain, such as blog.mycoolnewbusiness.com. You can create a subdomain that uses an IP address by adding an A record to your DNS zone file. If you need a subdomain that connects to another domain name, you'll need to add a CNAME record instead.

Does Google Domains offer subdomains?

Select the domain you want to add subdomains to. Go to the DNS tab. Click on "Add record." Choose the type of DNS record you need for your subdomain (usually A or CNAME).

What is the purpose of a subdomain?

A subdomain is, as the name would suggest, an additional section of your main domain name. You create subdomains to help organize and navigate to different sections of your main website. Within your main domain, you can have as many subdomains as necessary to get to all of the different pages of your website.

What is the difference between DNS and subdomain?

The Domain Name System (DNS) has a tree structure or hierarchy in which each node of the tree is a domain name. A subdomain is a domain that is part of a larger domain. Each label may contain from 0 to 63 octets.

What is a subdomain in software?

A subdomain is a type of domain that is part of another domain. You can think of it as a separate branch from your main website. For example, if you've ever read a WordPress blog, you might have noticed that the domain (or URL) is the name of the blog + "." + wordpress.com (i.e., blogname.wordpress.com).
