Difference between revisions of "Finding subdomains"
(DNSdumpster) |
(add assetfinder subdomain/domain lister) |
||
Line 11: | Line 11: | ||
# Software options: | # Software options: | ||
## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | ## Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder | ||
## assetfinder https://github.com/tomnomnom/assetfinder | |||
## Knockpy https://github.com/guelfoweb/knock | ## Knockpy https://github.com/guelfoweb/knock | ||
## dnsenum2 https://github.com/SparrowOchon/dnsenum2 | ## dnsenum2 https://github.com/SparrowOchon/dnsenum2 |
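Review bot: the added assetfinder entry under "Software options" gives only the name and URL, while the edit summary describes it as a "subdomain/domain lister". Consider carrying that short description into the list entry itself, as the Subfinder entry above it does, so readers can tell what the tool does without opening the link.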
Revision as of 09:17, 3 March 2024
There are several ways to attempt to find subdomains for a given domain.
- The methods listed on Site exploration
- Use Subdomain Finder: https://subdomainfinder.c99.nl/ (a paid API is also available)
- Use Subdomain Center: https://www.subdomain.center/
- Use DNSdumpster: https://dnsdumpster.com/
- Search Chrome User Experience Report origin lists, which contain domains collected using telemetry in the Chrome browser. See https://archive.org/details/crux_origin_list
- Use Cisco Umbrella (OpenDNS) top domains lists: http://s3-us-west-1.amazonaws.com/umbrella-static/index.html
- https://osint.sh/subdomain/
- Certificate transparency logs https://crt.sh/
- Software options:
  - Subfinder, which includes several of the above methods https://github.com/projectdiscovery/subfinder
  - assetfinder https://github.com/tomnomnom/assetfinder
  - Knockpy https://github.com/guelfoweb/knock
  - dnsenum2 https://github.com/SparrowOchon/dnsenum2
  - dnsmap https://github.com/resurrecting-open-source-projects/dnsmap
  - gobuster https://github.com/OJ/gobuster
  - Sublist3r https://github.com/aboul3la/Sublist3r
- Twitter search
- Additional methods: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6