Continuing the discussion from our recent blog post on Discovering Subdomains by Shpend Kurtishaj @shpendk , who leads the ASE team at Bugcrowd…
In the post, Shpend provides a list of public resources that help in subdomain discovery:
- Search engines (Google, Bing, Yahoo, Baidu)
- https://virustotal.com/ - Search for “domain:target.com” and virustotal will provide extensive information in addition to Observed subdomains, which is a list of all subdomains it knows about.
- https://dnsdumpster.com - The name says it all. Enter the target domain, hit search, profit!
- https://crt.sh/?q=%25target.com - Sometimes SSL is a goldmine of information. Use this site by searching for “%target.com” and it’ll get back with subdomains to you. Easy win.
- https://censys.io - Not great, but has some useful information sometimes.
- http://searchdns.netcraft.com/ - Another to keep an eye on.
- https://www.shodan.io - Shodan is an infrastructure-based spider with an associated information caching database that is made predominantly for security professionals. It has historical and current data on a large swath of the internet’s servers, including seen subdomains, server versioning, and much more.
And a list of bruteforce tools:
- Subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.
- dnscan - A Python wordlist-based DNS subdomain scanner.
- Nmap - Yes, it’s a port scanner, but it can bruteforce subdomains too (check the nmap scripts).
- Recon-Ng - The recon-ng framework has a brute_hosts module that allows you to bruteforce subdomains.
- DNSRecon - A powerful DNS enumeration script
- Fierce - A semi-lightweight enumeration scanner
- Gobuster - Alternative directory and file busting tool written in Go
- DNSenum - Offers recursive and threaded subdomain enumeration.
- AltDNS - Offers bruteforcing based on permutations of already found domains.
Know of any more tools we missed? Or thoughts on this topic? Please share!
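As an added example (not from the blog post or this thread), here is the normalization step a defender needs when using the crt.sh search above to inventory their own domain: crt.sh also serves its results as JSON via `&output=json`, one row per certificate with newline-separated names in `name_value`, including wildcards and mixed case, and the `%` in the query is a wildcard that also matches unrelated domains ending in the same string. The rows below are constructed sample data, not real crt.sh output.

```python
import json

# Constructed sample of what crt.sh returns for ?q=%25example.com&output=json
# (one row per certificate; name_value holds newline-separated SAN entries).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com\nAPI.Example.com\nstaging.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     # the %example.com wildcard query also matches this unrelated domain
     "name_value": "notexample.com\nwww.notexample.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
])


def crtsh_hostnames(raw_json: str, domain: str) -> dict:
    """Normalize crt.sh JSON rows into hostnames under `domain`.

    Returns a dict of hostname -> set of issuer names, so each name can be
    compared against the owner's asset inventory and certificate policy.
    """
    domain = domain.lower().strip(".")
    found = {}
    for row in json.loads(raw_json):
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert proves the zone, not a host
            # Keep only the domain itself and its subdomains; drop the
            # look-alike matches the wildcard query pulls in.
            if name == domain or name.endswith("." + domain):
                found.setdefault(name, set()).add(row.get("issuer_name", ""))
    return found


if __name__ == "__main__":
    hosts = crtsh_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(hosts):
        print(host, "->", sorted(hosts[host]))
```

Any hostname in the result that is missing from your own inventory, or any issuer you did not authorize, is the finding worth chasing.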