Initially, the penetration tester needs to gather all the relevant information available about the main domain that the target organization uses. Once that information gathering is complete, the tester can look into the subdomains the organization uses. Not every subdomain that exists under the main domain is necessarily in active use, so the penetration tester should also attempt to guess subdomain names that are relevant to the organization.
A company using the domain example.com, for example, could have the following easily guessed subdomains:
- cpanel.example.com
- data.example.com
- backup.example.com
- vhost.example.com
- staging.example.com
- api.example.com
- webmail.example.com
- mail.example.com
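As an added illustration (not code from the original post), the check below takes guessed labels like the ones listed above and resolves them, but first probes a random label to detect a wildcard DNS record, which would otherwise make every guess look like a live host. The resolver is injectable so the function can be exercised offline against a constructed answer table; the default resolver uses the Python standard library.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# Candidate labels taken from the example list above; a wordlist would extend it.
CANDIDATES = ["cpanel", "data", "backup", "vhost", "staging", "api", "webmail", "mail"]

# A resolver maps a hostname to one address, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def default_resolver(name: str) -> Optional[str]:
    """Live lookup via the system resolver (used when no resolver is injected)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_answer(domain: str, resolve: Resolver) -> Optional[str]:
    """Probe a random label that should not exist. If it resolves, the zone has
    a wildcard record and every guessed name will appear to exist."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


def verify_subdomains(domain: str, labels: List[str],
                      resolve: Resolver = default_resolver) -> Dict[str, str]:
    """Return {hostname: address} for candidates that resolve to something other
    than the wildcard answer. Limitation: a real host that shares the wildcard's
    address is indistinguishable from the wildcard and is dropped."""
    wildcard = wildcard_answer(domain, resolve)
    found: Dict[str, str] = {}
    for label in labels:
        host = f"{label}.{domain}"
        addr = resolve(host)
        if addr is None or addr == wildcard:
            continue
        found[host] = addr
    return found


if __name__ == "__main__":
    # Constructed answer table standing in for real DNS, so this runs offline.
    table = {"api.example.com": "192.0.2.10", "mail.example.com": "192.0.2.20"}
    print(verify_subdomains("example.com", CANDIDATES, table.get))
```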
Most webmasters put all their effort into securing their main domain and often ignore their subdomains. What if an attacker manages to compromise a subdomain and uses it as a foothold against the main domain?
Depending on the scope of the pentest, you might also need to test subdomains for vulnerabilities.
A very common way of searching for subdomains is a simple Google dork. Even though you won't find all the subdomains with this method, you can find some important ones:
site:example.com -inurl:www
This query tells the search engine to return results for the domain whose URLs do not contain www, which are normally subdomains.
Appsecco has also released a Gitbook on the same topic that covers subdomain enumeration in depth.
Reconnaissance is one of the major phases of penetration testing: the more information you gather, the better your chances of success.
Below is a list of open source tools/scripts and online scanners with which you can easily enumerate the subdomains of a target.
[#] Open Source Tools/Scripts

| S.No. | Tool Name | Download Link | Author Name |
|---|---|---|---|
| 1 | AltDNS | Github Download | Shubham Shah |
| 2 | Amass | Github Download | Jeff Foley |
| 3 | Anubis | Github Download | JonLuca DeCaro |
| 4 | Aquatone | Github Download | Michael Henriksen |
| 5 | Bluto | Github Download | Darryl Lane |
| 6 | Censys subdomain finder | Github Download | Christophe Tafani-Dereeper |
| 7 | Cleveridge Subdomain Scanner | Github Download | Erwin De Laat |
| 8 | CT Exposer | Github Download | Christopher B. |
| 9 | Dnscan | Github Download | Dionach |
| 10 | Dnsenum | Github Download | Filip Waeytens |
| 11 | Dnsrecon | Github Download | Carlos Perez |
| 12 | Domain Analyzer | Github Download | Sebastian Garcia |
| 13 | DomainRecon | Github Download | Sanjay |
| 14 | Fierce.pl Domain Scanner | Github Download | Robert Hansen |
| 15 | Fierce | Github Download | Mike Schwager |
| 16 | Gobuster | Github Download | OJ Reeves |
| 17 | Knock Subdomain Scan | Github Download | Gianni Amato |
| 18 | MassDNS | Github Download | B. Blechschmidt |
| 19 | SubBrute | Github Download | TheRook |
| 20 | SubFinder | Github Download | Michael Skelton |
| 21 | Sublist3r | Github Download | Ahmed Aboul-Ela |
| 22 | Subquest | Github Download | Nafeez |
| 23 | SubScraper | Github Download | Mike |
| 24 | XRAY | Github Download | Simone |
| 25 | DNS Brute | Nmap Script | Cirrus |
| 26 | DMitry | Github Download | J Greig |
| 27 | Assets-from-spf | Github Download | Bharath |
| 28 | Bi-directional Link Extractor | Github Download | SensePost |
| 29 | Art of subdomain enumeration | Github Download | Appsecco |
| 30 | CTFR | Github Download | Sheila A. Berta |
| 31 | Domains from CSP | Github Download | Bharath |
| 32 | Dnssearch | Github Download | Simone |
| 33 | Domained | Github Download | Caleb |
| 34 | nsec3map – DNSSEC Zone Enumerator | Github Download | – |
| 35 | Second Order | Github Download | Mohammed Diaa |
| 36 | theHarvester | Github Download | Christian Martorella |
| 37 | Vhost Brute | Github Download | Gwendal Le Coguic |
| 38 | Virtual host scanner | Github Download | Jobert Abma |
| 39 | Subdomain Bruteforce | Github Download | Justin |
| 40 | Findomain | Github Download | Eduard Tolosa |
[#] Online Subdomain Scanners

| S.No. | Name | Website Link | Author Name |
|---|---|---|---|
| 1 | Certificate Search | crt.sh | – |
| 2 | DNS Dumpster | dnsdumpster.com | – |
| 3 | Certificate Transparency Search Tool | entrust.com | – |
| 4 | Find subdomains online | findsubdomains.com | – |
| 5 | Robtex | robtex.com | – |
| 6 | Security Trails | securitytrails.com | – |
| 7 | VirusTotal | virustotal.com | – |
| 8 | Cert DB | certdb.com | – |
| 9 | Certificate Transparency Monitoring | facebook.com | – |
| 10 | Certificate transparency | google.com | – |
In my case Sublist3r is the best; I had used it before I even built it online here at nmmapper.com.